GDPR Compliance Journey - 05 Policy

Gydeline
3 Apr 2018 05:01

Summary

TLDR: This video script from Guideline GDP discusses a unique approach to policy creation, emphasizing the importance of simplicity and applicability within organizations. It critiques the common practice of using generic templates and instead promotes succinct, easily enforceable statements linked to various policy areas and personnel. The script outlines a system for organizing policy collections, such as cybersecurity, data protection, and privacy, which can be applied across different areas for compliance with regulations like the GDPR. The speaker also highlights the ability to print policy documents for record-keeping, aiming to simplify compliance processes.

Takeaways

  • The General Data Protection Regulation (GDPR) will be enforceable in seven to eight weeks, emphasizing the urgency to prepare.
  • The speaker advocates for a unique approach to policy, criticizing the common practice of using generic templates that do not meet specific organizational needs.
  • The importance of creating a 'living' policy document that is applied within the organization is highlighted, as opposed to just having a static document.
  • The script mentions the typical structure of a policy document, including an introduction, explanation, and purpose, which often leads to excessive preamble before the actual policy statements.
  • The speaker introduces a system for creating succinct, easy-to-understand policy statements that can be linked to various policy areas and individuals within the organization.
  • Policy statements are broken down into individual components that can be applied to multiple policy collections, such as data collection, cybersecurity, and data quality.
  • A specific example is given about the policy on collecting information for cookies without identifying individuals, which is related to the cookie policy collection.
  • The script discusses the creation of policy collections, such as cybersecurity, data security, data quality, backup, privacy, cookies, and retention, which are essential for GDPR compliance.
  • The retention policy is used as an example to illustrate how the purpose and scope of policy collections are defined, and how individual statements contribute to these collections.
  • The flexibility of the system allows for policy statements to be applied across multiple policy areas, streamlining compliance efforts.
  • Once satisfied with the policy collection, the option to print a copy of the policy is available, providing a tangible record of compliance.

Q & A

  • What is the main focus of the video script?

    - The main focus of the video script is to discuss the approach to creating and managing company policies, especially in compliance with the General Data Protection Regulation (GDPR).

  • What is the unique view on policy held by the speaker's company?

    - The speaker's company believes in creating a living policy document that is easily understandable, enforceable, and can be applied across various policy areas and individuals within the organization, rather than a static document that doesn't meet the company's needs.

  • Why does the speaker criticize the standard approach to policy creation?

    - The speaker criticizes the standard approach because it often results in a document that is not a living policy, is not applied within the organization, and is filled with unnecessary introductions and explanations before getting to the actual policy statements.

  • What is the speaker's company's approach to policy statements?

    - The company's approach involves creating succinct statements that are easy to understand and enforce, and can be linked to various policy areas and people within the organization.

  • How does the speaker's company organize policy statements?

    - The company organizes policy statements into individual statements that can be applied to multiple policy collections, allowing for flexibility and efficiency in policy management.

  • What is the purpose of the 'retention policy' mentioned in the script?

    - The purpose of the retention policy is to define the retention period for each category of information stored by the company.

  • What does the speaker mean by 'doing things once and keeping it simple'?

    - The speaker is emphasizing the importance of creating policy statements that can be applied across multiple policy areas, avoiding redundancy, and maintaining simplicity in policy management.

  • How does the company's policy system relate to the GDPR?

    - The company's policy system is designed to help organizations comply with the GDPR by providing a structured and efficient way to manage policies related to data protection, privacy, and cybersecurity.

  • What is the next topic the speaker plans to discuss after policies?

    - The next topic the speaker plans to discuss is the data protection impact assessment.

  • What is the speaker's final message to the audience?

    - The speaker's final message is to encourage the audience to find compliance simple and to look forward to the next discussion on data protection impact assessments.

Related Tags
GDPR Compliance, Policy Management, Data Protection, Cybersecurity, Data Quality, Privacy Policy, Retention Policy, Cookie Law, Compliance Tools, Regulatory Standards