How to Fix Your Company Policies for GDPR

By Patrick O’Kane, Data Protection Officer

Do you ever sit at a desk trying to read a company policy and find that the words are just not going in? Often company policies are written in the most turgid, dull and unintelligible language. The consequence is that employees never read them, much less remember what they say.

The European General Data Protection Regulation (GDPR) requires companies to be smarter than that. Under GDPR we must be more accountable and be able to “demonstrate compliance”. Part of being able to show compliance includes having proper staff policies in place to help employees understand their data duties.

1. The Essential Policies – These are the ones you MUST have.

    1. Data Protection Policy – An essential guide for employees regarding how they may use data, how they can keep it secure, and the consequences of misuse. A good Data Protection Policy can prevent data breaches by helping employees understand how they are supposed to handle data.
    2. Data Retention Policy – A statement explaining when data in documents (or data held electronically) should be deleted. This policy sets out the time limits for deleting different types of documents so that we can stay within the GDPR storage limitation principle found in Article 5 of the GDPR.
    3. Data Breach Incident Policy – An emergency plan that tells your company what to do if a data breach occurs, how to form a team to deal with the breach, how to prevent any further loss of data and whether the company needs to tell customers and Regulators about the breach.

2. Other Data Policies You May Need

    1. Big Data Policy – What you can and cannot do with Big Data under GDPR.
    2. Human Resources and Data Protection Policy – How to treat employee data.
    3. Marketing and Data Protection Policy – The rule book on sending customers offers and promotions.
    4. Social Media Policy – Explains what employees are allowed to post on social media, sometimes including on private accounts.
    5. Encryption Policy – How, when and why we encrypt data.
    6. Outsourcing Policy – What you need to do if you are sending data to a business partner.
    7. Bring Your Own Device Policy – The manual on how to use a personal device in the course of your job.

3. Ensuring Comprehension

Once you’ve written your policies, you need to know that they are understood by your employees. To make them comprehensible:

    1. Make sure they are easy to find – If a 22-year-old call center worker has a query about data protection from a customer, she should be able to access the Data Protection Policy at the click of a mouse for more details. Put your policies front and center on your intranet homepage.
    2. Mind your language – Draft policies for all levels of your company and all age groups. Draft policies for the people who watch “Suits” as well as the people in suits.
    3. Keep them short – Enough said.
    4. Be consistent – Use the same introduction, sign-off and layout for all your company policies. Use an attractive layout.
    5. Don’t be afraid to enforce your policy – Proper Data Protection Governance is much more important for companies post-GDPR. This means that companies have much more to lose if employees misbehave with customer data. Do not be afraid to discipline an employee if they have breached the Data Protection Policy.

Patrick O’Kane is a noted data privacy expert and lawyer (barrister). He is the Data Protection Officer for a Fortune 500 US company. He helped lead a major GDPR implementation project across a group of 30 companies, and has written a book on GDPR entitled “GDPR – Fix it Fast: Apply GDPR to your Company in 10 Simple Steps”.

I’ll have to agree with your comments on the GDPR, and also add to it by stating that GDPR compliance for U.S. businesses is an overwhelming topic indeed, as I’m finding that organizations really don’t know where to start. What’s the scope? What policies need to be developed? The questions are endless and it can be frustrating, to say the least. My recommendations are to first get a sense of what the scope is, which begins by identifying what type of personal data you store, process, and/or transmit for EU data subjects. Just knowing that should give controllers and processors in the US – and the UK – some comfort. After that, I would move to the all-important Article 32 to see what security policies, procedures, and processes you have in place, or are missing. Good luck!