Data Sec 01
POLICY TEMPLATE
Scope
Outline the scope of the data security policy. List the people, data types and networks that are
governed by the provisions in the policy. Must everyone, including third-party vendors and processors,
follow the rules of the policy? On any network? Relating to any data? Clarify the answer in either case.
For example:
The provisions in this policy apply to all equipment owned and operated by the Company, including all network domains set up by the
Company. The roles and responsibilities outlined in this policy refer to any and all employees, managers, investors or contractors of
the Company.
Definitions
Provide definitions for terms the average reader might not know. Remember that your audience is not
solely data security experts. Define concepts like personal data and roles like data processor or controller.
Also outline data categories if you will be referring to them in the policy (e.g., public data, private data
and/or proprietary data).
For example:
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person
is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person. (GDPR)
Noncompliance
In this section, state that policy violations will not be tolerated and that violators are subject to discipline
appropriate to the circumstances. Then, explain the company’s disciplinary action procedure. What are the
consequences if a person deliberately steals data? What if they accidentally cause a breach?
For example:
The company is committed to data safety and takes a zero-tolerance approach to carelessness. Any violations of the provisions and
procedures in this policy will be disciplined as per the company’s disciplinary action procedure, up to and including immediate
termination.
Reporting Mechanisms
In this section, detail how to report suspicious behaviors or a security incident. List what to report, such as
lost or stolen equipment, unknown visitors or phishing attempts, and where to report. Most companies will
provide an online form or the contact information of the Data Protection Officer (DPO).
In this section you’ll also want to encourage people to be vocal. Explain that it’s everyone’s duty to report
incidents.
For example:
All concerns, questions and suspected or known security incidents must be reported using one of the following methods:
Accessing the online form at [URL]
Contacting the Data Protection Officer by [PHONE] or [EMAIL]
Contacting a member of the Incident Response Team [CONTACT INFORMATION].
Messages sent via the online form will be directed to the Data Protection Officer (DPO) who will then identify, assess and handle the
matter in accordance with the procedures and best practices in this policy. Under no circumstances should an individual attempt to
cover up or ignore a data security incident.