The Dutch Data Protection Authority makes six recommendations on drafting your data protection policy, based on its audits of privacy policies of blood banks, IVF clinics and political parties.

A good data protection policy shows data subjects and the Supervisory Authority that the organisation complies with the GDPR.

Three mandatory components were examined:

  • a description of the (categories of) personal data
  • a description of the purposes of data processing
  • the rights of data subjects.

  • Assess whether you are required to have a written data protection policy. Even if not required, a data protection policy is recommended.
  • Use internal and/or external expertise.
  • Record the policy in one document; prevent fragmentation of information in a privacy statement, a processing register and a policy.
  • Be specific and describe how you implement the GDPR principles in practice. Repeating standards from the GDPR is not enough.
  • Make the policy known. Though not required, publication of the data protection policy is recommended, but beware of including confidential details about your information security.
