The Dutch Data Protection Authority makes six recommendations on drafting your data protection policy, based on its audits of privacy policies of blood banks, IVF clinics and political parties.
A good data protection policy shows the individuals and the Supervisory Authority that it complies with GDPR.
Three mandatory components were examined:
- a description of the (categories of) personal data
- a description of the purposes of data processing
- the rights of data subjects.
Recommendations:
- Assess whether you are required to have a written data protection policy. Even if not required, a data protection policy is recommended.
- Use internal and / or external expertise.
- Record the policy in one document; prevent fragmentation of information in a privacy statement, a processing register and a policy.
- Be specific and describe how you implement the GDPR principles in practice. Repeating standards from the GDPR is not enough.
- Make the policy known; Though not required, publication of the data protection policy is recommended. But beware of including confidential details on your information security.