Importance of Policies and Procedures in the GDPR world

Updated: Apr 13, 2020

IT strategy should be in sync with the goals and strategy of the business, and IT governance is the foundation that makes this possible; COBIT and the ISO standards (for example ISO/IEC 27001 for information security management) are notable frameworks. In the era of the GDPR, employee habits may need to change, so a set of specific guidelines and standards for workers to follow is useful. Documenting these standards helps ensure the business remains compliant and out of trouble.

IT governance should also cover a strong security management effort. Policies must be aligned with current standards: for example, transmitting data without TLS (the successor to SSL), storing passwords in a recoverable form (plaintext or reversibly encrypted) instead of as salted hashes, or having no password policy on forms that handle sensitive data or payments is unacceptable in the age of digitalisation.

One factor in formulating good policies is knowing the risks that could threaten the business's assets. Another is making the policies clear and understandable to employees.

IT handbooks and standards are also important, and they should be used alongside policies.

For example, a policy might require employees to use passwords that meet certain technical specifications, while the IT handbook spells out those requirements and what to do when changing a password.
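As an added illustration of the two technical points above (a password policy enforced where sensitive accounts are created, and a password store that holds salted hashes rather than recoverable passwords), here is example code that is not part of the original post. The specific rules (a 12-character minimum, character classes, a small blocklist) and the PBKDF2 parameters are assumptions chosen for illustration; the page states no particular values, and a real handbook would set its own.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Assumed policy parameters for illustration; the article states no specific values.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
# Constructed blocklist of passwords a handbook would forbid (assumption).
COMMON_PASSWORDS = {"password", "password123", "welcome1", "qwerty123456"}


def check_password_policy(password: str) -> List[str]:
    """Return the policy rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it with its parameters.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>. Keeping the
    parameters next to the hash lets the iteration count be raised later
    without breaking verification of existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never authenticate against it
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# The unacceptable pattern the article warns against: a user table holding recoverable passwords.
def store_user_insecure(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = password  # anyone who reads the database reads every password


# The hardened pattern: policy is enforced at registration and only a salted hash
# is persisted, so a leaked table does not hand out working credentials.
def register_user(users: Dict[str, str], username: str, password: str) -> List[str]:
    """Store the user if the password passes policy; return the violations (empty on success)."""
    problems = check_password_policy(password)
    if not problems:
        users[username] = hash_password(password)
    return problems


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against the hashed store without revealing whether the user exists."""
    stored = users.get(username)
    if stored is None:
        # Burn the same work as a real check so timing does not expose unknown usernames
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    table: Dict[str, str] = {}
    print(register_user(table, "alice", "password123"))  # lists the violated rules
    print(register_user(table, "alice", "Correct-Horse-Battery-42"))  # []
    print(login(table, "alice", "Correct-Horse-Battery-42"))  # True
    print(login(table, "alice", "wrong"))  # False
```

The policy check returns every violated rule rather than the first one, which is what a handbook-facing form needs to tell the employee what to fix; the store records the hash parameters alongside the hash so an audit can confirm which records still use an old iteration count.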

Control Procedures

Once policies are in place, it is also important to control the procedures around them. Policies are no good if no one complies. Control procedures show how compliance with a policy is measured. The risks must be considered and assessed, and that assessment determines how frequently each policy should be audited and how the audit is performed.

It is also important to document and retain evidence of both compliance and non-compliance whenever an audit is performed. Senior management should be notified immediately when non-compliance is found so that sanctions can be applied accordingly.

This is relevant to the GDPR because the regulation requires companies to handle risks and threats themselves and to be able to demonstrate that they have done so. Risk and threat assessments, together with a robust IT strategy and matching policies, controls and audits, raise the company's level of information security and reduce the likelihood of security and personal data breaches, which look very bad under the GDPR.