Every company should establish clear written policies and procedures highlighting employees’ obligations and duties under GDPR and Data Protection legislation when processing personal data of colleagues, clients or members of the public.

Data protection training may be required for any employees who regularly process personal data as part of their role, particularly employees who process sensitive personal data.

A data protection policy should contain clear definitions of data protection terms, and guidance on the obtaining, processing, storing and disclosure of personal data.