Compliance

Data protection policy

What is Data protection policy?

A data protection policy is a company's written document explaining how it collects, uses, stores, and protects personal data, including employee data, and is one of the practical documents GDPR expects a company to have.

Where GDPR for HR is the set of rules a company has to follow, a data protection policy is the document that writes those rules down for a specific company - what data it collects, why, how long it is kept, and who can access it. It is what you would show a regulator, an auditor, or an employee who asks.

For HR specifically it should cover employee records, not just customer data, since salaries, performance notes, and health-related leave are personal data too. A retention schedule and an access-and-erasure process are usually referenced from the same policy rather than written twice.

Related terms

See also

Put these terms into practice

Flat-rate HR for European SMBs. 30 days free, no card, cancel anytime.

Start 30-day free trial