What is the world of internal policies and assessments under the GDPR like?

How you treat personal data in your company is not just about what is public and visible to the human eye. It is also about how you manage internal processes for working with personal data, its movement, and security. For this purpose, there are internal policies and assessments, as well as special tools that help companies maintain control over data flow and other processes, ensuring that data is processed correctly. In this article, I will help you understand the main types of policies and assessments: what is mandatory, what is optional, where to start, and how to approach this process correctly.


Who cares?

The creation of internal policies often takes a back seat, both when starting a business and throughout its subsequent activities. When it comes to privacy, companies often focus on the external aspects. When a company turns to privacy lawyers, the primary tasks are usually related to the external appearance: attractive public documents, user-friendly banners, data processing agreements, i.e., everything that users, contractors, or regulators see. Internal policies and processes that form the foundation are put off until later.

External expressions of concern for privacy within the company are important, but without well-established internal processes, clear procedures, and certainty, achieving privacy compliance is impossible. It is important to understand that internal policies and assessments are not optional, an ideal approach to privacy, or the pipe dreams of a privacy lawyer. These are basic requirements and real obligations imposed by the GDPR.

The need for internal policies and procedures stems from several key articles that establish the obligation to comply with the principles of the GDPR and the ability to demonstrate this compliance. In the article on the controller’s responsibility (Art. 24 GDPR), internal policies are explicitly mentioned as an element of the implementation of technical and organizational measures. Without them, it is impossible to fully comply with the requirements for accountability, security, and compliance. Policies are, in essence, internal mechanisms that ensure consistency in employee actions, control over data processing, and the ability to prove GDPR compliance in the event of an audit or incident. Policies actually go beyond privacy and are not limited to data protection. They generally regulate many internal company processes, from information handling to team interactions.

Internal policies – what and why

In the course of their work, companies encounter recurring situations: they receive requests from users or employees for access to data, and they interact with contractors. There are also less frequent but more problematic situations, such as data leaks or other incidents that require an immediate and clear response.

Policies are necessary to respond effectively and quickly. A basic set of policies will be suitable for most companies across all fields of activity. Regardless of what you do – sell goods, develop IT solutions, or manage a platform – you will need these policies. Below, I will discuss the types in more detail.

  1. Internal privacy policy. A document that regulates how the company processes personal data internally, for what purposes and on what grounds, and who has access to it. It sets expectations and rules for all interactions with data (collection, use, transfer, storage). It helps to ensure that everyone in the company processes data consistently and in accordance with requirements.
  2. Security policy. Defines technical and organizational data protection measures, principles, and rules, and regulates the company’s approach to the confidentiality and integrity of personal data and other information. It establishes the procedure for accessing data, rules for responding to security incidents, and uniform standards of conduct for employees regarding data processing and storage. The policy sets uniform standards and consistency in employee actions. Without it, each employee can act at their own discretion, leading to inconsistent decisions, security breaches, and, as a result, serious incidents or data leaks.
  3. Data Subject Access Requests Policy (DSAR). Establishes the procedure to follow when requests are received from data subjects (for example, for access to, deletion of, or correction of their data), the deadlines, and the responsible persons. The policy allows the company to act in a coordinated manner and comply with the deadlines set by the GDPR.
  4. Incident Response Procedure. Establishes how to act in the event of a data leak, security breach, or other critical situation where speed and coordination are essential: who is responsible, who needs to be notified (by authority or position), and within what timeframe. It is also important to keep a register of requests and incidents and to update the ROPA (Record of Processing Activities), the internal register of personal data processing operations in which all data-related actions are recorded.

Internal policies do not necessarily have to be separate documents: you can prepare one general policy that covers all aspects.

The main thing is not the number of documents, but what and how you describe in them, how well they will work, and, of course, whether your team will read these documents. They should describe real processes, not just be for show.

About LIA, TIA, DPIA in simple terms

Next, let’s talk about other privacy tools hidden behind the abbreviations LIA, TIA, and DPIA. These are different types of assessments that should be applied depending on how and with whom the company interacts when processing personal data, for example when it processes large amounts of data or sensitive data, transfers data abroad, or processes data without the consent of the individual. An assessment is needed to verify the legality of processing such data.

Not all assessments are mandatory under the GDPR, but they help to fulfill the principle of accountability and, in the event of an audit, demonstrate that the company has grounds for processing data and does so in accordance with the rules.

Legitimate Interests Assessment (LIA) is a check to see whether you can process and use personal data on the basis of legitimate interest rather than the person’s consent or another legal basis. It is similar to a checklist where you must meet certain criteria in order to have the right to process data on the basis of legitimate interest. For example, when you need to store a user’s activity history to provide better service, send a notification about a change in the Terms of Use, or check CCTV recordings.

The LIA consists of questions that help ensure that your interest is truly legitimate, that data processing is necessary to achieve it, and that the company’s interests do not outweigh human rights. If you answered all the questions honestly and passed the check, the data can be processed. If not, you need to find an alternative basis for processing, such as obtaining consent or adjusting your approach.

Transfer Impact Assessment (TIA) is conducted when a company transfers personal data outside the EU (for example, to the US). Its purpose is to verify whether the recipient country has an adequate level of data protection and what additional measures need to be taken to keep the data secure.

Data Protection Impact Assessment (DPIA) is used when the processing of personal data may pose a high risk to the rights and freedoms of individuals. A DPIA is a risk analysis and a plan for how to mitigate those risks. It is required if you conduct video surveillance, profiling, or process large amounts of sensitive data. You analyze whether there is a risk of such data being disclosed or leaked, and what needs to be done to prevent this from happening.

A typical case where a DPIA should be conducted is when the marketing department launches a mailing with personalized offers using data on previous purchases and customer behavior on the website. Or when the HR department starts collecting and storing employee medical records for sick leave.

A company’s transition to a new CRM system, where all customer data is uploaded, may also require a DPIA, especially if the system stores a lot of sensitive information and provides access to a large number of employees.

I also mentioned ROPA above, the register of personal data processing operations, which helps to record all actions with personal data. Although ROPA is not an assessment, it is also one of the desirable steps for a company: it allows you to conduct an initial analysis of all data flows and understand where and how data is processed, what measures are already in place, and what else needs to be implemented.

How to implement this in practice, and who is ultimately responsible

How to conduct assessments: you describe the processes, analyze the risks, plan appropriate measures, and put it all into a document.

Depending on the company, assessments can be carried out by a data protection officer (DPO), if there is one, or a lawyer or compliance officer. Usually, technical specialists who assess technical risks and the level of data protection are also involved in the process, as well as department or project managers who explain how data is collected, used, and transferred in practice. This is often done collaboratively: the lawyer/manager describes the process and risks, the technical team suggests how to minimize them, and the manager approves.

Having internal policies and conducting assessments primarily benefits the company and is not just an unpleasant legal requirement. Don’t think of it as a burden: it is more about internal rules, smooth cooperation, and efficiency, above all for your own benefit. If you don’t want to do it all yourself, Axon Partners can take care of it for you, from the initial step to the fully integrated system.
