GDPR - documents
Different policies companies may need
There are different policies that companies may need to ensure that the rules of GDPR are complied with by the company and employees.
What is the difference between a routine and a policy?
A routine and a policy are not the same thing. A policy is more comprehensive and strategic, and is often decided by the board of directors or senior management. The policy describes what applies and the purpose of working in a certain way, whereas a routine describes how it should be implemented in practice. Several different routines can be established to comply with what is stated in a policy. A policy includes the company's goals and strategic direction as well as the principles the company's employees follow to achieve those goals. A routine consists of specific instructions on how to achieve, in practice, what is stated in a policy.
Examples of routines that can be good for a company to establish and implement
- Erasure of personal data.
- Documentation, investigation and reporting of personal data breaches.
- Comply with the rights of data subjects upon request.
- Onboarding and offboarding of staff.
- Sharing of data internally between employees or within the group of companies.
- Obtaining and withdrawing consent.
- Social media management and photography.
Examples of policies that companies may need to establish and implement
IT security policy
An IT security policy ensures that the company has a strong IT protection that is risk-based and adapted to the current threat landscape. In addition, the policy clarifies which tools and methods employees should use to prevent personal data breaches and comply with other rules in the GDPR. An IT security policy can be suitable for most companies to establish and implement in the business, in order to maintain a uniform internal standard around IT security.
The policy constitutes an overall policy document on how the company works securely in the IT environment in accordance with, among other things, the GDPR. For example, it sets out which data protection principles the company bases its access control on, which technical security measures have been implemented, how the company should protect personal data both internally and externally, etc. In addition, an IT security policy usually describes the different levels of security applied to the personal data processed. The starting point is that the more important the personal data, the higher the level of security required.
Privacy policy
A privacy policy constitutes an important internal governance document and is a good organizational security measure to take. The privacy policy is an internal document that describes how employees should work in accordance with the GDPR. It is therefore the employees who must comply with the privacy policy when processing personal data in the course of their work. For example, a privacy policy includes information about the legal bases the company relies on when processing personal data. It should also describe the seven (7) basic principles of the GDPR that apply, the internal division of responsibilities, contact persons, etc.
Privacy Policy and Privacy Notice are not the same thing
A privacy notice is an external informative document addressed to data subjects. In it, the company describes the legal basis for the processing, the storage duration, the rights of the data subjects, the purpose of the processing, etc. The purpose of a privacy notice is to inform the data subjects about the company's processing of their personal data, in accordance with Articles 13 and 14 of the GDPR. A privacy notice should be published publicly on the company's website. A privacy policy, by contrast, is an internal document that provides guidance to employees on how to work in accordance with the GDPR, and should therefore not be published publicly on the company's website.
Assessments that companies may need to make under the GDPR
Companies may need to make certain assessments before certain processing begins. One example is a Data Protection Impact Assessment (DPIA), carried out to find out whether the processing poses a high risk to the rights and freedoms of data subjects. In addition, companies may need to request a prior consultation with the national data protection authority if the risk remains high after the impact assessment has been carried out. Another type is a Legitimate Interest Assessment (LIA), carried out to determine whether the company has a legitimate interest in a particular processing.