A crucial part of your EU GDPR (General Data Protection Regulation) project is producing documentation to demonstrate your compliance. One of those necessary documents is a data protection policy, and a GDPR policy template is the quickest way to produce one.
To help you prepare one, we will outline what a data protection policy is, what you should include, what tools can help your organization produce this essential document, and offer a template that does most of the hard work for you.
Article 24(2) of the GDPR states that “Where proportionate in relation to processing activities, […] measures […] shall include the implementation of appropriate data protection policies by the controller.”
Policies differ from procedures: they are high-level documents that set principles, rather than spelling out how, what and when things should be done. Policies must:
Be implementable and enforceable
Be concise and easy to understand
Balance security with productivity
In addition to the above, a data protection policy template should include:
Topics covered by the policy
Reasons why the policy is needed
Contact details
Roles and responsibilities
Objectives of the policy
Information on how to handle violations
For example, your data protection policy may instruct staff involved in collecting client data to collect only the minimum amount required for the stated purpose, which is the data minimisation principle of Article 5(1)(c).
Complying with the GDPR, especially with Article 32 and its mandate to “…implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”, requires information security policies, procedures, and processes. As a controller or processor, if you haven’t adopted an InfoSec framework (e.g., ISO 27001/27002 or NIST SP 800-53) and put in place the necessary documents, then FLANK’s Information Security Policy Template UK & Cybersecurity Policy and Procedures Manual is what you need.
Need evidence from the GDPR as to the importance of information security? Article 32(1)(b) requires “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” This is the well-known CIA triad of information security, with resilience added, and it can be met by having comprehensive information security policies, procedures, and processes in place – those offered by FLANK for instant download.
Article 32(1)(c), “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”, ultimately requires a well-formalised and documented Business Continuity and Disaster Recovery Planning/Contingency Planning (BCDRP/CP) program to be in place. Article 32(1)(d), “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”, means that program must also be exercised and reviewed on a regular schedule rather than written once and filed away.
FLANK offers an incredibly detailed, well-written, and easy-to-use and implement program that’s available for instant download. Even without the GDPR requirements for such a mandate, every business should have a BCDRP/CP program in place as a matter of best practice. Get yours today from FLANK and get compliant.
Per Article 33(1), “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…”, and per Article 33(2) a processor must notify the controller without undue delay after becoming aware of a breach. Therefore, controllers and processors alike need a well-formalised, documented cyber incident response and breach reporting program for the GDPR.
FLANK offers an incredibly detailed, well-written, and easy-to-use and implement program that’s available for instant download. Even without the GDPR requirements for such a mandate, every business should have an incident response and breach reporting program in place as a matter of best practice. Get yours today from FLANK and get compliant.
The EU Representatives GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organizations worldwide. The toolkit includes:
A complete set of easy-to-use and customisable documentation templates, which will save you time and money and help you demonstrate compliance with the GDPR
Helpful dashboards and project tools to ensure complete coverage of the GDPR
Direction and guidance from expert GDPR practitioners
Two licenses for the GDPR Staff Awareness E-learning Course