What is a GDPR Policy? 10 Compliance Tips

A GDPR policy is a set of guidelines and procedures that outlines how an organization collects, processes, stores, and protects personal data in compliance with the requirements of the General Data Protection Regulation (GDPR).

A GDPR policy typically includes the following elements:

• Scope and purpose: The policy should clearly state its scope and purpose, including which types of personal data are covered and how the policy applies to different business processes and activities.
• Data protection principles: The policy should outline the six data protection principles of the GDPR, including lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, and security.
• Data subject rights: The policy should explain the rights of data subjects under the GDPR, including the right to access, rectify, erase, restrict processing, data portability, and object to processing.
• Consent: The policy should outline how consent is obtained from data subjects, including how it is collected, documented, and managed.
• Data breaches: The policy should provide procedures for detecting, reporting, and investigating data breaches, as well as for notifying affected data subjects and regulators.
• Third-party data sharing: The policy should explain how third-party data sharing is managed, including contracts with third-party data processors, data transfer mechanisms, and measures to ensure data protection and security.
• Training and awareness: The policy should explain how employees are trained on GDPR compliance and how data protection awareness is promoted throughout the organization.

A GDPR policy is a key element of an organization’s GDPR compliance program, helping to ensure that personal data is collected, processed, and protected in compliance with the GDPR’s requirements.

A GDPR policy is typically created by the Data Protection Officer (DPO) or the legal department of an organization. The DPO is a designated person responsible for ensuring GDPR compliance within the organization, and is required under the GDPR for certain types of businesses.

The DPO is responsible for creating and implementing the GDPR policy, as well as monitoring and reporting on compliance with GDPR requirements. They may work with other departments within the organization, such as IT, human resources, and marketing, to ensure that GDPR requirements are being met across all areas of the business.

Legal departments may also be involved in creating GDPR policies, particularly for organizations that do not require a designated DPO. Legal professionals have expertise in data privacy and security regulations and can ensure that the GDPR policy is comprehensive and compliant with all relevant requirements.

Basically, creating a GDPR policy requires a team effort, with input from legal, IT, human resources, and other relevant departments within the organization. The GDPR policy should be regularly reviewed and updated to ensure ongoing compliance with changing regulations and business needs.

A GDPR policy should be updated regularly to ensure that it remains current and relevant to the organization’s operations and the evolving regulatory landscape. The frequency of updates will depend on various factors, such as changes in the organization’s business practices, new technological developments, and updates to GDPR requirements.

The GDPR requires organizations to regularly review their data protection policies and update them as necessary. Specifically, Article 24 of the GDPR requires organizations to implement appropriate technical and organizational measures to ensure ongoing compliance with the regulation, including regular review and update of policies and procedures.

In practice, organizations should aim to review their GDPR policy at least once a year, or more frequently if there are significant changes to the organization’s operations or the regulatory environment. This review should include an assessment of the effectiveness of the policy in meeting GDPR requirements, identification of gaps or areas for improvement, and an update of policies and procedures as necessary.

Regular review and update of the GDPR policy is essential to ensure ongoing compliance with data protection regulations and to minimize the risk of data breaches and non-compliance penalties.

Not having a GDPR policy can have serious consequences for organizations, including:

• Regulatory fines: Organizations that do not comply with GDPR requirements can face significant fines, which can be up to 4% of the organization’s global annual revenue or €20 million, whichever is greater.
• Reputational damage: Non-compliance with GDPR can result in negative publicity and damage to an organization’s reputation, particularly if there is a data breach or other significant privacy incident.
• Loss of business: Customers and partners may choose to do business with competitors that have stronger data protection policies and practices, particularly in industries that require high levels of data protection and privacy.
• Legal liability: Organizations that fail to comply with GDPR requirements can face legal action from data subjects or regulators, resulting in costly lawsuits and legal fees.
• Loss of trust: Non-compliance with GDPR can lead to a loss of trust among customers, partners, and employees, who may feel that their personal data is not being adequately protected.

Not having a GDPR policy can have significant legal, financial, and reputational consequences for organizations. It is important for organizations to take GDPR compliance seriously and to ensure that appropriate policies and procedures are in place to protect personal data and meet GDPR requirements.

Since the General Data Protection Regulation (GDPR) went into effect in May 2018, there have been several notable examples of companies and organizations being fined for violating the regulation. Here are a few:

Google

In January 2019, Google was fined €50 million ($56.8 million) by the French data protection authority (CNIL) for violating GDPR transparency and consent requirements. The CNIL found that Google did not obtain valid consent for personalized ads and did not provide sufficient information to users about how their data would be processed.

British Airways

In July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($229 million) for a data breach that exposed the personal information of 500,000 customers. The ICO found that British Airways had inadequate security measures in place and failed to detect the breach in a timely manner.

Marriott

In July 2019, the ICO announced its intention to fine Marriott International £99 million ($124 million) for a data breach that exposed the personal information of 339 million guests. The ICO found that Marriott had failed to adequately secure its systems following its acquisition of Starwood Hotels and that the breach went undetected for several years.

H&M

In October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information fined H&M €35.2 million ($41 million) for collecting and storing excessive amounts of personal data about employees at a customer service center in Germany. The commissioner found that the data collection was not necessary for employment purposes and that H&M had violated the GDPR’s principles of transparency and data minimization.

These are just a few examples of GDPR violations that have resulted in significant fines. As data protection authorities continue to enforce the regulation, it is likely that we will see additional fines and enforcement actions in the future.

Hopefully you’re convinced of the need for your company to have a GDPR policy in place at this point, so here are some tips:

• Appoint a data protection officer (DPO). The DPO is responsible for overseeing your company’s compliance with the GDPR. They should have a good understanding of the GDPR and be able to help you implement and maintain compliance.
• Conduct a data protection impact assessment (DPIA). A DPIA is a process that helps you identify and assess the risks to individuals’ privacy when you process their personal data. It is a requirement for certain types of processing, such as processing that is likely to result in a high risk to individuals’ rights and freedoms.
• Implement appropriate technical and organizational security measures. These measures should be designed to protect personal data from unauthorized access, use, or disclosure. They should also be appropriate to the risks posed to the data.
• Keep records of your processing activities. You must keep records of all your processing activities, including the purposes for which you process personal data, the categories of personal data you process, and the recipients of your personal data.
• Obtain consent from individuals before processing their personal data. Consent must be freely given, specific, informed, and unambiguous. You must also be able to demonstrate that consent has been given.
• Provide individuals with access to their personal data. Individuals have the right to access their personal data, and to have it rectified or erased if it is inaccurate or incomplete. They also have the right to object to the processing of their personal data, and to have their personal data transferred to another controller.
• Implement a data breach response plan. You must have a plan in place to respond to data breaches. This plan should identify the steps you will take to investigate the breach, mitigate the damage, and notify individuals whose data has been affected.
• Train your employees on data protection. Your employees must be aware of the GDPR and your company’s data protection policies and procedures. They should also be trained on how to handle personal data securely.
• Review your compliance on a regular basis. You should review your compliance with the GDPR on a regular basis to ensure that you are still meeting the requirements.
• Seek professional advice. If you are unsure about how to comply with the GDPR, you should seek professional advice from a legal specialist or data protection consultant.

Having a GDPR policy in place is essential for companies that process personal data of individuals within the EU. The policy ensures compliance with GDPR requirements, protects personal data, builds customer trust, and helps to avoid fines and legal penalties.