Internal Data Protection Policy

When should you use an Internal Data Protection Policy?

The document is an internal policy document directed at your company’s employees (unlike a privacy policy, which is made available to data subjects outside of your organisation). It should be used to make employees aware of their data protection obligations, provide a clear definition of what personal data is and assign accountability within your company for protecting personal data. It can also be used to set out how the organisation processes personal data and describe the rights of individuals whose personal data is processed by your company.

An internal data protection policy will help your company comply with the requirements of the UK General Data Protection Regulation (UK GDPR) and other applicable data protection regulations (such as the Data Protection Act 2018). As well as helping to ensure your company is legally compliant, a well-drafted internal data protection policy also:

1. provides employees with clear guidance about their data protection responsibilities; 

2. underlines the importance of protecting personal data which is processed by the business; and

3. sets standards for how your company makes decisions about processing personal data.

It should be used together with other data protection policies and documents such as a privacy policy, a cookie policy and a policy for handling personal data breaches.

Why is an Internal Data Protection Policy important and why should you use an Internal Data Protection Policy?

In the UK, companies must process personal data in compliance with privacy laws, including the UK GDPR. Almost all companies will process personal data as they will collect details such as names, addresses and contact details of customers, service providers or visitors to their website. Some examples of how you might be processing personal data as a SMB include: 

• collection of personal data from prospective customers through your website, social media platforms, and other forms of communication; 

• storage of customer contact details in any CRM systems; and

• login details for users of your app or website.

 There are large potential fines for failing to comply with the UK GDPR - the most serious violations can results in fines of up to 4% of global turnover of the preceding financial year or £17.5 million (whichever is greater) and other violations can result in fines of up to 2% of annual worldwide turnover of the preceding financial year or £8.75  million (whichever is greater). 

What are the common pitfalls of an Internal Data Protection Policy?

Adopting an internal data protection policy by itself is not sufficient to ensure compliance with the UK GDPR. Your business will also need to communicate the policy to your employees and implement and adopt the data protection practices set out in the policy. The policy should be appropriate for your business and reflect the types of personal data that you process. If your company only processes small amounts of personal data and is relatively small, you could consider incorporating the data protection policy into your employee staff handbook, rather than having it as a standalone document. 

Remember, an internal data protection policy is only one part of a company’s data protection compliance practices. It is not a substitute for documents such as a privacy policy or a privacy notice (which should be provided to employees together with their employment contract when they join your company).