The six recommendations are as follows:
1. Assess whether the organisation is required to set up a data protection policy: not every organisation is required to do so. Whether the obligation applies depends on the nature of the data processing or the type of organisation.
2. Use internal and/or external expertise: the Data Protection Officer can play an important role in this as an adviser and internal supervisor.
3. Record the policy in a single document: avoid fragmentation of information in a privacy statement, a data processing register and a policy.
4. Be concrete: a data protection policy is a concrete translation of the GDPR standards in the context of an organisation’s data processing. Reiterating standards from the GDPR is not sufficient.
5. Communicate the policy: while publishing the data protection policy is not mandatory, it gives data subjects insight into how an organisation deals with personal data. However, be careful with information about security when publishing the policy.
6. Even when publication is not mandatory, it is nonetheless advisable: through a data protection policy, an organisation demonstrates its commitment to protecting the personal data of data subjects.
In short, it is sensible to take the DPA’s recommendations into account when drawing up a policy. However, it is advisable to remain critical and to follow the recommendations only insofar as doing so has a positive effect on data protection within the organisation.
This is a Legal Update from Elze ‘t Hart, with thanks to Anne van der Sangen.