How Do You Conduct A GDPR Policy and Privacy Information Review

Published on Oct 12, 2021

As part of our series of articles about how to carry out a GDPR compliance audit or GDPR readiness assessment, we recently discussed how to conduct a data mapping exercise in order to identify what personal data your organisation holds. We followed this up with an article about how to establish a lawful reason for processing. In this article, we turn our focus towards internal and external documentation.

It may come as a surprise, but achieving compliance with the UK General Data Protection Regulation (GDPR) isn't helped by implementing boilerplate policy documentation. Instead, it requires appropriate procedures and notifications that reflect how your organisation approaches specific compliance issues. Taken together, this documentation forms the heart of an effective privacy management operation and the foundation for ongoing GDPR compliance. It ensures a business has considered how it protects the personal information it holds and has taken action to safeguard the rights of data subjects. Well-documented policies and privacy information are defined as a responsibility of the controller under Article 24(2) and are also a substantial factor in demonstrating accountability under Article 5(2), so the significance of having accurate and relevant documentation shouldn't be understated.

Consequently, you should regularly review your data protection policies, procedures, and related privacy information to ensure your organisation retains ongoing GDPR compliance. Conducting regular reviews also helps ensure privacy-related processes are concise and remain relevant, which makes them easier for your employees to follow.

What should be included in your data protection policy?

In the first instance, let's look at the types of areas that should be included within your data protection policies and procedures in order to be compliant.

Privacy laws like the GDPR are long and complex. Your data protection policy is, therefore, a summarised version of all relevant legislation that applies in the region(s) in which your business operates. It explains your commitment to privacy compliance, the practices you follow and the requirements expected of employees in terms they will understand.

In the event of an investigation from the Information Commissioner's Office (ICO), your data protection policy is the first place they will look. This is how the ICO will determine if you process personal data lawfully and whether an alleged violation resulted from a mistake or widespread neglect. It's worth noting that human error will likely result in a far more lenient outcome than that of systemic failure, which will almost certainly lead to a monetary penalty.

While there are no set criteria, you could consider including the following in your data protection policy documentation:

  • Purpose explaining why the GDPR policy is necessary
  • Definition of terms
  • Scope of the laws and regulations covered
  • Your general approach to data protection
  • How your governance structure is set up
  • Contact information of your Data Protection Officer (where applicable)
  • How you ensure lawful processing
  • How you address data protection by design and by default, and data minimisation
  • How your data processing practices are reviewed
  • How you demonstrate accountability
  • How you ensure the rights of data subjects are protected
  • Your subject access request procedure
  • How long personal data is retained
  • What technical and organisational controls are in use (encryption, anonymisation, pseudonymisation)
  • What authentication processes are in place
  • What rules exist to protect against email threats and unauthorised disclosure
  • Your data breach response and notification procedure
  • How staff are trained in handling personal data and information security
  • How/where processors are used and selected
  • What contractual requirements are placed on processors, and how they are verified
  • What safeguards are in place to protect data being transferred to third countries and international organisations
  • How marketing processes are controlled and monitored for compliance

How to review GDPR policy documents

The next step is to check each area of the policy documentation:

  • Check to see if any compliance obligations and responsibilities have changed since the last review
  • Determine whether your organisation has implemented compliant policies and procedures to manage the processing of personal data
  • Confirm that all supporting information and justification is documented and still valid
  • Ensure activities required of employees are being carried out in accordance with such policies and procedures

How does this work in practice?

For instance, reviewing how long you need to keep personal data, and what needs to happen to ensure it is securely deleted afterwards, would follow something along these lines.

Data Retention Policy

Your data retention policy sets out your organisation's rules about how long information should be held. The GDPR doesn't define a specific storage limitation period. Instead, your policy should outline retention periods based on documented and justifiable requirements deemed necessary for your business. When determining if the set retention limits are still relevant, consider the purpose for processing the data, along with any legal or regulatory requirements. The key point is not to keep hold of personal data for longer than it is needed for the purpose.

There are two exceptions that remove the need to adhere to data retention periods. The first is to anonymise the data so that it can no longer be connected to an identifiable person; anonymised data can be retained indefinitely under the GDPR. The second is where the information is archived for public interest purposes, or for scientific and historical research or statistical purposes, subject to Section 19 of the Data Protection Act 2018 (p30).

As the retention deadline approaches, you have three options: delete, anonymise or archive the data. Check which of these is the appropriate action and that it actually happens in practice. When deleting personal data, be sure to destroy, remove or erase all copies. This means you will need to know where the data is stored, including backups, and whether it is digital or paper-based.

A retention schedule will help you keep track of how long different types of personal data can be kept and provide guidelines for how they should be discarded.

A GDPR policy review is a perfect time to rethink your privacy information

Once the policy review is complete, it's time to focus on your external privacy information. This includes your privacy notice along with any forms where personal data is captured.

Whereas privacy policies are internal documents outlining the rules and requirements expected of employees, privacy notices are external documents that explain to individuals what you do with any personal data you hold about them and why. The UK GDPR provides more precise instructions about the individual's right to be informed under Articles 12, 13 and 14 (p12-15).

The conventional approach to presenting privacy information is outdated and, as it turns out, unfit for purpose. By this, we mean that many privacy notices are complex legal disclaimers, with numerous interlinking documents that make it hard for the reader to understand how their information is being used. In reality, privacy notices should be transparency tools that build customer trust and loyalty by clearly explaining how personal data is processed. We recently wrote an article about how to write your privacy notice to win customers and influence people, covering this very topic. When conducting a review of your privacy information, accessibility is just as important as content.

Final thoughts

After completing a thorough policy review, it is helpful to prepare a list of observations and conclusions. You will also need to follow up on any policies that are not being followed, determine why, and implement an action plan to meet the documented compliance guidelines.

By following the requirements outlined within your data protection policies and procedures, alongside transparent privacy information presented in an easily accessible format, your organisation will demonstrate to the ICO that it can identify and control risks that could otherwise lead to a breach of data protection.

As a training provider, Freevacy recommends the BCS Practitioner Certificate in Data Protection along with the IAPP Certified Information Privacy Professional Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certified training courses, which, when combined, provide the knowledge required to review data protection policies and procedures successfully.

In our next article, we look at how to carry out a data security audit.

To find out more about data protection and privacy law training, please email us at or call 0370 04 27701.