In our series on six practical steps to GDPR compliance we’ve looked at many of the essential aspects of a sound, risk-based approach to data protection. In this final post we examine how to document the key elements of your GDPR compliance program in a set of effective policies and procedures.
Data protection legislation has been around for a long time, so most organizations will already have some policies and procedures in place. If nothing else, GDPR gives you a good opportunity to review and refresh these documents.
What's in a name?
There is a long-standing debate in the compliance community about the difference between policies and procedures. Here, we assume the following:
- A policy is a guiding principle; a statement of intent and direction intended to set the tone and reflect corporate values. A policy should be a useful support to decision making to achieve a desired outcome.
- A procedure, quite simply, tells the reader how to achieve the aims of the policy.
In light of this distinction, you might want to consider publishing the two kinds of document separately and distributing your policies more widely than your procedures.
Who are they for?
Hopefully the days of policies written by lawyers for lawyers (or at least for regulators to achieve the tick in the policy box) are long gone.
Generally, both data protection policies and procedures are written with employees in mind and this should impact a number of factors:
- Scope: Are you addressing the attitudinal and behavioral dimensions of your policies as well as 'the rules'? Do your policies and procedures take into consideration local language requirements and possible cultural differences?
- Simplicity: Is the content easily understood by a general audience? Are you avoiding overly-legalistic language?
- Substance: Will the content, terminology and tone of voice of your policies resonate with your audience? Will they be perceived as authentic and in line with your organizational culture?
- Structure: Are your policies, and particularly your procedures, organized in a way that is easy to read and understand? Increasingly, policies and procedures include visual design elements, examples, and questions and answers to aid understanding and application.
Transparency is an increasingly important factor in consumer trust, so you may also want to consider making your policies, but not your procedures, publicly available. If you do, your customers and end-users become a secondary target audience whose needs you should also consider.
Steps to success
The content of your policies and procedures certainly needs to be accurate and legally validated, but this is just one of many steps you should take to ensure that they are effective.
There is a strong case for 'market testing' your policies and procedures with target audience groups to ensure that you have achieved the objectives of scope, simplicity, substance and structure.
Consider how policies will be made available to employees. Will they just sit on the corporate intranet waiting to be discovered or will you publicize them and make them available with modern communication tools and techniques?
Will you simply assume the right people have read your policies, or will you undertake a process of attestation? Having employees 'sign up' to a policy certainly gives you a useful audit trail, and there is some evidence that it also helps drive more compliant behavior in the workplace. Dan Ariely's fascinating experiments in this area show that the simple act of 'signing up' to a moral code can have a significant impact on ethical behavior.
What policies do you need?
Remember that many aspects of GDPR intersect with an organization's information security provisions. It is likely that policies already in place help with GDPR compliance; make sure you know what they are, and that you do not duplicate, or worse, conflict with, existing information security practices within your organization.
Also, ensure that your policies reflect some of the significant changes that GDPR makes to current data protection practices particularly in the areas of:
- Subject access requests including the right to be forgotten
- Data disposal and deletion
- Breach management
Is it too late?
With just a couple of weeks to go to May 25th, it may feel that a comprehensive and effective policy suite is simply not achievable in time. However, you don't have to start from scratch. SAI Global's GDPR solution includes:
- A library of ready-made template policies which have been legally verified and are ready to use
- Workflow capability to ensure an efficient, collaborative design, review and sign off process
- Tools for policy dissemination and attestation - including links to our market-leading GDPR learning solutions.