Get Your Data Protection Right: Data Protection Policies and Tracking Data Access
Many companies struggle to comply with GDPR, but how many of those end up being punished by regulators? The answer is very few. Despite the headline-grabbing fines we read about, the purpose of GDPR is to help you Get your Data Protection Right.
During this Get Data Protection Right series we’ve identified nine pillars of data protection that protect you from breaches and move you towards GDPR compliance. This article looks at data protection policies and the ninth pillar: controlling and tracking data access.
The Importance of a Data Protection Policy
Previously, we highlighted the importance of record-keeping and documentation in GDPR compliance. One of the most important documents you need is a data protection policy. Article 24(2) of the GDPR requires controllers to implement appropriate data protection policies where this is proportionate to their processing activities. But why is it so important, and how do you go about drafting and implementing it?
First, create a blueprint for your GDPR framework
A data protection policy is a security policy that describes the technical and organisational measures your organisation has in place to protect the personal data it processes. In easy-to-understand language it should explain to employees your organisation’s commitment to the GDPR and its requirements. It should provide the framework used to implement, monitor and manage data security. It does not need to be extremely detailed. Think of it more as a declaration of the principles of data protection and the organisation’s intent to achieve them. The policy should condense into bite-sized pieces the portions of the GDPR that are relevant to your business.
Staff awareness and accountability
Your data protection policy exists for the benefit of the staff. The policy must, therefore, be understandable to people who are not experts in the GDPR or cybersecurity. It should make it clear to your staff how the GDPR applies to them and how they will be held accountable to it. It’s also worth noting that employees are happier when their employer takes a strong lead on important issues. Most people want to do things right.
Prove your intent to comply with the GDPR
Let’s imagine your company is investigated by a supervisory authority for whatever reason (as a result of a serious complaint or a data breach, for instance). In addition to your Article 30 Records of Processing Activities, you will be asked to share your data protection policy to prove you have taken data protection seriously. The policy acts as a statement of intent and demonstrates that you have been proactive in making it a priority.
Drafting a Data Protection Policy
It’s easy to say that a data protection policy is an easy-to-understand document detailing your organisation’s core data protection practices. But where do you start? As these articles have shown, it’s not easy to distil the GDPR into a staff-friendly document.
Luckily, you don’t need to tackle the daunting task alone. There are many customisable templates available online that do most of this work for you. Most are sufficient for smaller organisations, which often lack the resources to create a policy from scratch, but they can also be used as a starting point for larger organisations.
PrivIQ contains a template data protection policy, but even more importantly the software helps an organisation understand what’s important in GDPR and can inform the process of customising the template, so you have a data protection policy that is unique to your organisation. Through your use of PrivIQ, you will have defined and documented the technical and organisational measures and procedures you’ve put in place, so the customisation of a data protection template becomes easier.
What to include in a data protection policy
The precise content of a data protection policy will vary from organisation to organisation. But it must include the elements of the GDPR that apply to your business and staff and it must be presented in an easily digestible way.
A typical data protection policy might include the following:
- An introduction to GDPR and a statement of the purpose of the policy.
- A list of definitions. The GDPR has specific terminology and your staff need to understand these terms (e.g. the difference between data controller and data processor).
- The scope of the policy: explain that the policy encompasses all the personal data of EU residents that you process, as well as all staff members who process that data.
- The principles of GDPR: explains the seven key principles that businesses or associations should abide by.
- Data subject rights: Explain the eight rights: an individual’s right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights relating to automated decision-making and profiling.
- Roles and responsibilities: explain the actions, behaviours and practices required from all staff handling personal data. This section helps establish a mindset of accountability.
- Persons responsible: It should include the contact details of the persons in the organisation responsible for data protection. The contact details of a DPO (data protection officer) should appear here if one exists.
Reduce risk by managing & tracking data access
Making staff aware of their GDPR obligations through a good data protection policy shows you’re serious about compliance. You still need to follow through and make sure appropriate safeguards and procedures are in place. Since many data breaches involve human error or the misuse of legitimate access, one way to prevent them is to control and track who has access to personal data. How do you do this?
It begins with completing your data register: what personal data do you process, how is it processed, where is it processed and, finally, when and how will it be disposed of? With data mapping complete, you need to create a register of who has access to each category of data. This may be on a departmental or individual basis.
One means of protecting personal and sensitive data is to limit who has access to it. Look closely at any cloud services and other third-party processors and make sure you’re only sending the data they need to achieve their processing purpose. Cloud security is a major issue in data protection: once you’ve shared data with a third party you no longer have complete control. Can you be sure that cloud-provider employees and their subcontractors do not have access to the data you upload? It is imperative that you vet all your third-party processors and then enter into legally binding data processing agreements with them (as required by Article 28 of the GDPR) under which they commit to the GDPR’s obligations on processors.
Reducing staff access so that employees can only reach the personal data they need to complete their tasks will reduce the risk of data breaches. Having categorised your personal data types in your data map, you can then implement procedures that only allow authorised employees to view personal and sensitive data types. Multi-factor authentication and other identity and access management (IAM) controls let you ensure that this access is limited to the appropriate staff. This not only stops other employees from accessing data they don’t need, but also makes authorised staff accountable, because every access is tied to a named account.
Whether your data is in the cloud or on-site, you need a system that lets you see who accessed what, when. Database auditing software records each access and can raise alerts when it detects attacks or suspicious activity, such as changes to accounts or privileges. Cloud providers often offer audit logging for stored data as well; enabling it gives you an independent record against which to check that access stayed within the limits you defined.
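The checks described above, combined into one added example (this is illustrative code, not part of the original article and not PrivIQ or GDPR365 software): a simplified data register mapping each personal-data category to the roles permitted to read it, a staff register mapping accounts to roles, and an audit-log review that flags reads by roles not listed for that category, reads by unknown accounts, reads of uncategorised data, and any privilege change. The log format, the registers and the role names are all constructed for the example; a real deployment would take the same inputs from the database’s own audit extension and the IAM system.

```python
"""Least-privilege check over audit-log lines (added example, not the
article's or PrivIQ's code). Registers and log format are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Data register: personal-data category -> roles allowed to read it (constructed)
DATA_REGISTER = {
    "contact": {"hr", "sales", "support"},
    "payroll": {"hr", "finance"},
    "health": {"hr"},
}

# Staff register: account -> role (constructed)
STAFF_REGISTER = {"alice": "hr", "bob": "sales", "carol": "finance", "dave": "support"}

# Actions that change who can access what; always worth a human look.
PRIVILEGE_ACTIONS = {"GRANT", "REVOKE", "ALTER_ROLE", "CREATE_USER"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "alert" (policy violated) or "review" (needs a human check)
    user: str
    detail: str


def category_of(obj):
    """Constructed convention: 'customers.health' -> 'health'."""
    return obj.rsplit(".", 1)[-1]


def review_access(lines, data_register=DATA_REGISTER, staff=STAFF_REGISTER):
    """Return (findings, summary).

    findings: Finding objects in log order.
    summary:  {user: {category: read_count}}, the 'who accessed what' view;
              it deliberately includes reads that were also flagged.
    """
    findings = []
    summary = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:  # expected: timestamp user action table.category
            findings.append(Finding("review", "?", f"unparseable log line: {line!r}"))
            continue
        ts, user, action, obj = fields
        action = action.upper()
        role = staff.get(user)
        if role is None:
            findings.append(Finding("alert", user, f"{ts}: unknown account {user!r} performed {action} on {obj}"))
            continue
        if action in PRIVILEGE_ACTIONS:
            findings.append(Finding("review", user, f"{ts}: {role} account changed privileges: {action} {obj}"))
            continue
        cat = category_of(obj)
        summary[user][cat] += 1
        allowed = data_register.get(cat)
        if allowed is None:
            findings.append(Finding("review", user, f"{ts}: access to uncategorised data {obj}"))
        elif role not in allowed:
            findings.append(Finding("alert", user, f"{ts}: role {role!r} is not permitted to {action} {cat} ({obj})"))
    return findings, {u: dict(c) for u, c in summary.items()}


# Constructed sample log: "timestamp user action table.category"
SAMPLE_LOG = """\
2024-03-01T09:12:00Z alice READ customers.health
2024-03-01T09:13:10Z bob READ customers.contact
2024-03-01T09:15:42Z bob READ employees.payroll
2024-03-01T09:20:05Z carol GRANT role.sales
2024-03-01T09:21:00Z mallory READ customers.health
2024-03-01T09:25:30Z dave READ tickets.attachments
"""

if __name__ == "__main__":
    found, who_read_what = review_access(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[{f.severity}] {f.detail}")
    for user, cats in who_read_what.items():
        print(user, dict(cats))
```

Run against the sample log this reports bob’s payroll read (sales role, not permitted), carol’s GRANT (a privilege change to review), mallory’s read (no such account in the staff register) and dave’s read of data that has no category in the register, while alice’s health-data read passes because HR is listed for it. The summary is the access register’s counterpart: it shows which categories each account actually touched, which is what you compare against the access you intended to grant.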
All under control
If you address all nine elements of data protection then you’re a long way towards mitigating your risks. GDPR365 can help you Get your Data Protection Right and simplify ongoing monitoring of your compliance. You can embrace the GDPR as an asset for your business, not a burden. Why not book a PrivIQ demo today?