GDPR Explained – What is a Data Protection Policy?
A Data Protection Policy matters because it sets out the principles and rules a business follows in order to handle other people's data lawfully and securely.
Under the EU General Data Protection Regulation (GDPR), data controllers must implement a data protection policy as part of their efforts to demonstrate that processing is performed in accordance with the requirements under the GDPR.
Data Protection Policies should include a set of principles that guide the individuals responsible for collecting or processing personal information, and should ensure that processing activities are carried out in accordance with those principles.
Data Protection Policies are often implemented as part of an organisation’s employee handbook together with employee training sessions. The extent of the implementation will depend on the types of data being collected and the processing activities that an organisation is engaged in.
Key elements of a Data Protection Policy
Keep it simple – It is important that employees can clearly understand their obligations and that the policy does not leave legal data requirements open to interpretation. A policy that is easy to read makes it more likely that employees will understand what they must do to meet those legal requirements.
Identify different types of data – Identifying the different types of data that an organisation collects is essential to meeting compliance requirements. Some types of data, such as personal or sensitive information, must be collected and processed in accordance with more stringent requirements under the applicable privacy laws.
Dealing with data breaches – Some data breaches require mandatory data breach notification. This means that data breaches must be reported to the relevant government authority and also disclosed to the individuals affected by the breach.
Generally, this applies where there is a risk of serious harm to the individual concerned and no remedial action can be taken to prevent that harm from occurring. Under the GDPR, the test is whether there is a risk to the rights and freedoms of an individual.
Data Protection Policies should have clear instructions about how employees ought to deal with potential data breaches when they occur and what practices should be put in place to help prevent or mitigate data breaches where possible.
Under the GDPR there are six applicable principles that pertain to data processing activities.
Essential Principles of Data Protection
- personal data should be processed in a lawful, fair and transparent manner;
- personal data should be collected for specified, explicit and legitimate purposes;
- personal data must be adequate, relevant, and necessary for the purposes for which it is processed;
- personal data must be accurate and kept up to date;
- personal data must be stored only for as long as necessary to fulfil the purposes of the processing;
- personal data should be protected with appropriate security measures.
Data controllers must be accountable for the data they collect and be able to demonstrate compliance with the above principles. A Data Protection Policy will assist in informing employees on how they should collect, process and protect data in accordance with the relevant privacy laws and regulations.
Takeaway points
A Data Protection Policy:
- educates employees on how to meet compliance requirements for handling personal information and data;
- promotes a workplace culture of data protection and security;
- creates awareness of the obligations around data processing activities;
- should be written in clear and plain language so that employees can easily understand their obligations on how to handle and protect personal information and data.
Sam Gilbert, IP and Technology Consultant, B.A., LL.B University of Technology, Sydney
If you would like to know more about this article or about data protection policies, please do not hesitate to get in contact with the team at W3IP Law on 1300 776 614 or 0451 951 528.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.