EU GDPR Knowledge base


Contents of the Data Protection Policy according to GDPR

Author: Punit Bhatia

Key elements of a GDPR compliant Data Protection Policy

Creating an internal Data Protection Policy is a good way of starting your compliance with the European General Data Protection Regulation (GDPR). As interpretation of GDPR can be complex and challenging for most people, it is common practice to create an internal Data Protection Policy.

Why should my company create a Data Protection Policy?

Different departments or employees in your company may interpret the GDPR requirements in different ways. A GDPR Data Protection Policy reduces that risk, makes things easier for employees, and saves them the effort of having to interpret the entire regulation by themselves.

In addition, your company can also articulate what is expected and how these requirements are to be fulfilled. To know more about GDPR requirements, you can read this article: A summary of 10 key GDPR requirements.

Key elements of a Data Protection Policy

Typically, the policy will have these elements:

  • Purpose of the policy: This part of the policy describes why this policy is being used, and why it is important for the company. Consider this more like the privacy vision of your company.
  • Definitions of key terms: This part of the policy defines key terms like personal data, special categories of data, etc., in the context of the company. See also: GDPR Glossary.
  • Principles and purposes of processing: This part of the policy defines the guiding principles for the processing of personal data, and the activities for which personal data can be processed. For example, this may include mapping the company activities to legitimate purposes defined in GDPR. See also: Understanding 6 key GDPR principles.
  • Key requirements or controls: This part of the policy lists the key requirements that should be fulfilled in order to be considered compliant with the policy. To ensure that employees and managers can validate the fulfilment of a requirement, a set of controls can be provided. For example, to fulfil the requirements of lawful processing, a control should be implemented to ensure that all processing activities are listed and mapped to one of the legitimate purposes defined in the policy.
  • Key roles and their responsibilities: This part of the policy defines the key roles / stakeholders for ensuring compliance with this policy. This section also outlines the responsibilities of each of the key stakeholders. It is important to note that the responsibilities of employees must also be explicitly stated, so that the employees feel like a part of it. See also: The role of the DPO in light of the General Data Protection Regulation.
  • Appointment of Lead Supervisory Authority: This part of the policy states who is considered (from the perspective of your company) to be the Lead Supervisory Authority. If your company is based in multiple locations, or operates as different legal entities, it should be specified how the management intends to manage the relationships with different Supervisory Authorities. See also: The obligations of controllers towards Data Protection Authorities according to GDPR.


Having an internal Data Protection Policy within a company can be a huge advantage. You must not underestimate the value of this policy, as it allows all employees and external staff of your company to understand what is to be done, and why. Even more importantly, as part of the approval process, it will allow your top management to be aware of the company's obligations in the context of GDPR. So, create your Data Protection Policy today.

Here you can see a preview of the structure of the Personal Data Protection Policy.
