To best demonstrate that you and your organisation comply with the principles embodied in the GDPR legislation, an appropriate Data Protection Policy is key.
Such a policy ensures that you have a consistent and accountable approach to all data security matters. It can be included as part of existing policies or be an additional separate document (so long as there are no contradictions between different organisational policies).
The policy should clarify who is responsible for what in the ongoing pursuit of data protection – including policy implementation and monitoring of the compliance to the GDPR.
As with all policies:
- It should be approved at high level with everyone from top to bottom being briefed on their required actions.
- Reviews and updates at periodic intervals to improve, update or maintain its relevance.
- Monitoring under the policy enables improvements in efficiency of data handling and security controls.
- Simply drawing up a policy is insufficient:
- subsequent monitoring is also required.
- This should test appropriate measures to provide guidance on the state of effectiveness of the policy.
- Monitoring staff and reports should be independent of those persons implementing the policy to minimise bias.
- Monitoring results should be reported on regular and periodic basis.
- awareness and training is also required.
- All staff should receive data protection awareness and training
- Ideally on appointment with periodic updates as needed
- Covers handling of personal data and their responsibilities
- Specialist training for staff relating to the roles they play eg
- information security and database management and marketing.
- Ongoing reinforcement of key messages via team briefings, posters etc.
Information Risk Management activities will identify the data held, the justifications for taking in this data as well as why it is wanted.