[{"data":1,"prerenderedAt":515},["ShallowReactive",2],{"document-gdpr-internal-security-policy-D13444":3},{"document":4,"label":23,"preview":11,"thumb":24,"thumb600":25,"description":5,"descriptionCustom":6,"apiDescription":5,"pages":8,"extension":10,"parents":26,"breadcrumb":30,"related":38,"customDescModule":174,"customdescription":6,"mdFm":175,"mdProseHtml":514},{"description":5,"descriptionCustom":6,"label":7,"pages":8,"size":9,"extension":10,"preview":11,"thumb":12,"svgFrame":13,"seoMetadata":14,"parents":16,"keywords":15},"INTERNAL SECURITY POLICY GENERAL DATA PROTECTION REGULATION (GDPR) This GDPR Internal Security Policy is intended to provide a framework for [COMPANY NAME] to safeguard personal data in compliance with the General Data Protection Regulation (GDPR). The Policy outlines the steps that our organization will take to protect the confidentiality, integrity, and availability of personal data processed by our organization. This Policy applies to all employees, contractors, and third-party vendors who process personal data on behalf of [COMPANY NAME]. SCOPE This Policy applies to all personal data processed by our organization, including but not limited to: Personal data of customers Personal data of employees Personal data of suppliers Personal data of partners SECURITY OF PROCESSING The controller and processor of personal data must consider the state of technology, costs of implementation, and the nature and scope of processing, as well as the potential risks to the rights and freedoms of individuals. 
They must implement appropriate technical and organizational measures to ensure an adequate level of security in proportion to the risk, including measures like: the pseudonymisation and encryption of personal data; ensuring that confidentiality, integrity, availability, and resilience are maintained on an ongoing basis; the ability to quickly restore the availability and access to personal data in case of a physical or technical incident; regular testing, assessment, and evaluation to ensure the effectiveness of technical and organizational measures for maintaining the security of processing. The risks associated with processing personal data must be assessed, particularly with regard to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Adherence to an approved code of conduct or certification mechanism can be used to show compliance with these requirements. Anyone who has access to personal data must only process it according to the controller's instructions, unless required by law. ACCESS CONTROL Access to personal data must be strictly controlled and restricted to individuals who require access to perform their duties. Access to personal data must be granted based on the principle of least privilege. All access to personal data must be logged, and access logs must be retained for at least six months. ENCRYPTION [COMPANY NAME] will take additional measures such as the use of a VPN, two-factor authentication, device encryption, strong passwords, and encrypted email to further enhance the security of personal data. The VPN will ensure secure access to the organization's network from remote locations, while two-factor authentication will add an extra layer of security to verify the identity of users. 
Device encryption will enable the organization to manage and control devices that access personal data",null,"GDPR Internal Security Policy","3",513,"doc","https://templates.business-in-a-box.com/imgs/1000px/gdpr-internal-security-policy-D13444.png","https://templates.business-in-a-box.com/imgs/250px/13444.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13444.xml",{"title":15,"description":6},"gdpr internal security policy",[17,20],{"label":18,"url":19},"Human Resources","/templates/human-resources/",{"label":21,"url":22},"Company Policies","/templates/company-policies/","GDPR Internal Security Policy Template","https://templates.business-in-a-box.com/imgs/400px/13444.png","https://templates.business-in-a-box.com/imgs/600px/13444.png",[27,17,20],{"label":28,"url":29},"Templates","/templates/",[31,32,35],{"label":28,"url":29},{"label":33,"url":34},"Software & Technology","/templates/software-technology/",{"label":36,"url":37},"Data Governance","/templates/data-governance/",[39,43,47,51,55,59,63,67,71,75,79,83,87,101,115,131,144,157],{"label":40,"url":41,"thumb":42,"extension":10},"GDPR Security Policy","/template/gdpr-security-policy-D13445","https://templates.business-in-a-box.com/imgs/250px/13445.png",{"label":44,"url":45,"thumb":46,"extension":10},"GDPR Privacy Policy","/template/gdpr-privacy-policy-D12541","https://templates.business-in-a-box.com/imgs/250px/12541.png",{"label":48,"url":49,"thumb":50,"extension":10},"Internal Control Policy","/template/internal-control-policy-D13356","https://templates.business-in-a-box.com/imgs/250px/13356.png",{"label":52,"url":53,"thumb":54,"extension":10},"Security Policy","/template/security-policy-D12645","https://templates.business-in-a-box.com/imgs/250px/12645.png",{"label":56,"url":57,"thumb":58,"extension":10},"Content Security 
Policy","/template/content-security-policy-D13937","https://templates.business-in-a-box.com/imgs/250px/13937.png",{"label":60,"url":61,"thumb":62,"extension":10},"Cyber Security Policy","/template/cyber-security-policy-D12867","https://templates.business-in-a-box.com/imgs/250px/12867.png",{"label":64,"url":65,"thumb":66,"extension":10},"Data Security Policy","/template/data-security-policy-D12735","https://templates.business-in-a-box.com/imgs/250px/12735.png",{"label":68,"url":69,"thumb":70,"extension":10},"Email Security Policy","/template/email-security-policy-D13961","https://templates.business-in-a-box.com/imgs/250px/13961.png",{"label":72,"url":73,"thumb":74,"extension":10},"Information Security Policy","/template/information-security-policy-D13552","https://templates.business-in-a-box.com/imgs/250px/13552.png",{"label":76,"url":77,"thumb":78,"extension":10},"IT Security Policy","/template/it-security-policy-D13722","https://templates.business-in-a-box.com/imgs/250px/13722.png",{"label":80,"url":81,"thumb":82,"extension":10},"Personnel Security Policy","/template/personnel-security-policy-D14029","https://templates.business-in-a-box.com/imgs/250px/14029.png",{"label":84,"url":85,"thumb":86,"extension":10},"Physical Security Policy","/template/physical-security-policy-D14032","https://templates.business-in-a-box.com/imgs/250px/14032.png",{"description":88,"descriptionCustom":6,"label":89,"pages":8,"size":9,"extension":10,"preview":90,"thumb":91,"svgFrame":92,"seoMetadata":93,"parents":95,"keywords":94,"url":100},"DATA PRIVACY POLICY INTRODUCTION [COMPANY NAME] is committed to protecting the privacy and confidentiality of personal data collected or processed during its business operations. This Data Privacy Policy outlines the principles and practices that govern the collection, use, and disclosure of personal data by the Company. 
