The data protection policy is a document that summarises all legal data protection aspects of the company. It sets out objectives, responsibilities and documentation obligations and is one of a company's most important strategy papers.
A good data protection policy helps meet the accountability obligations of the European General Data Protection Regulation (GDPR) as interpreted by the supervisory authorities. It also serves as the basis for statutory data protection audits, e.g. by a customer.
The template from activeMind AG helps you draft a data protection policy that gives optimal support to everyone involved in data processing in the company. At the same time, it shows outsiders the importance the company attaches to data protection and its commitment to it.
Who needs a data protection policy?
The GDPR establishes the principle of accountability in Art. 5 (2). Accordingly, each responsible party (the controller) must be able to demonstrate that it has an overall policy for data protection compliance, which must also be regularly reviewed and, where necessary, further developed.
In other words, companies that process personal data must establish a procedure for regularly reviewing, assessing and evaluating the effectiveness of their data protection and data security measures. For this purpose, a data protection policy is the optimal starting point.
What are the contents of the data protection policy?
A data protection policy should be well structured, because it has to be understandable for both internal and external stakeholders.
It must also reflect the specific circumstances of the company. Templates and samples should therefore always be customised for the individual case. Nevertheless, a proper data protection policy should contain at least the following:
- Data protection policy and responsibilities in the company
- Legal framework in the company
- Existing technical and organisational measures
- Organisational minimum regulations