Data Protection and Privacy Policy - SME

The Data Protection and Privacy Policy (P17S) provides a structured framework for protecting personal data within organizations, particularly small and medium-sized enterprises (SMEs) that may not have dedicated security teams or specialist IT departments. This SME policy is designed with simplified roles and responsibilities, such as the General Manager (GM) acting as the accountable officer, to ensure compliance is comprehensible and achievable regardless of an organization’s size or internal resources. Its structure and content are fully adapted to the realities of SMEs, with practical, risk-based measures that align with ISO/IEC 27001:2022, while maintaining readiness for audits and regulatory scrutiny. The document sets forth clear requirements for collecting, storing, processing, and deleting personal data, ensuring that all relevant activities are lawful, fair, and secure as prescribed by data protection regulations like the GDPR, NIS2, and DORA. Importantly, the policy covers personal data processed on-premises, in the cloud, or by third-party service providers, and makes compliance mandatory for all employees, contractors, and vendors. The scope is comprehensive, encompassing all systems, locations, and personnel who might handle data related to customers, staff, vendors, or any other identifiable individuals. Critical objectives of the policy include ensuring adherence to privacy laws and standards, implementing technical and organizational controls, and fostering a culture of accountability and transparency. Specific provisions are included for respecting individual privacy rights, such as the right to access, correct, or delete personal data, and for applying strict data minimization and secure deletion practices. The policy also underscores the need for documenting processing activities, maintaining robust access controls, and managing privacy incidents with well-defined escalation procedures. Roles are explicitly assigned: the General Manager is responsible for oversight and resource allocation, the Privacy Coordinator (who may be internal or outsourced) handles operational privacy tasks, IT Support ensures technical controls, Department Managers reinforce compliance in their teams, and all staff and contractors are expected to adhere to the rules and complete requisite training. Review and adaptation mechanisms are integral to this policy, requiring annual formal review and additional reviews triggered by new laws, major incidents, or new services involving data processing. Exception handling and risk management procedures ensure that deviations are controlled, time-bound, and fully documented. Finally, as an SME-compliant policy, P17S bridges the gap between regulatory rigor and operational practicality, supporting businesses in demonstrating accountability, protecting customer trust, and minimizing the risk of non-compliance.