SCOPE This Policy applies to all employees, contractors, vendors, and third parties who collect, use, or process personal data on behalf of the Company. It also applies to all personal data collected from customers, clients, partners, and other individuals. PERSONAL INFORMATION COLLECTION We may collect personal information, such as name, address, email, phone number, and job title, from customers, employees, and stakeholders. We collect personal information through various channels, such as our website, email, phone, and in-person interactions. We may also collect personal information from third-party sources, such as service providers and business partners. USE OF PERSONAL INFORMATION The Company will only use personal data for the purposes for which it was collected or as otherwise permitted by applicable laws and regulations. Personal data may be used for, but not limited to, the following purposes: Providing products or services requested by individuals; Communicating with individuals about products, services, or other business-related matters; Conducting market research, analytics, and improving business operations; Managing and administering employee or contractor relationships; Complying with legal or regulatory requirements; Protecting the rights and interests of the Company or its customers. DISCLOSURE The Company may share personal data with third parties for legitimate business purposes, including but not limited to, service providers, vendors, contractors, and business partners. Personal data may also be disclosed to comply with legal or regulatory requirements, or in response to lawful requests from public authorities. The Company will take appropriate measures to ensure that third parties receiving personal data are bound by confidentiality obligations and provide adequate protection to the personal data. 
DATA RETENTION","Data Privacy Policy","https://templates.business-in-a-box.com/imgs/1000px/data-privacy-policy-D13465.png","https://templates.business-in-a-box.com/imgs/250px/13465.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13465.xml",{"title":94,"description":6},"data privacy policy",[96,98],{"label":18,"url":97},"human-resources",{"label":21,"url":99},"company-policies","/template/data-privacy-policy-D13465",{"description":102,"descriptionCustom":6,"label":103,"pages":104,"size":105,"extension":10,"preview":106,"thumb":107,"svgFrame":108,"seoMetadata":109,"parents":110,"keywords":113,"url":114},"Employee Handbook Understanding employment at [YOUR COMPANY NAME] Revised on [DATE] Prepared By: [YOUR NAME] [YOUR JOB TITLE] Phone 555.555.5555 Email info@yourbusiness.com www.yourbusiness.com Table of Content Table of Content 2 Welcome to [YOUR COMPANY NAME]! 5 1. Organization Description 6 1.1 Introductory Statement 6 1.2 Customer Relations 6 1.3 Products and Services Provided 7 1.4 Facilities and Location(s) 7 1.5 The History of [YOUR COMPANY NAME] 7 1.6 Management Philosophy 7 1.7 Goals 8 2. The Employment 9 2.1 Nature of Employment 9 2.2 Employee Relations 9 2.3 Equal Employment Opportunity 10 2.4 Diversity 10 2.5 Business Ethics and Conduct 12 2.6 Personal Relationships in the Workplace 13 2.7 Conflicts of Interest 13 2.8 Outside Employment 14 2.9 Non-Disclosure 15 2.10 Disability Accommodation 16 2.11 Job Posting and Employee Referrals 17 2.12 Whistleblower Policy 18 2.13 Accident and First Aid 20 3. Employment Status and Records 21 3.1 Employment Categories 21 3.2 Access to Personnel Files 22 3.3 Personnel Data Changes 23 3.4 Probation Period 23 3.5 Employment Applications 24 3.6 Performance Evaluation 24 3.7 Job Descriptions 25 3.8 Salary Administration 25 3.9 Professional Development 26 4. 
Employee Benefit Programs 27 4.1 Employee Benefits 27 4.2 Vacation Benefits 27 4.3 Military Service Leave 29 4.4 Religious Observance 29 4.5 Holidays 29 4.6 Workers Insurance 30 4.7 Sick Leave Benefits 31 4.8 Bereavement Leave 32 4.9 Relocation Benefits 33 4.10 Educational Assistance 33 4.11 Health Insurance 34 4.12 Life Insurance 35 4.13 Long Term Disability 35 4.14 Marriage, Maternity and Parental Leave 36 5. Timekeeping / Payroll 40 5.1 Timekeeping 40 5.2 Paydays 40 5.3 Employment Termination 41 5.4 Administrative Pay Corrections 42 6. Work Conditions and Hours 43 6.1 Work Schedules 43 6.2 Absences 43 6.3 Jury Duty 45 6.4 Use of Phone and Mail Systems 45 6.5 Smoking 46 6.6 Meal Periods 46 6.7 Overtime 46 6.8 Use of Equipment 47 6.9 Telecommuting 47 6.10 Emergency Closing 48 6.11 Business Travel Expenses 49 6.12 Visitors in the Workplace 51 6.13 Computer and Email Usage 51 6.14 Internet Usage 52 6.15 Workplace Monitoring 54 6.16 Workplace Violence Prevention 55 7. Employee Conduct & Disciplinary Action 57 7.1 Employee Conduct and Work Rules 57 7.2 Sexual and Other Unlawful Harassment 58 7.3 Attendance and Punctuality 60 7.4 Personal Appearance 60 7.5 Return of Property 61 7.6 Resignation and Retirement 61 7.7 Security Inspections 62 7.8 Progressive Discipline 62 7.9 Problem Resolution 64 7.10 Workplace Etiquette 65 7.11 Suggestion Program 67 Acknowledgement of Receipt 68 Welcome to [YOUR COMPANY NAME]! On behalf of your colleagues, we welcome you to [YOUR COMPANY NAME] and wish you every success here. At [YOUR COMPANY NAME], we believe that each employee contributes directly to the growth and success of the company, and we hope you will take pride in being a member of our team. This handbook was developed to describe some of the expectations of our employees and to outline the policies, programs, and benefits available to eligible employees. 
