What's in a policy

Nov 11, 2021

Data protection policy

With the emergence of new laws around the world, such as the GDPR, it has become necessary for organisations to demonstrate adherence to data protection laws. The data protection policy sets out how an organisation protects and handles personal data. It is not a privacy policy. It should cover lawful processing, roles and responsibilities, technical and organisational methods, and the training of staff to handle personal data.

Bring your own device policy (BYOD policy)

The trend for individuals to use their own devices for work activities continues to grow. Allowing individuals to access work data or work-related networks with a device that is not owned by the business needs to be governed, because an ungoverned device is a security risk. A BYOD policy is therefore needed to govern devices that are owned by employees but access business infrastructure.

Acceptable use policy

A business provides infrastructure to further its objectives and mission. This infrastructure is not intended for activities that are not in keeping with the business's stated aims. The acceptable use policy helps employees understand which activities are and are not acceptable on the business's computer and network infrastructure. It also describes obvious activities that are not acceptable and would place the business at risk of a data breach. This includes guidelines with regard to email and social media.

Data management policy

Organisations' data sets continue to grow as organisations store more information. Storage needs must be managed in the most cost-efficient way. Data management and its policy are aimed at ensuring that the organisation's storage is sufficient, safe, and cost-effective. The policy must consider third-party providers, cloud storage, internal data storage devices and the SLAs of the data.

Information management policy

Organisations collect information from a number of sources and in a variety of ways. How this information is collected and what is done with it is an information management function. The policy needs to consider the number of places in which the same information is duplicated, what derived information sets are produced, and how this information meets legal and stakeholder requirements. A policy should also set out the rules and ways by which the organisation assigns data ownership and responsibility.

Data governance policy

Governance is the process of establishing rules and standards. This policy is related to the policies above, and especially closely to information management. Elements specific to this policy include who can access the data and what it will be used for, how data will be classified, how long data will be held, and how data is distributed.