GDPR Learning Hub

Privacy Policy is an internal governance document

A privacy policy is an internal governance document that, among other things, describes the overall vision of the work with data protection for employees, and gives them a clear framework to start from. 

What is a Privacy Policy?

A privacy policy describes how the company should work internally in accordance with the GDPR. It provides guidance to employees on how to think in their tasks in relation to the rules of the GDPR. The policy describes, among other things, what data protection principles apply and how the company should apply them, the legal bases the company uses, roles and responsibilities, etc. 

What is the difference between a Privacy Policy and a Privacy Notice?

It is common to confuse a privacy policy with a privacy notice. They are not the same. Put simply, a privacy notice is an external document addressed to data subjects; it must be made available to them, typically by publishing it on the company's website. It should include, among other things, the legal basis for the processing, the purposes, the data subjects' rights, retention periods, etc. A privacy policy is instead an internal document for the company's employees that deals with how they should handle data protection in their work.

Why it can be good for companies to have a privacy policy

  • Provides a clear framework for employees on how to process personal data in accordance with the GDPR. 
  • Describes the basic principles in relation to the company’s own processes. 
  • Creates a good structure and internal security.

What parts are good to include in a privacy policy?

Principles

There are seven (7) basic principles of the GDPR (Article 5) that permeate the entire regulatory framework: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Describe in the privacy policy how the company follows each of them.

Roles and responsibilities

It is good to make it clear who is going to do what. By having clear lines of responsibility, the company can prevent mistakes and misunderstandings.

Legal bases used

Companies subject to the GDPR must always have a legal basis for processing personal data. It is good to clarify in the privacy policy which legal bases are used in which situations.

Storage period and access restriction

The company must erase personal data when it is no longer needed for the purpose it was collected for, and when a data subject requests erasure in accordance with his or her rights. It is good to include the retention periods, the requirements for erasure, any exceptions (for example, statutory record-keeping obligations), and the principles on which the company grants and reviews access permissions, such as need-to-know and least privilege.

Security requirements

It is the employees who carry out GDPR-related measures in practice. It is therefore important that they know how to act correctly, so that they follow the internal instructions and do not violate the GDPR. The policy should, for example, state which technical and organisational security measures employees are expected to apply.

Processing of personal data breaches

It is important that employees know how to act in the event of a personal data breach: who to report to internally and what the applicable deadlines are. Under Article 33 of the GDPR, a personal data breach must be reported to the national supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to data subjects. Where the breach is likely to result in a high risk, the affected data subjects must also be informed (Article 34). Because the clock starts when the company becomes aware of the breach, not when a formal report is filed, employees need to know how to escalate an incident immediately so that the legal deadlines can be met.

Documentation

The company must be able to demonstrate that it complies with the GDPR and this means, among other things, that appropriate written GDPR documentation needs to be established. Therefore, it is good to clarify what, where and how employees should document.

Sharing with third parties

Companies usually share personal data with external parties. It is good to specify when this may take place and on what legal basis, when the recipient acts as a processor on the company's behalf and a written data processing agreement (Article 28 GDPR) is therefore required, and the times for follow-up and checks of the recipient, etc.

Education

Employees need training in the GDPR to perform their tasks in accordance with the regulation. It is therefore good to include training requirements in the privacy policy, for example in connection with onboarding and offboarding, as well as more in-depth training for employees who process sensitive (special category) personal data or carry out processing that poses a high risk to data subjects.

Establish procedures to provide practical instructions for how employees should fulfil what is stated in the policy

A policy is an overall internal governance document with strategic goals, while routines are practical instructions for employees on how to achieve the goals. Therefore, it is often appropriate to establish different routines to help employees follow the vision in the policy. 

Establish an IT security policy

Another policy that can be good for companies to establish is an IT security policy. It regulates, in a comprehensive and strategic way, how the IT environment is to be protected: for example, the principles on which the company bases access control, the allocation of responsibilities, and the technical security measures the company takes. An IT security policy is the overall framework on which other security documents, such as a password routine, are based.
