Why do we need data protection policies?

Look under the carpet of any successful organisation, including life science companies, and you are likely to find a comprehensive suite of policies. These typically provide high-level statements of commitment by an organisation on how it achieves certain outcomes, as well as strategies for dealing with standalone operational issues.

This approach extends to the use of data protection policies. Yet why should organisations adopt data protection policies and what are the benefits these policies provide?

What do we mean by a data protection policy?

It is worth considering what we mean when we talk about a data protection policy. Policies can take many different forms. They may be public-facing statements of a company's commitment and approach to the collection and use of customer personal data, or an internal policy telling employees how personal data collected about them will be handled.

Policies are also used to foster certain behaviours, limit negative actions or drive forward particular good practices, so that employees, for example, can do their jobs with knowledge and confidence. A policy can, therefore, be a guide to action, with the detailed steps for achieving its objective set out in separate procedures.

Considering the law


There are a number of reasons why we need data protection policies, with legal requirements being foremost. Data protection laws in the EU place legal responsibility upon the shoulders of the data controller who determines how and why personal data of individuals is processed. Central to these obligations are eight data protection principles, comprising enforceable standards over the way personal data is collected, managed and used.

The principles do not, however, provide a template for compliance. They typically use non-specific terms to describe processing, such as “adequate”, “relevant”, “fair” and “appropriate”, and for this reason compliance by the controller is a matter of interpretation: applying the principles to specific circumstances. Although there is no explicit statement in the law that policies must be used, there is an implicit presumption that policies are needed to deliver compliance, by helping an organisation and its employees to understand the nuances, consider the data and apply the law appropriately.

If we take, for example, the first of the data protection principles, this requires that personal data is processed “fairly”. The UK Data Protection Act 1998 (DPA) does not comprehensively explain the concept of fairness. It merely explains, in the interpretation provisions of Schedule 1 to the DPA, that personal data will only be processed fairly if the data controller has ensured, as far as reasonably practicable, that individuals are given, or have readily available, certain information, such as the identity of the controller and the purposes for which the data will be processed. A website privacy policy may be one of the ways this is achieved.

Another example can be found in the security principle. A core requirement of this principle is that security measures must be "appropriate" to prevent data from being accidentally or deliberately compromised. This must include the use of organisational measures, meaning robust policies and procedures that define the security processes of the organisation and clearly delineate the responsibilities for security within the organisation and by any third parties processing personal data on its behalf.

Limiting liability

The value of policies in underwriting legal compliance can be seen particularly when we look at the UK regulator, the Information Commissioner's (IC) approach to auditing compliance and enforcing the law.

In assessing the level of compliance by an organisation, the IC will typically focus, among other factors, on the role of governance and accountability. The view of the IC on the compliance or otherwise of an organisation, and the level of any formal action it takes, will be strongly influenced by the presence or absence of policies. For example, when fining Midlothian Council £140,000 in January 2012, the IC pointed to how the breach could have been avoided if the council had put adequate policies and procedures in place.

Avoiding bad publicity

Legal reasons for using policies are clearly very important, but equally important are the practical and commercial risks of not having policies. In reality, damage to brand and reputation can be more dangerous for an organisation than any risk of action or a fine by the IC.

Improving business processes

That said, it is not just about the law or avoiding bad press. There are also positive and practical commercial benefits from using data protection policies. These include enabling uniformity and consistency in decision making, helping to build a culture of awareness and responsibility, making personal data management and infrastructure more resilient and, through greater transparency, instilling trust and confidence in individuals when they are deciding whether to share their data.

If you have any questions on this article or would like to propose a subject to be addressed by Synapse please contact us.
Sally Annereau

Sally is a data protection analyst in the IT, Telecoms & Competition group based in the London office.