Do you have a documented Data Protection Policy which obliges your organisation and all its employees and/or contractors to comply with Data Protection legislation?
We have an internal Data Protection Policy that we review annually or before we make significant changes to company structure or workings. We apply the Privacy by Design method to everything we do. The GDPR stipulates this, and we are comfortable with it because we have always worked to a “path of least access” methodology for our network and software.
The Data Protection Policy is developed internally by our DPO, who is responsible for ensuring new staff are trained accordingly and existing staff are kept up to date with regular reviews of their role. Changes to company structure and workings are directed through the DPO in the first instance to assess the impact (if any) on the protection of data.
Our internal Data Protection Policy is not available externally as it contains sensitive data.