Internal data protection policy
An internal data protection policy, also referred to simply as a data protection policy, sets out how an organisation handles personal data under GDPR and other data protection legislation.
Explained – what is an internal data protection policy under GDPR?
An internal data protection policy is a governance document describing how personal data must be processed within an organisation. It defines responsibilities, procedures and security measures that ensure processing of personal data is carried out in accordance with the General Data Protection Regulation (GDPR). It serves as a practical tool for accountability under GDPR and can be complemented by guidelines, instructions and data protection training for employees. Many companies seek GDPR legal advice to develop or update the policy correctly.
When is an internal data protection policy needed under GDPR?
The need for an internal data protection policy arises whenever an organisation processes personal data, regardless of size or sector. The policy is particularly relevant when launching new projects that involve personal data, when implementing new IT systems, or when meeting requirements from the Data Protection Agency or business partners. In the event of incidents or regulatory oversight by the Data Protection Agency, the policy demonstrates that the organisation has effective routines for data protection and privacy compliance.
Key considerations for an internal data protection policy (GDPR and personal data)
To be effective and meet GDPR requirements, an internal data protection policy must be clear, practical and tailored to the organisation’s actual data processing activities. Below are central points to consider when creating or updating the policy.
- Describe the organisation’s overarching aims for data protection compliance and set out data protection responsibilities.
- Define the types of personal data processed and the purposes for processing of personal data.
- Include procedures for matters such as retention of personal data, rectification of personal data, erasure of personal data and restriction of processing.
- Explain how the organisation ensures information security and access control.
- Set out how incident reporting is handled in the event of a personal data breach, including incident handling and incident management.
- Describe how training and ongoing capability-building are delivered for staff, including GDPR training for employees and employee data protection awareness.
- Ensure the policy is regularly reviewed and updated in line with changes in the business or new case law.
A clear and up-to-date internal data protection policy strengthens compliance and supports a trusted way of working when handling personal data.
Why an internal data protection policy matters for GDPR compliance
An internal data protection policy provides structure and transparency for how the organisation handles personal data. It is a common point of reference for everyone involved in data processing and makes it easier to evidence GDPR compliance.
The policy also reduces the risk of unlawful processing and ensures that the rights of data subjects are respected, including the right of access, the right to rectification and the right to erasure. With well-defined procedures and data protection safeguards, the organisation can act quickly when deviations occur.
From a trust perspective, a well-developed data protection policy shows that the organisation takes responsibility for protecting personal data. It strengthens relationships with customers, suppliers and employees and can be decisive in procurements or collaborations where data protection transparency is central.
Frequently asked questions on internal data protection policy and GDPR
An internal data protection policy should describe how personal data is processed, the allocation of responsibilities, data protection measures, rights of data subjects and procedures for handling incidents. It must be clear and tailored to operational needs.
The policy should be reviewed at least annually and updated whenever the organisation introduces new systems, services or processing that affect personal data. It should also be revised when legislation or case law changes.
An internal policy is for employees and governs internal processing activities. An external privacy policy is intended for customers, suppliers or other data subjects. In short:
- Internal policy: governs internal work and responsibilities.
- External policy: informs external parties about how their personal data is processed.
- Both documents should align to ensure transparency.
Ultimate responsibility rests with senior management, while operational responsibility sits with those who decide on and carry out the processing of personal data. All staff who handle personal data must follow the established procedures.
Training ensures staff understand organisational procedures and the lawful bases in Article 6 GDPR. Ongoing training helps prevent mistakes and strengthens responsibility for data protection.
Morling Consulting provides GDPR compliance consulting and support in the development and implementation of data protection policies. The work includes:
- Review of existing governance documents and data protection documentation.
- Establishing new procedures for data processing activities.
- Training staff in data protection and privacy compliance.
- Practical support with incident reporting, incident handling and follow-up.
Through professional data protection legal services, an organisation can ensure that the policy meets both legal requirements and operational needs.
Where relevant, the Data Protection Agency may issue guidance or conduct oversight. A well-governed policy helps demonstrate accountability under GDPR and readiness to cooperate with the authority.
Related areas include information security, access control and appropriate technical and organisational measures. Clearly documented responsibilities and procedures support lawful processing and a consistent, high standard of data protection for employees and other data subjects.
For clarity, your external privacy policy for suppliers should complement the internal data protection policy for employees to ensure alignment across the organisation.
Read more about our services
Advisory
We are here to provide you with legal advice in areas such as contract law, personal data processing (GDPR), and regulatory compliance. It can be specific, one-time assistance or continuous support over time. Let us help you navigate the legal intricacies to achieve your goals.
Legal Interim
Engage an interim legal counsel when you need legal expertise on a flexible basis. Our legal advisors are available for temporary roles, such as legal counsel, AML officer, and data protection officer, ensuring seamless continuity in your legal team, even during parental leave or other transitions.
Training
We offer training in personal data processing (GDPR), anti-money laundering, and marketing of financial services. The format and level are tailored to your business’s needs, for example lectures or workshops. Our training meets the requirements set by regulatory authorities.
Contact
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85