Employees should become familiar with the contents of the employee handbook as soon as possible, for it will answer many questions about employment with [YOUR COMPANY NAME]. We believe that professional relationships are easier when all employees are aware of the culture and values of the organization. This guide will help you to better understand our vision for the future of our business and the challenges that are ahead. We hope that your experience here will be challenging, enjoyable, and rewarding. Again, welcome! [PRESIDENT NAME] President & CEO 1. Organization Description 1.1 Introductory Statement This handbook is designed to acquaint you with [YOUR COMPANY NAME] and provide you with information about working conditions, employee benefits, and some of the policies affecting your employment. You should read, understand, and comply with all provisions of the handbook. It describes many of your responsibilities as an employee and outlines the programs developed by [YOUR COMPANY NAME] to benefit employees. One of our objectives is to provide a work environment that is conducive to both personal and professional growth. No employee handbook can anticipate every circumstance or question about policy. As [YOUR COMPANY NAME] continues to grow, the need may arise and [YOUR COMPANY NAME] reserves the right to revise, supplement, or rescind any policies or portion of the handbook from time to time as it deems appropriate, in its sole and absolute discretion. Employees will be notified of such changes to the handbook as they occur. 1.2 Customer Relations Customers are among our organization's most valuable assets. Every employee represents [YOUR COMPANY NAME] to our customers and the public. The way we do our jobs presents an image of our entire organization. Customers judge all of us by how they are treated with each employee contact. Therefore, one of our first business priorities is to assist any customer or potential customer. 
Nothing is more important than being courteous, friendly, helpful, and prompt in the attention you give to customers. [YOUR COMPANY NAME] will provide customer relations and services training to all employees with extensive customer contact. Customers who wish to lodge specific comments or complaints should be directed to the [TITLE AND NAME OF THE PERSON RESPONSIBLE] for appropriate action. Our personal contact with the public, our manners on the telephone, and the communications we send to customers are a reflection not only of ourselves, but also of the professionalism of [YOUR COMPANY NAME]. Positive customer relations not only enhance the public's perception or image of [YOUR COMPANY NAME], but also pay off in greater customer loyalty and increased sales and profit. 1.3 Products and Services Provided You will find more information about our products and services by reading the [YOUR COMPANY NAME] Corporate Brochures. 1.4 Facilities and Location(s) Head Office: [ADDRESS] [CITY], [STATE] [ZIP/POSTAL CODE] [COUNTRY] 1.5 The History of [YOUR COMPANY NAME] [DESCRIBE THE HISTORY OF YOUR COMPANY HERE] 1.6 Management Philosophy [YOUR COMPANY NAME]'s management philosophy is based on responsibility and mutual respect. We wish to maintain a work environment that fosters personal and professional growth for all employees. Maintaining such an environment is the responsibility of every staff person. Because of their role, managers and supervisors have the additional responsibility to lead in a manner which fosters an environment of respect for each person. People who come to [YOUR COMPANY NAME] want to work here because we have created an environment that encourages creativity and achievement. [YOUR COMPANY NAME] aims to become a leader in [DESCRIBE YOUR COMPANY'S FIELD OF EXPERTISE]. The mainstay of our strategy will be to offer a level of client focus that is superior to that offered by our competitors. 
To help achieve this objective, [YOUR COMPANY NAME] seeks to attract highly motivated individuals that want to work as a team and share in the commitment, responsibility, risk taking, and discipline required to achieve our vision. Part of attracting these special individuals will be to build a culture that promotes both uniqueness and a bias for action. While we will be realistic in setting goals and expectations, [YOUR COMPANY NAME] will also be aggressive in reaching its objectives. This success will in turn enable [YOUR COMPANY NAME] to give its employees above average compensation and innovative benefits or rewards, key elements in helping us maintain our leadership position in the worldwide marketplace. 1.7 Goals [DESCRIBE YOUR COMPANY'S GOALS HERE] 2. The Employment 2","Employee Handbook","34",280,"https://templates.business-in-a-box.com/imgs/1000px/employee-handbook-D712.png","https://templates.business-in-a-box.com/imgs/250px/712.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#712.xml",{"title":6,"description":6},[111,112],{"label":18,"url":97},{"label":21,"url":99},"employee handbook","/template/employee-handbook-D712",{"description":116,"descriptionCustom":6,"label":117,"pages":8,"size":9,"extension":10,"preview":118,"thumb":119,"svgFrame":120,"seoMetadata":121,"parents":123,"keywords":122,"url":130},"NON-DISCLOSURE AGREEMENT (NDA) This Non-Disclosure Agreement (the \"Agreement\") is made and effective [DATE], BETWEEN: [YOUR COMPANY NAME] (the \"Disclosing Party\"), a corporation organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [YOUR COMPLETE ADDRESS] AND: [RECEIVING PARTY NAME] (the \"Receiving Party\"), an individual with his main address located at OR a corporation organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] WHEREAS, Receiving Party has been or will be engaged in the 
performance of work on [DESCRIBE]; and in connection therewith will be given access to certain confidential and proprietary information; and WHEREAS, Receiving Party and Disclosing Party wish to evidence by this Agreement the manner in which said confidential and proprietary material will be treated. NOW, THEREFORE, it is agreed as follows: NON-DISCLOSURE OF CONFIDENTIAL INFORMATION Both Parties understand and agree that each Party may have access to the confidential information of the other party. For the purposes of this Agreement, \"Confidential Information\" means proprietary and confidential information about the Disclosing Party's (or its suppliers') business or activities. Such information includes all business, financial, technical, and other information marked or designated by such Party as \"confidential\" or \"proprietary.\" Confidential Information also includes information which, by the nature of the circumstances surrounding the disclosure, ought in good faith to be treated as confidential. For the purposes of this Agreement, Confidential Information does not include: Information that is currently in the public domain or that enters the public domain after the signing of this Agreement. Information a Party lawfully receives from a third Party without restriction on disclosure and without breach of a non-disclosure obligation. Information that the Receiving Party knew prior to receiving any Confidential Information from the Disclosing Party. Information that the Receiving Party independently develops without reliance on any Confidential Information from the Disclosing Party. Each Party agrees that it will not disclose to any third Party or use any Confidential Information disclosed to it by the other Party except when expressly permitted in writing by the other Party. Each Party also agrees that it will take all reasonable measures to maintain the confidentiality of all Confidential Information of the other Party in its possession or control. 
