Internal Data Protection Policy
An internal data protection policy describes the principles and conditions that apply to your company's handling, processing and storage of personal data. The document sets out how these principles and conditions apply in the context of the company's operations and how they are relevant to personal data collected from different categories of data subject (e.g. customers, employees or suppliers). It is also known as a privacy standard or simply as a data protection policy.
When should you use an Internal Data Protection Policy?
An internal data protection policy will help your company comply with the requirements of the UK General Data Protection Regulation (UK GDPR) and other applicable data protection regulations (such as the Data Protection Act 2018). As well as helping to ensure your company is legally compliant, a well-drafted internal data protection policy also:
provides employees with clear guidance about their data protection responsibilities;
underlines the importance of protecting personal data which is processed by the business; and
sets standards for how your company makes decisions about processing personal data.
Why is an Internal Data Protection Policy important?
In the UK, companies must process personal data in compliance with privacy laws, including the UK GDPR. Almost all companies process personal data, since they collect details such as the names, addresses and contact details of customers, service providers or visitors to their website. Some examples of how you might be processing personal data as an SMB include:
collection of personal data from prospective customers through your website, social media platforms, and other forms of communication;
storage of customer contact details in any CRM systems; and
login details for users of your app or website.
There are large potential fines for failing to comply with the UK GDPR. The most serious violations can result in fines of up to 4% of global turnover for the preceding financial year or £17.5 million (whichever is greater), and other violations can result in fines of up to 2% of annual worldwide turnover for the preceding financial year or £8.75 million (whichever is greater).
What are the common pitfalls of an Internal Data Protection Policy?
Adopting an internal data protection policy by itself is not sufficient to ensure compliance with the UK GDPR. Your business will also need to communicate the policy to your employees and implement the data protection practices set out in it. The policy should be appropriate for your business and reflect the types of personal data that you process. If your company is relatively small and only processes small amounts of personal data, you could consider incorporating the data protection policy into your staff handbook rather than maintaining it as a standalone document.
Access all the templates you need with PocketLaw. Save time and reduce risk by leveraging our extensive library of 130+ templates, which are developed by qualified lawyers.
Ready to get started? Create your internal data protection policy in minutes. PocketLaw offers a platform with legal documents, guidance and a clever contract management system, as well as access to partner law firms where bespoke advice is needed. All the legal support you need to grow your business and drive it forward.