Who needs a data protection policy?
The GDPR lays down the principle of accountability in Art. 5(2): the controller (the person or body responsible for the processing) is not only responsible for compliance with the data protection principles but must also be able to demonstrate it. In practice this means documenting an overall approach to data protection compliance that is reviewed regularly and updated where necessary.
In other words, any company that processes personal data must have a procedure for regularly testing, assessing and evaluating the effectiveness of its data protection and data security measures (cf. Art. 32(1)(d) GDPR). A written data protection policy is the natural starting point for this.
What are the contents of the data protection policy?
A data protection policy should be clearly structured, because it has to be understandable for internal stakeholders (management, employees) as well as external ones (customers, business partners, supervisory authorities).
It must also reflect the specific circumstances of the company, so templates or samples should always be adapted to the individual case. A proper data protection policy should nevertheless cover at least the following:
- Data protection organisation and responsibilities within the company
- Legal framework applicable to the company's processing of personal data
- Existing technical and organisational measures
- Minimum organisational rules that apply throughout the company