IAPP Training · Module 10 - BoK IV.B
Module 10 · Data protection policy (Article 24(2))
Under Article 24(2) GDPR, the controller's technical and organisational measures must include appropriate data protection policies "where proportionate in relation to processing activities". The policy is an internal tool: it trains employees, sets out what may and may not be done with personal data, and states the consequences of breaching it. Best practice: concise, understandable language (translated where needed), achievable goals, and a document written for employees, not the regulator.
Audience
The policy is written for employees, not the regulator. If staff cannot understand and follow it, it fails its purpose.
Key terms - quick answers
What is “Data protection policy”?
An internal Article 24(2) document that trains staff and sets the rules and consequences for handling personal data; required where proportionate.