TERM The term of this Agreement is [number] of [years/months] from the date of execution by both Parties. TITLE The Receiving Party agrees that all Confidential Information furnished by the Disclosing Party shall remain the sole property of the Disclosing Party. DISCLAIMER","Non Disclosure Agreement Nda","https://templates.business-in-a-box.com/imgs/1000px/non-disclosure-agreement-nda-D12692.png","https://templates.business-in-a-box.com/imgs/250px/12692.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#12692.xml",{"title":122,"description":6},"non disclosure agreement nda",[124,127],{"label":125,"url":126},"Legal Agreements","business-legal-agreements",{"label":128,"url":129},"Confidentiality Agreements","confidentiality-agreement","/template/non-disclosure-agreement-nda-D12692",{"description":132,"descriptionCustom":6,"label":133,"pages":134,"size":9,"extension":10,"preview":135,"thumb":136,"svgFrame":137,"seoMetadata":138,"parents":140,"keywords":139,"url":143},"REMOTE WORK AGREEMENT This Remote Work Agreement (the \"Agreement\") is effective [DATE], BETWEEN: [NAME OF THE EMPLOYER], (the \"Employer\" or \"Company\"), a Company organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] AND: [NAME OF THE EMPLOYEE], (the \"Employee\"), an individual with their main address located at: [COMPLETE ADDRESS] Collectively, the Employer and the Employee shall be referred to as the \"Parties.\" WHEREAS, the Company has made an offer to the Employee to work remotely in the capacity of [JOB TITLE] at the Company; NOW THEREFORE in consideration and as a condition of the Parties entering into this Agreement and other valuable considerations, the receipt and sufficiency of which consideration is acknowledged, the Parties agree as follows: APPOINTMENT The Company hereby offers the Employee appointment, and the Employee agrees to serve the Company to work remotely in the capacity 
of [JOB TITLE] as of [DATE] (the \"Effective Date\"). PROBATION PERIOD The Employee will be on a Probation Period for a period of [MONTHS/DAYS]. The Employee's confirmation as a permanent employee is subject to the Employee making a positive contribution to the Company and is further subject to meeting certain standards and qualifying criteria during the Probation Period. PLACE OF WORK The Employee shall perform their duties at the location of their choice. The Employee will report to the [SPECIFY THE DESIGNATION] on a needs basis in the following manner: [SPECIFY THE MANNER OF COMMUNICATION]. REMOTE WORK While working remotely, the Employee will remain accessible during the remote work. The Employee will check in with the supervisor to discuss status and open issues and be available for video/teleconferences, scheduled on an as-needed basis. The Employee will take rest and meal breaks while working remotely in full compliance with all applicable policies or collective bargaining agreements, and request supervisor approval to use vacation or sick leave. To ensure that the Employee's performance will not suffer in a remote work arrangement, the Employee is advised to choose a quiet and distraction-free working space, have an internet connection that is adequate for their job and dedicate their full attention to their job duties during working hours. Equipment. The Company will provide the Employee with equipment that is essential to their job duties, like laptops and headsets. The Employee will install VPN and company-required software when the Employee receives their equipment. The Employee must keep their equipment password protected, follow all data encryption, protection standards and settings, and refrain from downloading suspicious, unauthorized or illegal software. 
NOTICE PERIOD During the Probation Period, if the Employee's performance is found to be unsatisfactory or if it does not meet the prescribed criteria, the Employee's employment can be terminated by the Company with [NUMBER OF DAYS] days' notice or salary thereof. The Employee will be required to give [NUMBER OF MONTHS] months' notice or salary thereof in case the Employee decides to leave the Company. DUTIES The Employee shall perform all such duties as may be delegated by the Company and comply with all such directions as the Managing Director and/or his/her nominated deputies may from time to time assign or give to the Employee. [SPECIFY DUTIES] WORKING HOURS The total working hours will be [SPECIFY HOURS] hours on Mondays to Saturdays. It is expected that the Employee will be flexible with the working hours and work such additional hours as might be necessary to efficiently perform duties under this Agreement. The Company reserves the right to change the working days and the working hours. The Employee shall be entitled to leave and holidays as per the Leave Policy of the Company. In the event the Employee is absent from work and unable to perform duties satisfactorily by reason of any injury, illness or other reason acceptable to the Company, the Employee will be entitled to receive salary and other benefits for up to [NUMBER OF DAYS] consecutive working days during any such absence, within a period of 12 consecutive months. REMUNERATION The Employee's starting total monthly gross salary and during the Probation Period will be as per details in the annexure, hereinafter known as Exhibit A. Any bonus is subject to review in accordance with the Company's practice and policies from time to time, however, there shall be no obligation on the Company to increase the salary or award bonuses at any point in time, save and except at its sole discretion. 
