Part 6: Policies and Procedures

Accountabilityis one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICOs 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.


When it comes to GDPR, having policies and procedures in place seems rather obvious. Data protection law requires organisations to put the relevant policies and procedures in place, where it is proportionate to do so. These policies and procedures are designed to provide systemic structure, thus creating clarity and consistency by laying out precisely what people need to do and why.

Policies can also be a useful means of communicating company goals, values and establishing a positive tone. So far, so simple… but there’s a bit more to it.

To help with ease of compliance, the ICO has broken down this section of the framework into 4 categories…

Direction and support

All policies, procedures, guidance, and manuals must be made readily available to operational staff so that they might be applied in practice. They should also be legible and provide staff with enough direction to understand their roles and responsibilities regarding data protection.

Policies should cover:

  • Data protection
  • Records management
  • Information security

Review and approval

Procedures and policies should be reviewed regularly – in line with recorded review dates – and updated when required by senior staff with the relevant expertise. The same staff should also be responsible for approving all new and existing policies and procedures, and ensure they adhere to an agreed format and style.

Staff awareness

All staff need to have read the relevant policies and procedures and have a clear understanding of how they should comply with them. Staff should also be made aware of any updates that take place to any policies and procedures.

Data protection by design and default

Your company must have policies and procedures that ensure data protection issues are considered when designing systems, services, products and business practices that involve personal data. Personal data should be protected by default when implemented.

When creating new policies, it is good practice to produce them with data protection in mind. They also need to safeguard individuals’ rights, such as data minimisation, pseudonymisation and purpose limitation.

Care should also be taken to ensure policies and procedures give additional protection to the personal data of vulnerable groups, such as children.


For any changes to data protection and transferring policies as a result of Brexit, or for a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.


Check back for monthly updates and information regarding the ICO Accountability Framework. In April, we’ll be taking a closer look at Individual’s Rights. You can also read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

Contracts and Data Sharing (Part 4)

Records Management & Security (Part 5)

If you require any further help, guidance, information or clarification, you can contact CVG Solutions at, or call us on 01775 660-506.

CVG Membership

As a brand new addition to CVG Solutions, we launched a membership option last year. Sign up for announcements and updates as they happen, so you don’t miss out on future entries of our Guide to the ICO Accountability Framework blog series.

Policies & Procedures Checklist

Not entirely sure whether your organisation is complying with the regulations laid out by the ICO? No problem, just use this checklist to see where you might be going wrong:

  • Do staff know where to find relevant policies and are they easy to find?
  • Could your staff explain their role and responsibilities and how the policies and procedures help them?
  • Is the highest level of management aware of the strategic business plan for information governance?
  • Are policies consistent?
  • Is the approval process appropriate?
  • Could your staff easily find policies on the intranet or equivalent shared area?
  • Are they aware of the main content?
  • Would we see any data protection awareness-raising materials available or on display around your office, such as posters?
  • Could your staff easily find policies on the intranet or equivalent shared area?

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance.   Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPD, how it can strengthen their brand, and how it can support them to drive business growth.  Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.  Click here to know more.