What does ‘good’ look like & how to support your teams to achieve it?
First let’s remind ourselves that data protection by design and by default requires businesses to adopt policies and procedures to make sure data protection is taken seriously across the business.
In my experience, most people are keen to ‘do the right thing’ with personal data. But sometimes they’re unsure how to go about it and if their current ways of working are adequate.
This is where well-crafted data policies can really help. Sadly, people often have a negative view of policies. In my view, that’s because there’s so much poor practice around.
People rarely volunteer to write a policy. They can gravitate towards becoming long winded legalese, only serving to restate what the law requires. This ‘vanilla’ one-size-fits-all approach has very little practical value.
There is a better way. A well-written easy to read policy should communicate what good looks like for your business and explain how your people should behave to deliver good practice.
Yes you need to take into account what the law says, but don’t shy away from stressing the benefits for your business of acting responsibly. Focus on the needs of your business sector and the unique nature of your businesses processing.
Make policies relevant. Even better if you can, tie-in the launch of improved data policies with training, which shares the main themes from the policies. This can bring them to life and improve awareness.
So where to start?
First decide which policies you actually need and how they should fit together. My favoured approach is to have just two ‘parent’ data policies, the Data Protection Policy & Information Security Policy, then link out to ‘child’ policies or procedures which sit below them.
You might consider a third parent policy, such as Acceptable Use, but personally I prefer information about acceptable use to be included within the Data Protection and Information Security policies, so people don’t have to search around.
I’d recommend you host policies on your Intranet, if you have one, and create them in the form of web pages rather than PDFs. It’s good practice to include hyperlinks to and from topic-specific guidance notes, so people can easily navigate to find more about a specific topic. This helps you to keep the parent policies short and concise – easy to digest.
Here’s a typical Policy Framework, showing the two ‘parent’ policies and examples of possible ‘child’ policies / procedures below. In practice the names & content of child policies may vary from business to business, reflecting the nature of your business.
Example of a Data Policy Framework
Let’s try some examples…
Imagine I’m processing some marketing data and want to know how long I should keep the data. I’d follow the link from the Data Protection Policy to the Data Retention Policy & Schedule – the Schedule will (hopefully) state the relevant data retention periods.
Perhaps I’d like to access my work emails via my new mobile device, so I click to move from the Information Security Policy into the BYOD (Bring Your Own Device) Policy.
There’s little point having a gleaming list of policies if nobody reads or uses them. So, make them easy to understand and easy to access. And remember they don’t have to read like War and Peace!
Simon Blanchard, January 2021
If you would like some help getting your data policies or training up to scratch, get in touch with Simon, Phil or Julia for an informal chat.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.