The Company shall pay or refund or procure to be paid or refunded all reasonable travelling and other similar out of pocket expenses necessarily incurred by the Employee wholly in the proper performance of duties, subject to production by the Employee of such evidence of the expenses as the Company may reasonably require. The Employee will be required to fill in the claim forms in which the Employee shall provide the correct information of the expenses incurred. CONFIDENTIALITY AND INTELLECTUAL PROPERTY If at any time during the Employee's employment under this Agreement, the Employee participates in the making or discovery of any Intellectual Property directly or indirectly relating to or capable of being used by the Company, full details of the Intellectual Property shall immediately be disclosed in writing by the Employee to the Company and the Intellectual Property shall be the absolute property of the Company. At the request and expense of the Company, the Employee shall give and supply all such information, data, drawings, and assistance as may be necessary or in the opinion of the Company desirable to enable the Company to exploit the Intellectual Property to the best advantage as decided by the Company. The Employee shall execute all documents and do all things which may, in the opinion of the Company, be necessary or desirable for obtaining copyright, design or other protection for the Intellectual Property and for vesting the same in the Company, as the Company may direct. As Confidential Information will from time to time become known to the Employee, the Company considers and the Employee agrees that the restraints set forth in this Agreement are necessary for the reasonable protection by the Company of its business or the business of the Group, the clients thereof or their respective affairs. 
The Employee shall not at any time, either during the continuance of or after the termination of Employment with the Company, use, disclose or communicate to any person whatsoever any Confidential Information which the Employee has or of which he may have become possessed during employment with the Company nor shall he supply the names or addresses of any clients, customers, vendors or agents of the Company or any company of the Group to any person except as authorised by the Company or as ordered by a court of competent jurisdiction. The Employee consents to the Company holding and processing, both electronically and manually, the data it collects relating to the Employee in the course of employment, for the purpose of the Company's administration and management of its employees, its business and to comply with applicable procedures, laws and regulations. ","Remote Work Agreement","8","https://templates.business-in-a-box.com/imgs/1000px/remote-work-agreement-D13282.png","https://templates.business-in-a-box.com/imgs/250px/13282.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13282.xml",{"title":139,"description":6},"remote work agreement",[141,142],{"label":18,"url":97},{"label":21,"url":99},"/template/remote-work-agreement-D13282",{"description":145,"descriptionCustom":6,"label":146,"pages":147,"size":9,"extension":10,"preview":148,"thumb":149,"svgFrame":150,"seoMetadata":151,"parents":153,"keywords":152,"url":156},"Environmental Impact Assessment [Your Company Name] Address City Postal Code Phone 555.555.5555 Email info@yourbusiness.com www.yourbusiness.com Table of Contents 1. Executive Summary 3 1.1 Overview 3 1.2 Goals 3 1.3 Key Findings 3 2. Project Description 4 2.1 Project Background 4 2.2 Project Location 4 2.3 Project Components 4 3. Environmental Baseline 5 3.1 Physical Environment 5 3.2 Biological Environment 5 3.3 Socio-economic Environment 5 4. 
Environmental Impact Analysis 6 4.1 Impact Identification 6 4.2 Impact Prediction 6 4.3 Impact Evaluation 6 5. Mitigation Measures 7 5.1 Proposed Mitigation 7 5.2 Mitigation Plan 7 6. Alternatives Analysis 8 6.1 Project Alternatives 8 6.2 Environmental Comparison 8 7. Public Consultation and Disclosure 9 7.1 Stakeholder Engagement 9 7.2 Public Feedback 9 8. Environmental Management Plan 10 8.1 Monitoring Plan 10 8.2 Reporting Mechanisms 10 9. Conclusion 11 9.1 Summary of Findings 11 9.2 Recommendations 11 9.3 Commitment to Environmental Stewardship 11 1. Executive Summary 1.1 Overview Briefly describe the purpose and scope of the Environmental Impact Assessment (EIA). 1.2 Goals Summarize the main objectives of the EIA, including the protection of environmental resources and compliance with regulations. 1.3 Key Findings Highlight the major outcomes of the assessment, including significant impacts and proposed mitigation measures. 2. Project Description 2.1 Project Background Provide background information on the project, including its purpose and need. 2.2 Project Location Describe the location of the project, including geographic and environmental context. 2.3 Project Components Detail the main components and activities involved in the project. 3. Environmental Baseline 3.1 Physical Environment Describe the current state of the physical environment, including climate, air quality, and geology. 
