Review Data Protection Policies
Article 24 of the GDPR states that processing activities shall include the implementation of appropriate data protection policies by the data controller.
Policies differ from procedures: they are high-level documents that set principles, rather than detailing how, what and when things should be done.
- be capable of implementation and enforceable;
- be concise and easy to understand; and
- balance protection with productivity.
The data protection policy should specifically include the following key elements:
- topics covered by the policy;
- reasons why the policy is needed;
- contacts and responsibilities;
- objectives; and
- how to handle violations.