Policy development is a key consideration for any organisation looking to comply with data protection laws. Data protection policies are a set of principles, rules and guidelines that define the goals of an organisation in terms of privacy compliance. They provide guidance on how to achieve compliance objectives. Apart from guidance, a sound privacy policy framework ensures consistency in data protection across your organisation, offers clarity on data protection obligations and promotes accountability within the business.This article is part of our ‘Roadmap to Data Protection Compliance’ series, which gives practical guidelines on how to comply with data protection laws and regulations. In this article, we outline the 5 basic data protection policies all organisations need to develop for compliance. Namely: Data Protection Policy Data Retention Policy Privacy Policy/Notice Information Security Policies Incident Response Policy/Plan 1. Data Protection Policy The first policy you need for privacy compliance is a Data Protection Policy. This is an internal policy which outlines your organisation’s approach to safeguarding personal data. It communicates to staff your expectations on how they should collect, use, disclose or otherwise process personal data. In addition, it enables an employer to communicate to staff the consequences of internal non-compliance. Through your data protection policy, you can address the following matters: First, the privacy governance structure within your organisation and the various roles and responsibilities assigned to each stakeholder. The data protection principles and the measures that you have put in place to comply with the principles Data subject rights handling including the mechanisms you have in place to receive and respond data subject rights Your expectations on matters such as data retention, data security, data breach prevention and response, direct marketing, etc. Any data protection measures that are unique to your business. For instance, a journalism company, health-related organisation, children organisation etc., will have a different approach to data protection than other business organisations. How staff should escalate privacy concerns within the organisation Lastly, the consequences of failing to comply with the policy 2. Data Retention Policies One of principles outlined under Section 25 of the Data Protection Act is storage limitation. This principle means that you should only keep personal information for as long as is necessary for the purposes of collection. Failing to define retention limits is a violation of the Act. A data retention policy is a set of guidelines that keep track of how long an organisation retains information and how to dispose of the information when it is no longer needed. Information here means both electronic/digital format as well as hard-copy format. In many cases, a retention policy covers all types of information processed within an organisation and does not necessarily confine itself to personal data. However, because the law mandates that personal data should not be retained indefinitely, you should the specify retention limits for personal data. The typical contents of a retention policy are: – Clear internal procedures for deletion and destruction The data kept in your organisation and the duration it is stored Justification for the retention period for each type of data A determination of which personal data should be backed-up and the duration of the back-up When defining retention periods for your data, consider the purpose for which you collected the information – If your lawful purposes for processing personal data still apply, you can continue to hold the data. However, when the purpose expires, consider your legal and regulatory requirements to retain data. For example, as evidence for tax and audits, or if necessary, in contemplation of potential lawsuits. Retention periods are not usually defined in data protection laws but you can refer to other relevant statutes e.g., the income tax Act or Companies Act. Moreover, consider whether you require the data for decision-making or business continuity e.g., AGM minutes or director and shareholder information. 3. Privacy Policies or Notices A Privacy Notice, commonly referred to as a Privacy Policy, communicates how an organisation safeguards the personal data it interacts with. It is sometimes confused for the Data Protection Policy. However, the key distinguishing factor between the two is that Data Protection Policy is an internal document addressed to staff within the organisation while Privacy Notices are outward facing policies directed at the individuals whose personal data is collected and processed by an organisation. A Privacy Notice can be directed at employees (Employee Privacy Notice), Website users (Website Privacy Notice), Clients or customers (Privacy Notice) etc.Privacy Notices typically contain: The identity and contact details of the data controller or processor, including contact details for your Data Protection Officer. An explanation of:- Why you collect and use personal data How you use and disclose the data How long you keep the data Your legal basis for processing. And any other special considerations e.g., regarding children’s data, health data, any International Transfers etc. Privacy Notices are the main platforms through which organisations communicate with data subjects on how they handle their personal data. Your business discharges its transparency obligation through these documents. Because your customers, clients, employees etc. heavily rely on your Privacy Notice, a misleading, incomplete, inaccessible or poorly worded document may result in massive fines, sanctions and reputational risks. This was the case in Facebook Inc. settlement against America’s Federal Consumer Protection Agency FTC where Facebook suffered huge financial and regulatory sanctions for deceiving its users on their privacy policy. To avoid this ensure your notices are accurate, clear and easy to understand especially for vulnerable groups like children. Further, ensure the notice is readily accessible to the reader at the relevant time i.e., before processing begins. 4. Information Security Policies Information Security Policies set out your organisation’s guidelines for detecting, preventing, and managing risks to business’ information. These risks include the loss, theft, copying, or any other derogation of information integrity. All the information you hold may be at risk of derogation including soft copy, hard copy or even oral information. Information security risks can originate internally or externally; and could be either malicious or accidental; No matter..