3","Environmental Impact Assessment","11","https://templates.business-in-a-box.com/imgs/1000px/environmental-impact-assessment-D13965.png","https://templates.business-in-a-box.com/imgs/250px/13965.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13965.xml",{"title":152,"description":6},"environmental impact assessment",[154,155],{"label":18,"url":97},{"label":21,"url":99},"/template/environmental-impact-assessment-D13965",{"description":158,"descriptionCustom":6,"label":159,"pages":160,"size":9,"extension":10,"preview":161,"thumb":162,"svgFrame":163,"seoMetadata":164,"parents":166,"keywords":165,"url":173},"VENDOR AGREEMENT This Vendor Agreement (the \"Agreement\") is effective [DATE], BETWEEN: [NAME OF THE COMPANY], (the \"Company\"), a Company organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] AND: [NAME OF THE VENDOR], (the \"Vendor\"), an individual with his main address located at OR a Company organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] Collectively, the Company and Vendor shall be referred to as the \"Parties.\" WHEREAS, the Company desires to engage the Vendor for the purpose of supplying Products [SPECIFY PRODUCTS] or Services [SPECIFY SERVICES] as mentioned and described in EXHIBIT A GOOD/SERVICES; WHEREAS, the Vendor is interested in supplying the Products/performing the Services that the Company wishes; WHEREAS, both the Parties wish to evidence their contract in writing and both the Parties have the capacity to enter into and perform this contract; NOW THEREFORE in consideration and as a condition of the Parties entering into this Agreement and other valuable considerations, the receipt and sufficiency of which consideration is acknowledged, the Parties agree as follows: INCORPORATION OF RECITALS The Parties agree that the Recitals are true and correct 
and are incorporated into this Agreement as though set forth in full. RELATIONSHIP The Vendor acknowledges that they are solely an Independent Contractor and not an employee, agent, partner or joint venture of the Company. The Company will provide the Vendor with the details of the Services/Products it wants the Vendor to undertake and supply/perform henceforth. The Company shall not withhold any taxes or any amount or payment due to the Vendor and which it owes to the Vendor in regard to the Services rendered by it to the Company. TERM The present Agreement shall come into force on the Effective Date hereof and shall remain in force for a period of [NUMBER OF MONTHS] months starting from the Effective Date hereof and shall terminate at the expiration of the Term hereof. SERVICES/PRODUCTS The Vendor shall provide such Services/Products as mentioned in Exhibit A attached to the present Agreement. PAYMENT As consideration for, and subject to the Vendor's continued performance of, all of the Vendor Services, the Vendor will receive a lump sum cash fee of [AMOUNT] for each full calendar month during which the Vendor provides the Vendor's Services to the Company. The said payment shall be paid via [SPECIFY MODE OF PAYMENT]. VENDOR'S DOCUMENTATION At the time of Vendor registration and/or at any time thereafter and/or from time to time as may be required, the Company may seek information, data or documents as may be specified by the Company which clearly and unambiguously verify the details, including the Vendor's bank account provided by Vendor at the time of registration with or at any subsequent date. The Company has the right to reject any one or more of the documents submitted by the Vendor and may ask for other documents or further information. WARRANTIES BY THE VENDOR The Vendor warrants that the signatory to the present Agreement has the right and full authority to enter into this Agreement with the Company and the Agreement so executed is binding in nature. 
All obligations narrated under this Agreement are legal, valid, binding, and enforceable in law against the Vendor. There are no proceedings pending against the Vendor, which may have a material adverse effect on its ability to perform and meet the obligations under this Agreement. The Vendor warrants that it is an authorized business establishment and holds all the requisite permissions, authorities, approvals, and sanctions to conduct its business and to enter into the present Agreement with the Company. The Vendor shall always ensure compliance with all the requirements applicable to its business and for the purposes of this Agreement including but not limited to Intellectual Property rights. It further declares and confirms that it has paid and shall continue to discharge all its obligations towards statutory authorities. The Vendor warrants that it has adequate rights under relevant laws including but not limited to various Intellectual Property legislation(s) to enter into this Agreement with the Company and perform the obligations contained herein and that it has not violated/infringed any Intellectual Property rights of any third party. LIMITATION OF LIABILITY It is expressly agreed by the Vendor that the Company shall under no circumstances be liable or responsible for any loss, injury or damage to the Vendor or any other Party whomsoever, arising on account of any transaction under this Agreement. The Vendor agrees and acknowledges that it shall be solely liable for any claims, damages, or allegations arising out of the Products/Services and shall hold the Company harmless and indemnified against all such claims and damages. Further, the Company shall not be liable for any claims or damages arising out of any negligence, misconduct, or misrepresentation by the Vendor or any of its Representatives. 
The Company under no circumstances shall be liable to the Vendor for loss and/or anticipated loss of profits, or for any direct or indirect, incidental, consequential, special or exemplary damages arising from the subject matter of this Agreement, regardless of the type of claim and even if the Vendor has been advised of the possibility of such damages, such as, but not limited to loss of revenue or anticipated profits or loss of business, unless such loss or damages are proven by the Vendor to have been deliberately caused by the Company. CONFIDENTIALITY Definition: \"Confidential Information\" means any proprietary information, technical data, trade secrets or know-how of the Company, including, but not limited to, research, business plans or models, product plans, products, services, computer software and code, developments, inventions, processes, formulas, technology, designs, drawings, engineering, customer lists and customers (including, but not limited to, customers of the Company on whom the Vendor called or with whom the Vendor became acquainted during the Term of his performance of the Services), markets, finances or other business information disclosed by the Company either directly or indirectly in writing, orally or by drawings or inspection of parts or equipment. Confidential Information does not include information which: (a) is known to the Vendor at the time of disclosure to the Vendor by the Company as evidenced by written records of the Vendor, (b) has become publicly known and made generally available through no wrongful act of the Vendor, or (c) has been rightfully received by the Vendor from a third party who is authorized to make such disclosure. Non-Use and Non-Disclosure. 
The Vendor shall not, during or after the Term of this Agreement: (i) use the Company's Confidential Information for any purpose whatsoever other than the performance of the Services on behalf of the Company, or (ii) disclose the Company's Confidential Information to any third party. It is understood that said Confidential Information is and will remain the sole property of the Company. The Vendor shall take all commercially reasonable precautions to prevent any unauthorized use or disclosure of such Confidential Information. The Vendor, his/her servants, agents, and employees shall not use, disseminate, or distribute to any person, firm or entity, incorporate, reproduce, modify, reverse engineer, decompile or network any Confidential Information, or any portion thereof, for any purpose, commercial, personal, or otherwise, except as expressly authorized in writing by the Manager then appointed by the Company","Vendor Agreement","9","https://templates.business-in-a-box.com/imgs/1000px/vendor-agreement-D13292.png","https://templates.business-in-a-box.com/imgs/250px/13292.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13292.xml",{"title":165,"description":6},"vendor agreement",[167,170],{"label":168,"url":169},"Sales & Marketing","sales-marketing",{"label":171,"url":172},"Advertising","advertising","/template/vendor-agreement-D13292",false,{"seo":176,"reviewer":187,"quick_facts":191,"at_a_glance":193,"personas":197,"variants":222,"glossary":250,"sections":287,"how_to_fill":338,"common_mistakes":379,"faqs":404,"industries":432,"comparisons":456,"diy_vs_pro":471,"educational_modules":484,"related_template_ids_curated":487,"schema":499,"classification":501},{"meta_title":177,"meta_description":178,"primary_keyword":179,"secondary_keywords":180},"GDPR Internal Security Policy Template (Free Word)","Free GDPR Internal Security Policy template covering data protection controls, access management, breach response, and staff obligations. 
