Notes from the compliance front line: effective data protection policies

I see a lot of policies in my line of work. Many of them are not great. However, what is great is that the only reason I see them is because the organisation has brought me in to help with their governance and they want to get things right.

Small organisations often quickly knock up, or copy, policies because they know they need something. But in the rush to have something, what they produce doesn’t always work for the organisation. I see a lot of documents that are waaay too long and overcomplicate the topic in question. So here are some things to think about if you’re trying to create effective documents that do what they’re supposed to.

Policy and process?

There are some people who like to keep policies and processes separate. And in some types or sizes of organisation this makes sense. For the vast majority of my clients, this is overcomplicating things. Asking staff at a small organisation to read two documents rather than one to understand what to do when they get, say, an access request is not likely to lead to a good outcome. So I tend to help clients create one document that blends policy and process, so it’s clear not just what to do but why you’re doing it, or what you need to take into account.

To make clear which parts of a document are process steps, a numbered step-by-step approach can work well. I have also seen it work where the process steps are set in a different colour, or placed in a box. Creative use of formatting and layout can also help make your documents clear and easy to follow.

Separate topics or combined?

Some organisations like to have each policy topic covered separately, some like to combine topics that are similar. It’s common to have an ‘employee handbook’ that covers a range of topics. There is no right and wrong, so think about what will be right for your organisation, pick an approach and be consistent.

I often find a lot of overlap between policies covering ‘information security’, ‘acceptable use’, ‘password rules’, ‘social media’ and the like. For many small organisations combining these topics into one document is the easiest option. Some do it as an employee handbook, some do it as one policy. It’s always worth considering what topics naturally go together.

Dos and don’ts, checklists and one-pagers

Sometimes, a policy might be a list of dos and don’ts. This can work well in very small organisations. It’s short, unambiguous and to-the-point. It conveys the most important things you want your staff to know.

One-pagers also work well to summarise key points or key actions. They can be good for instructions where all you need people to do is be able to identify something and take an action, such as sending a rights request to the right person, or knowing what things they need to notify as an incident. One-pagers can also work where you have a longer policy and want a short reminder of the most important points (see the next heading for more on this).

Checklists can be useful where you need people to take a series of steps, or to provide an overview of all the things they need to do or think about. Checklists can also be effective when they set out baseline requirements. I have seen them used to help tech teams understand what they always need to build into whatever they are building to embed key compliance points. I’ve also seen them used to help those dealing with contracts make sure all the right clauses are included, and easily identify what’s missing.

Reminders

If you write a policy, you intend someone to read it. A lot of organisations throw a bunch of policies at new staff on their first day, and some even have staff sign things to say they have read a policy. And then that’s it. It’s a lot to take in, and however you make staff aware of policies, they will always need reminders.

Reminders can be physical - such as a poster on an office wall, or a laminated card with the number to call if your laptop is stolen. They can be digital - such as a message on the screen every time you log on, regular emails and newsletters, or online training. They can also be verbal - such as a standing item on a regular meeting agenda.

Plain English

Of course I am going to promote this! Your policy is no use to anyone if they don’t understand it the first time they read it. Use ‘you’ and ‘we’, write active not passive sentences, and avoid long rambling paragraphs with loads of commas. Use bullet lists, headings, bold and different font sizes to structure the information. Have a contents list, ideally one that links to the relevant sections. Essentially, follow the principles of plain English for anything you write that you intend for someone else to read.

Get creative

Writing policies is part of governance, but it doesn’t have to be boring and it doesn’t have to be just words, or just documents. How else can you convey the information? Some people work better with visuals, some with words. Also think about how you embed your governance day-to-day. If you have a checklist for something to do with data protection, does it have to be a stand-alone thing? Can you make it part of something else that your staff are doing anyway?

What works for your people?

Ultimately, you have to do what works for your organisation. And by that I mean your people. If you know at the start what outcomes you want, then you can create policies that achieve those outcomes.

  • Do you just need people to spot something and escalate it?

  • Do you need them to take a range of actions and decisions themselves?

  • Are you just giving them information?

Most small organisations are very busy. Staff have jobs that are not data protection, and they are not going to spend hours reading a long list of policies.

What is it crucial that they know?

Many people will only refer to a policy when they need it. Or look for a process when something has happened. So is your content well-labelled and easy to find? Can you quickly find the information on what to do if your laptop is stolen, after your laptop has been stolen?

My word, this is dull!

Most people think policies are boring. Many of them are. No-one likes writing them, and even fewer like reading them. So what’s the point?

That is the key question. It’s how you get started and how you create something that people read, understand and follow. And maybe, that isn’t dull after all!

If you are a small organisation struggling with your governance, or perhaps struggling to even get started, get in touch, and let’s get you sorted.

Scrabble tiles spelling out the words make it so on a blue background