
Data Protection Hero: We have read the privacy policy. It was as thrilling as you would expect.

A data protection policy is an internal document - often part of a company’s suite of policies, and one of the organisational measures expected under GDPR. It is directed at the workforce, and sometimes at vendors where no more specific agreement exists. It is also, in most companies, a document that nobody reads - not because people do not care, but because it was written to satisfy an audit rather than to inform the people it governs. A document that causes four colleagues to fall asleep at a party is still technically a policy. It is just not a particularly useful one.


Why it matters more than you think

Data protection policies exist to inform the workforce about how the company handles personal data, what the rules are, and what is expected of them. Under GDPR, having appropriate organisational measures in place is a compliance requirement, and a documented policy is part of that. But a policy that exists only as a document, unread on an intranet, is an organisational measure in name only. The GDPR does not mandate a data protection policy in specific terms - but Supervisory Authorities expect organisations to demonstrate that their workforce understands and applies data protection principles. A policy nobody has read does not provide that evidence.

The consequence is predictable. Employees do not know what is expected of them, why it matters, or what to do when something goes wrong. And when something does go wrong - a data subject request mishandled, a personal data breach unreported, a retention period ignored - the gap between what the policy says and what people actually understood becomes very clear, very quickly.

The practical fix

The policy itself needs to exist, and it needs to be accurate. But it should not be the primary way people learn about data protection in your company. The more effective approach is to translate the policy into something designed to be understood, such as a concise one-pager for employees that answers the questions they actually have, contextualised guidance for specific roles or teams, or training that explains what data protection means in practice rather than in principle.

Engaging employees with data protection does not require making the law exciting. It requires making it relevant. A payroll administrator needs to understand data minimisation in the context of HR records. A sales team needs to understand consent in the context of marketing. A customer service team needs to understand data subject rights in the context of the calls they handle every day. That kind of contextual, role-specific communication is what changes behaviour, and behaviour is what the GDPR is ultimately trying to change.

If your company’s data protection policy is doing all the heavy lifting on its own, it may be time to rethink the approach. Purpose and Means can help translate your policies into accessible employee guidelines, contextual one-pagers, and engaging training programmes that make data protection meaningful rather than merely documented. Get in touch to find out more.

Frequently Asked Questions

Is a data protection policy required under the GDPR? The GDPR does not mandate a data protection policy by name, but it does require companies to implement appropriate organisational measures, and to be able to demonstrate compliance under the accountability principle. A documented policy is one of the most common ways companies evidence those obligations, but it only counts if the workforce it governs has actually engaged with it.

What is the difference between a data protection policy and a privacy notice? A data protection policy is an internal document directed at employees and, where relevant, vendors. It sets out how the company manages its data protection obligations. A privacy notice is a document directed at data subjects such as customers, website visitors, job applicants, as well as employees, informing them of their rights and how their data is used under Articles 13 and 14 of the GDPR. They are different documents serving different purposes, and should not be confused. Interestingly, the term ‘privacy notice’ is not mentioned at all in the GDPR.

What should companies do if employees are not engaging with data protection policies? Reframe the communication. A policy document is a reference tool, not a training programme. Companies that want employees to understand and apply data protection principles need to invest in role-specific guidance, accessible summaries, and training that connects the rules to everyday tasks. A well-designed one-pager will do more for compliance culture than a comprehensive policy that sits unread on an intranet.

#DataProtectionHero

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