Free Word and PDF download.","gdpr internal security policy template",[181,182,183,184,185,186],"gdpr data protection policy template","gdpr policy template word","gdpr internal policy free download","data security policy template gdpr","gdpr compliance policy template","information security policy gdpr",{"name":188,"credential":189,"reviewed_date":190},"Bruno Goulet","CEO, Business in a Box","2026-05-02",{"difficulty":192,"legal_review_recommended":174,"signature_required":174},"advanced",{"what_it_is":194,"when_you_need_it":195,"whats_inside":196},"A GDPR Internal Security Policy is an operational document that defines how an organization protects personal data in line with the European Union's General Data Protection Regulation (GDPR). This free Word download gives you a structured, editable policy covering access controls, data handling procedures, breach response, and staff obligations — ready to adapt to your organization and export as PDF for distribution or regulatory review.\n","Use it when processing personal data of EU or UK residents, when preparing for a regulatory audit, or when onboarding staff who handle customer, employee, or partner data. 
It is also required before most enterprise procurement teams will approve a vendor relationship involving personal data.\n","The policy covers purpose and scope, data classification, access controls, physical and technical safeguards, data retention and deletion, breach detection and notification procedures, staff training obligations, and roles and responsibilities — all mapped to GDPR Article requirements.\n",[198,202,206,210,214,218],{"title":199,"use_case":200,"icon_asset_id":201},"Data protection officers","Documenting security measures to satisfy GDPR Article 32 obligations","persona-compliance-officer",{"title":203,"use_case":204,"icon_asset_id":205},"IT and security managers","Formalizing technical and organizational measures for personal data protection","persona-it-manager",{"title":207,"use_case":208,"icon_asset_id":209},"Small business owners","Establishing a compliant security policy before EU market entry or data processing","persona-small-business-owner",{"title":211,"use_case":212,"icon_asset_id":213},"HR managers","Setting employee data-handling rules and training obligations across the organization","persona-hr-manager",{"title":215,"use_case":216,"icon_asset_id":217},"SaaS founders","Satisfying enterprise customer due diligence requests that require a written GDPR security policy","persona-startup-founder",{"title":219,"use_case":220,"icon_asset_id":221},"Legal and compliance teams","Building a policy library that evidences accountability under GDPR's accountability principle","persona-legal-counsel",[223,226,230,234,238,242,246],{"situation":224,"recommended_template":7,"slug":225},"General internal policy for all staff handling personal data","gdpr-internal-security-policy-D13444",{"situation":227,"recommended_template":228,"slug":229},"Policy governing third-party vendors processing data on your behalf","GDPR Data Processing Agreement","data-processing-agreement-D13954",{"situation":231,"recommended_template":232,"slug":233},"Policy for 
responding to a personal data breach","Data Breach Response Plan","data-breach-response-and-notification-policy-D13650",{"situation":235,"recommended_template":236,"slug":237},"Policy governing how long personal data is retained and deleted","Data Retention Policy","data-retention-policy-D13955",{"situation":239,"recommended_template":240,"slug":241},"Public-facing document explaining how personal data is used","Privacy Policy","data-privacy-policy-D13465",{"situation":243,"recommended_template":244,"slug":245},"Employee acknowledgment of data protection responsibilities","GDPR Staff Confidentiality Agreement","confidentiality-agreement-D950",{"situation":247,"recommended_template":248,"slug":249},"Register of all personal data processing activities","Records of Processing Activities (RoPA)","prohibited-activities-D729",[251,254,257,260,263,266,269,272,275,278,281,284],{"term":252,"definition":253},"Personal Data","Any information relating to an identified or identifiable natural person — including names, email addresses, IP addresses, and device identifiers.",{"term":255,"definition":256},"Data Controller","The organization that determines the purposes and means of processing personal data and bears primary GDPR accountability.",{"term":258,"definition":259},"Data Processor","A third party that processes personal data on behalf of the controller — such as a cloud provider or payroll service.",{"term":261,"definition":262},"Article 32","The GDPR provision requiring controllers and processors to implement appropriate technical and organizational security measures proportionate to the risk of processing.",{"term":264,"definition":265},"Technical and Organizational Measures (TOMs)","The combination of technical controls (encryption, access logs) and procedural controls (training, policies) used to protect personal data.",{"term":267,"definition":268},"Data Breach","A security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized 
disclosure of, or access to personal data.",{"term":270,"definition":271},"Pseudonymization","Processing personal data in a way that it can no longer be attributed to a specific individual without additional information kept separately and securely.",{"term":273,"definition":274},"Data Minimization","The GDPR principle requiring organizations to collect and process only the minimum personal data necessary for a specific, stated purpose.",{"term":276,"definition":277},"Accountability Principle","The GDPR requirement that controllers not only comply with the regulation but actively demonstrate compliance through documented policies and records.",{"term":279,"definition":280},"Supervisory Authority","The national data protection regulator in each EU member state — such as the ICO in the UK or the CNIL in France — responsible for enforcing GDPR.",{"term":282,"definition":283},"Lawful Basis","One of six legal grounds under GDPR (consent, contract, legal obligation, vital interests, public task, or legitimate interests) that must underpin every processing activity.",{"term":285,"definition":286},"Data Subject","The identified or identifiable natural person whose personal data is being processed — a customer, employee, website visitor, or supplier contact.",[288,293,298,303,308,313,318,323,328,333],{"name":289,"plain_english":290,"sample_language":291,"common_mistake":292},"Purpose, scope, and policy statement","States why the policy exists, which data and systems it covers, which legal obligations it fulfills, and who is bound by it.","This policy sets out [ORGANIZATION NAME]'s approach to securing personal data in accordance with GDPR Article 32. 
