How to review data protection policies and procedures

Organisations of all sizes rely on data protection policies and procedures to ensure that they process information effectively and in line with their regulatory requirements.

But creating this documentation is often harder than it looks, with a lack of resources and necessary skills contributing to documents that are potentially unfit for purpose.

In this blog, we provide our top tips to help you review your data protection policies and procedures, ensuring that they remain relevant and useful.

Developing a review schedule

The first thing to note is that a policy and procedure review isn’t a one-time thing, or even something you can do all at once.

Rather, it is an ongoing process that needs to be carefully scheduled. That might involve reviewing one business area per month, one top-level policy and all subordinate documents per month – or whatever best suits your organisation.

When developing your review schedule, it can be helpful to map the relationship between the various policies and procedures within your organisation.

You can do this by first listing the top-level policies: data protection policy, information security policy, quality policy, etc.

Next, you should draw lines to show the connections between the top-level policy and any subordinate documents, such as sub-policies, procedures and work instructions.

This map is useful for several reasons. For one, linking between the ‘parent’ policy and all related documents makes it easier to ensure that subordinate documents accurately reflect the parent policy.

It also highlights ‘orphaned’ documents that are no longer linked to a policy, and helps you understand the scale of work a given review might involve, enabling you to plan according to the necessary time and available resources.

Reviewing data protection policies

Now we move on to the actual review process. This should begin with top-level policies – e.g., information security, data privacy, business continuity – and what those policies mean to your organisation in broad terms.

They should define your organisation’s strategic approach to the topic and the key high-level risks that need to be managed.

Top-level policies tend to change less frequently than subordinate documents, as the organisation’s general strategic approach and the wider risks it faces evolve relatively slowly.

As a result, reviews of top-level policies often focus more on aspects such as effective implementation and whether relevant legal requirements are fully accounted for.

Once you have confirmed that the top-level policy meets all necessary requirements, the next step is to review any subordinate policies.

Subordinate policies define the organisation’s approach to a specific aspect of the topic covered by the top-level policy.

For example, an information security policy – which defines the organisation’s broad approach to information security – is often supported by subordinate policies on Internet use, hardware use, data storage and disposal, cryptography, etc.

Reviewing data protection procedures

The nature of procedures, work instructions and similar operational documents means that they generally need to be reviewed more often than the policies that govern them. Even seemingly minor procedural changes or discrepancies can result in significant disruption if they are allowed to persist.

Your first task is to confirm that procedures are aligned to the parent policy just as you have done in previous steps. Only then can you check the specifics of the procedure itself.

To do this, you should talk to the people who use the procedure to find out how it is really used and whether it is accurate.

You should also check whether all necessary procedural steps are present, that they are in the right order, and that they are clear and easy to understand – especially in cases where they will be used to train new employees.

If the procedure is subject to monitoring or measurement, review recent results to see if they indicate any problems or improvement opportunities.

Looking for more advice?

This blog is based on our guide Reviewing Data Protection Policies and Procedures – Guidance for practitioners, which is available to download for free from our website.

It contains an in-depth discussion on the data protection policy and review process, and includes tips to ensure your practices comply with relevant regulations, such as the GDPR (General Data Protection Regulation).

By downloading this green paper, you’ll gain a clear understanding of your requirements when it comes to reviewing data protection documentation and how to implement those changes.


  • Luke Irwin

    Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.
