Aspects of the way that organisations operate change from time to time and your controls need to keep up, which means that your policies and procedures need to keep up too. If your policies or procedures are not up to date or if you don’t have any policies or procedures at all, it might be time to conduct a review with some expert help.
Why do policies and procedures matter?
Information, including personal data, is critical to the operation of most organisations. Where one slip, oversight or error could have serious repercussions, it’s essential that everyone on your team is moving in the same direction. Training plays a big part in that, but teams still need a point of reference that they can go to so that they know what to do and how to proceed.
There is a knock-on effect to change in organisations that can directly or indirectly impact on data protection controls. Sometimes the changes can be unforeseen at first, but become far reaching.
For example, your organisation might be considering maintaining remote/home working for some staff. That could entail reviews of controls for mobile devices, access to networks, lines of reporting, software controls and registers, health and safety measures, use and storage of paper files, remote password systems, team communications and training.
Each one of the above should have its own controls (policies or procedures). So far, there’s no mention above of data protection controls, but the fact remains that personal data is being processed through every single one of those aspects.
And so, a change in any of those aspects is going to impact on personal data, which means that your policies and procedures for personal data are going to need to be reviewed as well.
Many organisations and entities realise this and the touchpoints for up-to-date data protection policies and procedures can be far reaching, including:
- Policies and procedures being presented when tendering for work.
- Some insurers are asking for detail of policies and procedures.
- Regulators might require visibility of effective policies and procedures, especially in the event of an investigation or complaint.
Which policies and procedures are we talking about?
There are lots of different names given to policies and procedures that govern or instruct on matters of concern with data protection. Words like ‘privacy’, ‘information’ and ‘data’ often crop up in the title. And, sometimes, organisations combine various strands; it’s not uncommon, for instance, to see documents called ‘Data protection and information security policy’.
In any case, your data protection policy suite is likely to include some or all of the following components:
- Data protection leadership and reporting structure.
- Data protection policy (general)
- Privacy controls
- Dealing with Data Subject Access Requests
- Dealing with data breaches
- Conducting Data Protection Impact Assessments
- Training requirements and reviews
- References to registers (or ‘maps’) of personal data
- Remote working policies
- Software controls
- Password protection
- Retention and disposal of personal data
- Cookie and website controls
- Data sharing and access controls.
Are template policies and procedures a good idea?
There’s no delicate way of putting this; no, on their own, they’re not.
No two organisations process personal data in the same way. The ‘cocktail’ of influences is vast, including the combinations of different bundles of software you use (and which patch or version), and which network you use, and where people are working, the types of customers or clients that you have, your communication, supervision and training schedules and structures, and so on… added together, the variables are in the millions.
It’s near impossible that one organisation could ‘borrow’ the template policies of another and then sleep soundly knowing that they apply appropriately.
We sometimes refer to templates, and sometimes they can be a good place to start or to obtain inspiration. Like any other tool, their effectiveness is limited if they’re not suitable for the intended purpose.
How can Databasix help us?
We conduct a review of your privacy and data protection suite of policies, controls and procedures and discuss their ‘real world’ application with you; from this we can identify any gaps that might exist to produce tailored documents that accurately reflect the way that your organisation protects personal data.
We simplify the detail and put it into plain English that your team will understand and that will be relevant to them.
There’s also the option to tailor the policies to help you to bring them into alignment with requirements for tenders or insurers.
No two organisations' needs are the same and so we provide support tailored to their individual requirements. Get in touch for a tailored quote.