2022.01.20

10 ways to ensure a successful policies and procedures strategy

If you’re reading this blog, chances are you’re already aware of the importance of policies and procedures in the workplace.

Besides being a powerful legal tool for GDPR, policies and procedures play a vital role in safeguarding your company’s compliance plan. The general guidelines of a policy, supported by the corresponding step-by-step instructions of its procedures, provide employees with a clear roadmap to follow, giving them the information and structure they need to execute compliance strategies as planned. 

However, in order to deliver consistency and compliance across your organisation, it’s not enough for these policy structures to simply exist. They need to be implemented and maintained effectively if you want to achieve real results and impact.

A smart approach to your policy and procedure strategy is the subject of the sixth episode in our webinar series ‘Compliance best practices’ featuring DPO Catherin Raasdal from Basisbank. With a background working for the Danish Data Protection Agency, as well as Ernst & Young, Catherin shared some of her in-depth knowledge around planning, implementing and maintaining policies and procedures.

Read on for our main takeaways from the conversation, including advice on policy creation, which factors to consider for the long-term success of your policy structure, and how to ensure your colleagues engage with new policies and procedures. 

First up, what is a policy? And how does it differ from a procedure?

Before we get to our key learnings from the webinar, here’s a quick breakdown of some key definitions within this GDPR space.

  • Policies are internal documents that outline where a company stands on different GDPR issues. They don’t need to be too detailed as their main aims are to show a company’s commitment to GDPR and provide an overall strategy for a business’ data protection activity.

    Some areas you may cover in a policy include: the purpose of the policy, who the policy applies to (internally), relevant principles or legislation (e.g. Article 30) and information about data subject rights. 
  • Procedures support policies by detailing practical information relating to policy implementation. They should bring a policy’s intent to life through step-by-step tasks.

    For example, if a policy dictates an employee must delete customer data that has been stored for over a year, a procedure would then outline the numerous steps involved in deleting that data within a specific system. 
  • Policy structure is another way of saying ‘document hierarchy’, which covers any documents or internal files relating to a policy.

    Typically a policy structure would look something like this:
    1. Policy
    2. Procedure
    3. Supporting documents such as manuals, guidelines and handbooks

    For every step that’s further down the document hierarchy, files get more practical and hands-on.

10 ways to ensure a successful policies and procedures strategy 

If you want to set your policy and procedure strategy up for success, Catherin asks you to consider several factors in your policy and procedure setup, as well as in your approach to implementation and maintenance.

You’ll find ten of her top tips below and you can watch the full webinar here.

1. Invest time in your initial overview

At the start of your journey, you need to have a good overview of all your processing activities, especially regarding GDPR regulations. 

You should use your Article 30 record or gap analysis to clearly identify any weaknesses or missing documentation. For example, do you have up-to-date retention policies in place, and how thorough are your procedures for handling data subject requests? If you jump straight into policy creation or do a half-hearted job on your overview, you risk leaving gaps where vital policies and procedures should be protecting you.

Data mapping software will be helpful during this stage to provide a central location for all your information and assist you in easily visualising your data flows, as well as establishing any links or dependencies between documents. 

2. Get buy-in from your C-suite

As discussed regularly on the Complyon blog in articles such as ‘Why you need buy-in from the top for your compliance strategy to succeed’ and ‘How to set your privacy program up for success’, C-suite buy-in is essential for any compliance activity, including policies and procedures. 

Top-level management needs to allocate enough resources for you to effectively carry out your role, whether that’s giving you the time to create a clear overview of current data activities or providing you with the support you need for frequent training programs. 

The C-suite also sets the tone for the entire organisation’s attitude to GDPR and compliance. If maintaining the integrity of data processes and cultivating a GDPR-compliant culture aren’t priorities for those running the business, you can bet they won’t be a top concern for the rest of the company.

Aligning with your C-suite before you begin your policies and procedures journey will give you the backing, resources, and support you need to successfully implement and manage your policies and procedures. 

3. Think about who is reading your documents

It’s also important to remember that policies and procedures start with people – specifically the people who will be reading your compliance documents. 

To begin with, you need to consider whether or not employees are used to following policies and procedures. If not, do you need to create more detailed supporting documentation to help guide people through your compliance steps? Or will too much detail frustrate colleagues who are used to interpreting high-level policies and procedures? 

Next, think about how you’re communicating your information. Are you using language that readers can connect with and understand? Do your procedures include relatable workflows and scenarios that employees will recognise and engage with?

Understanding the different mindsets and levels of compliance knowledge in your organisation will go a long way in ensuring people understand and follow the documents you’ve tasked them with reading. 

4. Drill down into the different needs of your departments 

Just as one policy structure will work for one organisation, but not another, you may realise that some policies and procedures work well for one department, but aren’t picked up by others.