It applies to all employees, contractors, and third parties who access personal data processed by [ORGANIZATION NAME] in connection with [SCOPE OF OPERATIONS].","Scoping the policy only to customer data and forgetting employee HR records — a common GDPR audit finding that leaves the organization exposed on a high-volume data category.",{"name":294,"plain_english":295,"sample_language":296,"common_mistake":297},"Roles and responsibilities","Assigns accountability for data security — naming the Data Protection Officer (or equivalent), system owners, line managers, and all staff — with a one-sentence description of each party's obligations.","The Data Protection Officer ([NAME / ROLE]) is responsible for overseeing compliance with this policy. System owners are responsible for implementing technical controls within their systems. All staff are responsible for following the procedures set out in Section [X].","Listing the DPO as the sole responsible party. GDPR places accountability on the organization as a whole — excluding line managers and system owners from the policy creates a single point of failure.",{"name":299,"plain_english":300,"sample_language":301,"common_mistake":302},"Data classification","Defines categories of personal data the organization handles — standard, sensitive (special category), and confidential — and assigns handling requirements to each tier.","Personal data is classified as: Standard (e.g., name, contact details), Sensitive / Special Category (e.g., health data, criminal records, racial or ethnic origin), and Confidential (e.g., financial account data, authentication credentials). Sensitive data requires [ENCRYPTION STANDARD] at rest and in transit.","Treating all personal data identically regardless of sensitivity. 
Special category data under GDPR Article 9 requires additional safeguards — a flat classification scheme fails this requirement.",{"name":304,"plain_english":305,"sample_language":306,"common_mistake":307},"Access controls and authentication","Specifies who may access personal data, on what systems, under what authentication requirements, and how access is granted, reviewed, and revoked.","Access to personal data systems is granted on a least-privilege basis and requires approval from [ROLE]. All accounts must use multi-factor authentication. Access rights are reviewed every [X] months and revoked within [24 hours / X business days] of staff departure.","Granting access based on seniority rather than demonstrated need. Broad access rights are among the most frequently cited findings in GDPR breach investigations.",{"name":309,"plain_english":310,"sample_language":311,"common_mistake":312},"Technical security measures","Documents the technical controls protecting personal data — encryption standards, network security, logging, patch management, and backup procedures.","Personal data is encrypted at rest using [AES-256 / STANDARD] and in transit using [TLS 1.2+ / STANDARD]. Systems are patched within [X days] of a critical vulnerability disclosure. Access logs are retained for [X months] and reviewed [FREQUENCY].","Describing desired controls without stating the actual standard applied. Auditors and enterprise customers expect specific encryption standards and patch windows, not aspirational language.",{"name":314,"plain_english":315,"sample_language":316,"common_mistake":317},"Physical security measures","Covers controls protecting physical environments where personal data is stored or processed — offices, server rooms, paper records, and clean-desk requirements.","Server infrastructure is housed in [LOCATION / PROVIDER] facilities with [ISO 27001 / SOC 2] certification. 
Paper records containing personal data must be stored in locked cabinets and shredded using [CROSS-CUT / STANDARD] shredders when no longer required. Visitors to areas where personal data is processed must be escorted at all times.","Omitting physical security entirely for cloud-first organizations. Physical controls still apply to laptops, printed reports, and shared workspaces — regulators have issued fines for physical data exposure.",{"name":319,"plain_english":320,"sample_language":321,"common_mistake":322},"Data retention and secure deletion","Defines how long each category of personal data is kept, where the retention schedule is maintained, and the method used to delete or anonymize data at end-of-life.","Personal data is retained in accordance with the [ORGANIZATION NAME] Data Retention Schedule (Appendix [X]). At the end of the retention period, data is deleted using [SECURE DELETION METHOD] and the deletion is logged in [SYSTEM / REGISTER]. Backups containing personal data are purged within [X days] of the scheduled deletion date.","Setting a single retention period for all data types. GDPR's storage limitation principle requires retention to be tied to the specific purpose — a blanket seven-year policy is rarely defensible for all categories.",{"name":324,"plain_english":325,"sample_language":326,"common_mistake":327},"Data breach detection and notification","Sets out how staff identify and report potential breaches internally, how the organization assesses severity, and the timelines and process for notifying the supervisory authority and affected data subjects.","Any suspected personal data breach must be reported to [DPO / SECURITY TEAM] within [2 hours] of discovery. The DPO will assess severity within [24 hours]. 
Breaches meeting the reporting threshold will be notified to [SUPERVISORY AUTHORITY] within 72 hours of discovery, and to affected data subjects without undue delay where a high risk to their rights is identified.","Starting the 72-hour GDPR notification clock from when the DPO is informed rather than from when the organization first became aware. The clock starts the moment any member of staff discovers the incident.",{"name":329,"plain_english":330,"sample_language":331,"common_mistake":332},"Staff training and awareness","Defines mandatory data protection training — who must complete it, how often, what it covers, and how completion is recorded.","All staff with access to personal data must complete GDPR awareness training within [30 days] of joining and annually thereafter. Training records are maintained by [HR / DPO] and are available for inspection on request. Staff handling special category data complete an additional [X-hour] module covering [TOPICS].","Treating a one-time induction training as sufficient. GDPR's accountability principle requires demonstrable, ongoing awareness — regulators have cited organizations where training records couldn't be produced.",{"name":334,"plain_english":335,"sample_language":336,"common_mistake":337},"Policy review and version control","States how frequently the policy is reviewed, who approves changes, and how version history is maintained and communicated to staff.","This policy is reviewed annually by the DPO and approved by [SENIOR LEADERSHIP / BOARD]. Material changes are communicated to all staff within [X days] of approval. The version history is maintained in [DOCUMENT MANAGEMENT SYSTEM / LOCATION]. