Written data protection policies and procedures are not themselves a legal requirement. But good policies can go a long way towards demonstrating how you comply with the law by setting out standing decisions, practical procedures and allocations of responsibility.
For example, you’re required to consider data protection “by design and by default”. Recording how new processing activities are to be assessed, who decides whether or not an impact assessment is required and, if so, who will carry out and sign off that assessment, can help to show your compliance.
Likewise, a written procedure that tells your staff what to do if they receive a data subject rights request can help reduce the number of requests that are missed or dealt with too slowly. Planning for a data breach ahead of time can save enormous amounts of cost, stress and heartache if the worst happens.
We can help you devise, record and put into operation your data protection policies. Whether you just need a steer on filling out your article 30 record, want to set out simple steps for your staff to follow when you get an access request, or need to devise a full multi-disciplinary data breach response plan, drop us a line.