Policies – part 2… from principles to processes

The GDPR sets out 7 principles which give a high-level overview of the things you need to consider as an organisation. To bring maturity to your risk governance framework, organisations should think about how these principles are applied to their data processing activities. The most effective way to carry out this exercise is to develop a hierarchy from each principle right down to the processes in your organisation.

The most appropriate way to develop this hierarchy is to move from principles to policies, from policies to procedures and from procedures to processes. These processes determine how good data processing practices are enforced, and KPIs can be put in place to measure the outcomes of your processing activities over time.

Once again… organisations should think about how the principles will be appropriately applied to the processing activities in your organisation, e.g. how long should you retain a customer’s data. Once you’ve done this work, policies can be developed for each processing area and written in plain language. These policies should reflect how the principles have been interpreted in relation to your processing activities, e.g. we will retain customer data for a period of 2 years.

These policies are then mapped to, or reflected in, procedures within your organisation, and these procedures are in turn executed through processes. This hierarchy should be documented and show a clear mapping between each layer. This mapping allows organisations to evolve their processes over time in a holistic way and to reduce risk by having more oversight and control over their policies, procedures and processes. This type of mapping document also acts as a very useful artefact should your organisation ever interact with supervisory authorities.