Published 4 Jun 2024

What is a Data Protection Policy & What is Covered?

By Pulsant

Data protection is vital not only for your business but also for your customers, whose sensitive data and information you may hold. The EU General Data Protection Regulation (GDPR) sets strict requirements for the protection and security of personal data that businesses must adhere to. 

Because data protection sits within privacy and human rights law, handling personal data securely is a significant obligation for businesses, and one that we take seriously. Your business needs to consider not only the everyday safety of the personal information it holds, but also the complications that come with server disruptions, outages, and technology changes. 

In this blog, we will explore what data protection is, what a data protection policy entails, and the responsibilities of businesses in relation to their policies and any breaches.  

What is data protection by design?

Data protection by design is the practice of building the safety and security of personal data into the design of new processes, systems, and technology stacks. This proactive approach integrates data protection into the earliest stages of development, so that it is a consideration throughout any new process or software implementation rather than something added afterwards. 

Some key concepts that come with data protection by design include: 

  • Data minimisation – limiting the personal data you collect to what is necessary for a stated business purpose, so that nothing is used or stored without a reason. 
  • Privacy as a default – building systems and processes so that the most protective setting is the default for all business activity, with optional processing switched off until the individual opts in, and software designed to protect customer and company data automatically. 
  • Transparency – your company should be clear and open about what data it collects and how that data is used and stored within your business.  
  • User controls and consent – your customers should be able to consent to their personal data being collected, used, and stored, and should be able to change or withdraw that consent later.  
  • Accountability and governance – your business should regularly assess its data security, conduct checks, appoint a Data Protection Officer where required, and take whatever further steps are needed to maintain protection and meet its regulatory obligations. 

Mitigating data protection risks starts with well-designed systems that account for how data is collected and stored. To comply with the EU GDPR, your business should consider the necessity, usage, and continual protection of customer and company data from the outset.  
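The principles above are design decisions, so they are easiest to see in code. The following is an added example written for this page, not Pulsant's code or code from any product the page describes. It sketches a sign-up handler that enforces data minimisation with an allow-list of fields tied to purposes, applies privacy-protective defaults, records consent so it can be withdrawn, and pseudonymises the email address before any analytics use. The field names, purposes, and the pseudonymisation key are constructed assumptions for illustration.

```python
"""Added example: data protection by design in a sign-up handler.

Not Pulsant's code. Field names, purposes and the key below are constructed
assumptions for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Data minimisation: an allow-list of the fields this process actually needs,
# each tied to the purpose that justifies collecting it (constructed example).
ALLOWED_FIELDS: Dict[str, str] = {
    "email": "account login and service notices",
    "display_name": "shown to the user in the product",
}

# Privacy by default: optional processing is off unless the person opts in.
DEFAULT_PREFERENCES: Dict[str, bool] = {"marketing_emails": False, "analytics": False}

# Example-only key; a real system would load this from a secrets store.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def minimise(submitted: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keep only allow-listed fields and report what was dropped for auditing."""
    kept = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in submitted if k not in ALLOWED_FIELDS)
    return kept, dropped


def pseudonymise(identifier: str) -> str:
    """Keyed hash so analytics can count distinct users without storing the email."""
    return hmac.new(PSEUDONYM_KEY, identifier.lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    # A real system would also record who changed it, when, and via which interface.


@dataclass
class Account:
    data: Dict[str, str]
    preferences: Dict[str, bool] = field(default_factory=lambda: dict(DEFAULT_PREFERENCES))
    consent_log: List[ConsentRecord] = field(default_factory=list)

    def set_consent(self, purpose: str, granted: bool) -> None:
        """Consent must be changeable: withdrawal is just another recorded decision."""
        if purpose not in self.preferences:
            raise ValueError(f"unknown purpose: {purpose}")
        self.preferences[purpose] = granted
        self.consent_log.append(ConsentRecord(purpose, granted))

    def may_process(self, purpose: str) -> bool:
        return self.preferences.get(purpose, False)


def register(submitted: Dict[str, str]) -> Tuple[Account, List[str]]:
    """Create an account from a submitted form, discarding over-collected fields."""
    data, dropped = minimise(submitted)
    if "email" not in data:
        raise ValueError("email is required for account login")
    return Account(data=data), dropped


def analytics_event(account: Account, event: str) -> Optional[Dict[str, str]]:
    """Emit an event only if the person opted in, and never with the raw email."""
    if not account.may_process("analytics"):
        return None
    return {"user": pseudonymise(account.data["email"]), "event": event}


if __name__ == "__main__":
    # Constructed sign-up form that over-collects.
    form = {"email": "Ada@Example.org", "display_name": "Ada",
            "date_of_birth": "1990-01-01", "phone": "+44 7700 900000"}
    acct, dropped = register(form)
    print("dropped:", dropped)               # ['date_of_birth', 'phone']
    print(analytics_event(acct, "login"))    # None: no consent given yet
    acct.set_consent("analytics", True)
    print(analytics_event(acct, "login"))    # pseudonymous id, no email
    acct.set_consent("analytics", False)
    print(analytics_event(acct, "login"))    # None again after withdrawal
```

The point of the allow-list is that a new form field added by the front end does not silently become stored personal data; it is dropped and reported. Keeping the consent log alongside the current preference is what lets you evidence accountability later, because you can show when consent was given and when it was withdrawn.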

What is a data protection policy?

A data protection policy is your promise to protect the data you collect, use, and store. It is an outline of your commitments as a business and the principles, rules, and regulations for managing and handling the data.  

This will include what data you collect, how it is used, why it is necessary, and how your customers can give, change, or withdraw their consent. In summary, your data protection policy should explain how your business will comply with data protection laws and regulations.  

You should also include information on training and awareness within your business and your proposed response to any data protection breach. 

The policy should be published somewhere easy to find, such as your website.  

What is a data protection breach?

A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. In practice this means data has been accessed, altered, processed, or transmitted by or to someone who should not have had it, whether through a malicious attack or by accident. A data protection breach occurs when the law or regulations your company must abide by are violated, which can happen with or without a security incident.  

Some forms of data breaches include: 

  • Malicious attacks or cybersecurity threats – hacking attempts to steal, manipulate, or gain access to your data. This also includes malicious insiders damaging or exfiltrating data, malware infections, and outright data theft.  
  • Physical loss or theft – if work devices such as laptops or phones are lost or stolen, the personal and sensitive data on them can be accessed by an unauthorised party, particularly if the device is not encrypted.  
  • Accidental disclosure – inadvertently giving someone access to sensitive data. Typical causes are a staff member responding to a phishing email, data sent to the wrong recipient, and other mistakes that expose data which should not have been shared.

What is covered by data protection?

As part of privacy and human rights law, individuals have the right to know what your company is doing with their data, how it is being stored, and to withdraw consent or have their data deleted from your systems.  

Part of your customers’ rights includes knowing what information your company holds about them and the right to access this information.  

Data protection covers a wide range of obligations regarding this data and its collection, storage, and management. Some of the areas it covers include:  

  • Processing activities – what is happening with the data you have collected, and how you are collecting, storing, and managing it.  
  • Data controllers and processors – who decides how and why the data is processed, who processes it on their behalf, and whether the right training and understanding are in place to protect the data and avoid breaches where possible.  
  • Data subjects – the individuals whose data you collect and store, their rights, and how they can access and control their data within your business, including giving or withdrawing consent.  
  • Confidentiality – protection against unauthorised or unlawful processing of personal data, covering its collection, storage, and handling. Individuals have a right to confidentiality and to decide how their personal data is used.  
  • Data breach notification – the obligation to report a personal data breach, however it happened. Under the GDPR the supervisory authority must be notified without undue delay, and where feasible within 72 hours, unless the breach is unlikely to result in a risk to individuals; the affected individuals themselves must be informed when the breach is likely to result in a high risk to their rights and freedoms.