The goal of the data protection policy is to depict regulatory data protection aspects in one summarising document. It can also be used as the basis for data protection inspections, e.g. by the customer within the scope of a data processing agreement. This is not only to ensure compliance with the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018 but also to provide proof of compliance.
A brief description of the company and its motivation to comply with data protection requirements.
· For a company, in addition to existing corporate objectives, the highest data protection goals are to be defined and documented. Data protection goals are based on data protection principles and must be individually modified for every company.
· Determination of roles and responsibilities (e.g. representatives of the company, operational data protection officers, coordinators or data protection team and operational managers)
· Commitment to continuous improvement of a data protection management system
· Training, sensitisation and obligation of the employees
· Industry-specific legal or conduct regulations for handling personal data
· Requirements of internal and external parties
· Applicable laws, possibly with special local regulations
· Conducted internal and external inspections
· Data protection need: determination of the protection need with regard to confidentiality, integrity and availability.
Appropriate technical and organisational measures that must be implemented and substantiated, taking into account, inter alia, the purpose of the processing, the state of the technology and the implementation costs.
The description of the implemented technical and organisational measures (TOM) can, for example, be based on Art. 32 of the UK GDPR:
· Pseudonymisation (Art. 32 (1) (a) of the UK GDPR; Art. 25 (1) of the UK GDPR)
· Encryption (Art. 32 (1) (a) of the UK GDPR)
· Confidentiality (Art. 32 (1) (b) of the UK GDPR)
o Access Control
o Entry Control
o Authorisation Control
o Separation Control
· Integrity (Art. 32 (1) (b) of the UK GDPR)
o Transfer Control
o Input Control
· Availability and Resilience (Art. 32 (1) (b) of the UK GDPR)
o Availability Control
o Resilience Control
· Recoverability (Art. 32 (1) (c) of the UK GDPR)
· Procedures for Regular Review, Assessment and Evaluation (Art. 32 (1) (d) of the UK GDPR; Art. 25 (1) of the UK GDPR)
o Data Protection Management System
o Incident Response Management System
o Data Protection By Design and Default
o Order Control