5 Reasons Why Your Company Must Have an internal Data Protection Policy

Dr. Thomas Helbing

A Data Protection Policy (or SOP) is a work instruction that sets out responsibilities and processes to ensure compliance with the GDPR in your company and informs your employees about data protection requirements. It covers much more than just data security.

In my opinion, a Data Protection Policy is the most important and often neglected data protection instrument in medium and large-sized companies.

  1. The GDPR expressly requires that companies take appropriate organizational measures to comply with the GDPR. In addition, the company must be able to demonstrate compliance with the GDPR (accountability principle, Art. 5 para. 2 and Art. 24 para. 1 GDPR). This is impossible without a Data Protection Policy.
  2. Data protection law is difficult to understand and its implementation is complex. Unclear processes and "googled" knowledge fail to meet the importance of data protection. In any case, the lack of a Data Protection Policy constitutes organizational fault in medium-sized and larger companies.
  3. Only a good Data Protection Policy can minimize liability risks for the management. Questions about data protection processes are standard in inspections by supervisory authorities.
  4. If something goes wrong with data protection but the big picture fits, in the form of a proper and monitored Data Protection Policy, the risk of fines decreases.
  5. A Data Protection Policy is a basic requirement for audits, in order to compare the actual state with the target state.

By the way, drafting a Data Protection Policy is not the task of the data protection officer (DPO). DPOs advise and control the company. The DPO therefore has to inform the company about missing policies or review existing ones, but does not have to design or even implement them.

You can find my free template of a Data Protection Policy here, including instructions for implementation, a checklist and an overview, in German ("DSGVO Sinfonie" package). For an English language version and advice, please contact me.
