One thing that is mentioned a lot when it comes to GDPR is policies. One large part of how companies will have to demonstrate compliance with GDPR is through documentation and policies. The regulation, for example, requires a data protection and information security policy to exist, as well as a privacy policy.
A data protection and information security policy (learn more about factors for successful information security management) is a document about the organisation and its overall routines and processes in relation to the handling and processing of personal data.
It can be time consuming to create a policy. And there are a few things to keep in mind when developing an information security policy.
What an information security policy should include
As of now, there isn’t a specific template to follow when writing a GDPR information security policy. Our advice is therefore to base it on the ISO 27001 standard and adjust the policy to the requirements that will be prioritised in the GDPR.
The document should include a general description of the policy, scope, stakeholders and their requirements. The document should also include the following:
- Organisation (stakeholders, scope)
- Leadership (management structure, policy, responsibility)
- Planning (risks/opportunities, goals)
- Support (resources, competence, awareness, documentation)
- Activities (planning, assessment and handling of risks)
- Evaluation of performance (measurement, analysis, evaluation, audit)
- Improvements (and deviations)
In order to adapt the policy to GDPR it is important to document and specify those things that are prioritised in the regulation. Things like access control, Security by Design, assets in terms of a record of data processing activities, and of course incident handling since GDPR requires quick reporting of incidents should they occur.
5 quick tips
Decide which language to use – Everyone should be able to understand the content of the policy. So, it is important to use terms and language already used in the organisation.
Involve the entire organisation – This should apply before, during and after writing the policy. Although the information security policy is mainly a management document, don’t hesitate to involve people from all parts of the organisation. It is also important to continuously train staff internally about the policy.
Reuse old policies – Do you have an old policy in place? Don’t be afraid to reuse what already works for you. Some parts of old policies can work really well!
Keep it simple – At policy level you should be broad and overall. Don’t get caught up in the details. Talk about purpose and goals instead of detailed processes.
Don’t be afraid to change a policy – A policy is a living document and not only should, but it must, be kept up to date.