Policy development is a key consideration for any organisation looking to comply with data protection laws. Data protection policies are a set of principles, rules and guidelines that define the goals of an organisation in terms of privacy compliance. They provide guidance on how to achieve compliance objectives. Apart from guidance, a sound privacy policy framework ensures consistency in data protection across your organisation, offers clarity on data protection obligations and promotes accountability within the business.
This article is part of our ‘Roadmap to Data Protection Compliance’ series, which gives practical guidelines on how to comply with data protection laws and regulations. In this article, we outline the 5 basic data protection policies all organisations need to develop for compliance. Namely:
- Data Protection Policy
- Data Retention Policy
- Privacy Policy/Notice
- Information Security Policies
- Incident Response Policy/Plan
1. Data Protection Policy
The first policy you need for privacy compliance is a Data Protection Policy. This is an internal policy which outlines your organisation’s approach to safeguarding personal data. It communicates to staff your expectations on how they should collect, use, disclose or otherwise process personal data. In addition, it enables an employer to communicate to staff the consequences of internal non-compliance. Through your data protection policy, you can address the following matters:
- First, the privacy governance structure within your organisation and the various roles and responsibilities assigned to each stakeholder.
- The data protection principles and the measures that you have put in place to comply with the principles
- Data subject rights handling including the mechanisms you have in place to receive and respond data subject rights
- Your expectations on matters such as data retention, data security, data breach prevention and response, direct marketing, etc.
- Any data protection measures that are unique to your business. For instance, a journalism company, health-related organisation, children organisation etc., will have a different approach to data protection than other business organisations.
- How staff should escalate privacy concerns within the organisation
- Lastly, the consequences of failing to comply with the policy
2. Data Retention Policies
One of principles outlined under Section 25 of the Data Protection Act is storage limitation. This principle means that you should only keep personal information for as long as is necessary for the purposes of collection. Failing to define retention limits is a violation of the Act.
A data retention policy is a set of guidelines that keep track of how long an organisation retains information and how to dispose of the information when it is no longer needed. Information here means both electronic/digital format as well as hard-copy format. In many cases, a retention policy covers all types of information processed within an organisation and does not necessarily confine itself to personal data. However, because the law mandates that personal data should not be retained indefinitely, you should the specify retention limits for personal data.
The typical contents of a retention policy are: –
- Clear internal procedures for deletion and destruction
- The data kept in your organisation and the duration it is stored
- Justification for the retention period for each type of data
- A determination of which personal data should be backed-up and the duration of the back-up
When defining retention periods for your data, consider the purpose for which you collected the information – If your lawful purposes for processing personal data still apply, you can continue to hold the data. However, when the purpose expires, consider your legal and regulatory requirements to retain data. For example, as evidence for tax and audits, or if necessary, in contemplation of potential lawsuits. Retention periods are not usually defined in data protection laws but you can refer to other relevant statutes e.g., the income tax Act or Companies Act. Moreover, consider whether you require the data for decision-making or business continuity e.g., AGM minutes or director and shareholder information.
3. Privacy Policies or Notices
A Privacy Notice, commonly referred to as a Privacy Policy, communicates how an organisation safeguards the personal data it interacts with. It is sometimes confused for the Data Protection Policy. However, the key distinguishing factor between the two is that Data Protection Policy is an internal document addressed to staff within the organisation while Privacy Notices are outward facing policies directed at the individuals whose personal data is collected and processed by an organisation. A Privacy Notice can be directed at employees (Employee Privacy Notice), Website users (Website Privacy Notice), Clients or customers (Privacy Notice) etc.
Privacy Notices typically contain:
- The identity and contact details of the data controller or processor, including contact details for your Data Protection Officer.
- An explanation of:-
- Why you collect and use personal data
- How you use and disclose the data
- How long you keep the data
- Your legal basis for processing.
- And any other special considerations e.g., regarding children’s data, health data, any International Transfers etc.
Privacy Notices are the main platforms through which organisations communicate with data subjects on how they handle their personal data. Your business discharges its transparency obligation through these documents. Because your customers, clients, employees etc. heavily rely on your Privacy Notice, a misleading, incomplete, inaccessible or poorly worded document may result in massive fines, sanctions and reputational risks. This was the case in Facebook Inc. settlement against America’s Federal Consumer Protection Agency FTC where Facebook suffered huge financial and regulatory sanctions for deceiving its users on their privacy policy. To avoid this ensure your notices are accurate, clear and easy to understand especially for vulnerable groups like children. Further, ensure the notice is readily accessible to the reader at the relevant time i.e., before processing begins.
4. Information Security Policies
Information Security Policies set out your organisation’s guidelines for detecting, preventing, and managing risks to business’ information. These risks include the loss, theft, copying, or any other derogation of information integrity. All the information you hold may be at risk of derogation including soft copy, hard copy or even oral information. Information security risks can originate internally or externally; and could be either malicious or accidental; No matter the case, your organisation needs to anticipate and defend itself against these risks through a detailed policy framework.
Your information security policy framework should also offer guidelines in the event of an actualised security risk (a data breach). Data breaches may result in severe legal, regulatory, financial, reputational consequences (see 2016 Uber data breach and subsequent coverup); However, if properly managed through your policy framework, these risks can be mitigated.
When developing these policies consider the risk factors resulting from the nature of your business, the nature of the information you hold, why and for whom you hold it (e.g., sensitive health data or government data). Additionally, assess the IT systems you use and the integrity and competence of your employees and third party vendors. Moreover, incorporate default cyber and physical security measures in your data processing operations.
You will also need to consider how the information security policy framework interacts with policies in adjacent areas, for example the other data protection policies outlined in this article. Further, you should also consider whether to have one information security policy or have multiple policies dealing with different dimensions of information security for example, Acceptable use policies, Cloud security policies, Asset security policies, email and internet policies, cyber security policies, clear desk/clear screen policy etc.
4. Information Security Policies
An Incident Response Plan is an Information Security Policy that details the procedures of reporting and responding to suspected, attempted, or actual data breaches. Data protection laws have stringent requirements regarding personal data breaches and security incidents including tight reporting timelines. As such, you need a detailed Incident Response Plan that guides employees on how to identify and react to a data breach. The guidelines should clearly stipulate:
- The assigned roles and responsibilities for managing incidents, including responsibilities for any external communications or notifications to the police, regulators, business partners and affected individuals.
- The obligation on employees to report any suspected incident immediately on discovery.
- The channel(s) for reporting any suspected information security incident.
- Finally, clear procedures and mechanisms for detecting, investigating and reporting data breaches
Conclusion
An organisation cannot comply to data protection laws and regulations without an appropriate data protection policy framework. Policies not only outline your organisations overall attitude towards privacy but they also offer specific guidelines for compliance. This article only outlines the basic policies to adopt, however, a you should develop a more comprehensive policy framework that takes into account the unique circumstances in your industry.
As we wind up the roadmap to compliance series, next week we discuss third party vendor compliance and finally conclude the series with an article on how to register as a data controller or processor.
As we wind up the roadmap to compliance series, next week we discuss third party vendor compliance and finally conclude the series with an article on how to register as a data controller or processor.