Different departments have different needs, so to succeed with implementing various GDPR policies and procedures, you need to take into account the range of abilities, knowledge and interest that exists across your enterprise. 

Some divisions, such as finance and legal, may be very familiar with these types of documents and so require little management, whereas others may need much more support. Try to tailor your awareness campaigns to specific departments in order to anchor your policies across the whole organisation.

For departments that need more support, consider tools such as templates and flowcharts that make implementation easier. Scheduling regular training workshops will help you monitor progress and spot any issues before they become a problem or start to form part of an employee’s daily habits. 

5. Try to instil a positive compliance mindset

In Catherin’s experience, keeping policies and procedures simple, fun and engaging is the best approach to achieve maximum employee engagement and buy-in.

Adding humorous, interactive or fun elements to your compliance activity makes learning about policies and procedures more enjoyable and should leave employees feeling more motivated and upbeat about your plans. Kahoot quizzes have proven a particularly successful tool for Catherin and her team.

Similarly, by keeping your approach simple, leaving out any unnecessary industry terminology or complex language, and opting for easy-to-follow, operational documents, you’re more likely to connect with your reader and get your message across.

6. Find your GDPR ambassadors

A smart way of understanding the needs of departments and their workers is to set up a GDPR ambassador program.

Working alongside those responsible for GDPR in your organisation, your ambassador team should be made up of representatives from each of your key departments. These individuals will be much closer to their department’s workstreams, so they will be able to pass on valuable insights about what is working and what needs more attention. This inside information will help you create policies and procedures that more accurately reflect what employees actually do, making your strategies more relevant and relatable.

Involving employees directly in your compliance efforts will help foster a sense of connection and accountability with your plans, particularly if you’re able to assign responsibilities and documents to your ambassadors. 

This type of team setup also gives you the opportunity to demonstrate why your work is so valuable to the different departments in your company, helping to motivate key members of your organisation to get more involved and help you reach goals that benefit the entire enterprise. 

7. Make sure your plan isn’t person-dependent

While it’s important to consider the human aspect of your compliance activity, you don’t want to become too dependent on individual employees for the delivery of your policies and procedures. 

Employee turnover is a reality for all businesses. If all the knowledge and expertise needed to execute your plans sits with an individual who then leaves the company, your efforts become compromised. 

One of the most effective ways of counteracting organisational knowledge loss is to introduce a system into your compliance mix. Compliance solutions enable you to store all your information in one centralised location so that it’s available to anyone who needs access to it. Someone can leave your company, but the system will ensure vital compliance knowledge isn’t lost in the process.

Centralising your compliance documents is also extremely helpful for those carrying out internal audits on your policies and procedures and makes it easier to train new recruits, as everything you need is stored in one place. 

8. Regularly update your policies and procedures

A fundamental element of maintaining the success of policies and procedures is to ensure they reflect the current reality of your company. 

Over time your company will change, whether that’s through exposure to new business deals, third party services, market legislations or staff turnover. To keep up with this change, your policies and procedures need to be updated on a regular basis so they offer the right level of protection and guidance for your organisation. Catherin recommends reviewing your policies and procedures at least once a year to see if you need to make any changes or not. 

If you’re working with a system, these updates will be made much easier. Policies and procedures can be amended directly within your centralised system, and relevant employees can be automatically notified if something in their workflow changes. This means everyone is always up to date with the latest state of play and is prompted if they need to change any information in the documents they manage. The end result is that you’re able to achieve much more transparency with much less effort.

9. Establish document links and dependencies

The documents that make up your policy structure don’t exist in isolation. One document is often connected to another document, whether it’s another version that sits in a different department or a corresponding policy or procedure. 

This means that when you make a change to one document, it’s likely that updates need to be made to other documentation. As a result, it’s really important to be aware of any links and dependencies between policies, procedures and supporting documents.

If you’re managing these document dependencies manually, particularly in a large or complex organisation, the task soon becomes problematic. Manually keeping tabs on every change your colleagues make to their policies and procedures, and then ensuring all other documents have been edited with the correct changes, is time-consuming and risky.

Working with a compliance system simplifies and safeguards this process. When a change is made to a document, owners of linked documents are automatically notified about the update. They are then prompted to review this change and make the necessary updates to their document. As all these updates are centralised, you’re able to easily keep track of any outstanding deadlines, sending reminders in just one click.

10. Automate as many compliance elements as possible

Automation is a key area that Catherin highlights for successful implementation and maintenance of policies and procedures. 

Complyon software facilitates many aspects of compliance automation, from data mapping to policy and procedure management. You can find an example of how Complyon enables you to easily update and automate your policies and procedures here.

If you’d like to learn more about how Complyon can help you streamline and automate your compliance plan, we’d love to talk. You can get in touch with our team here.
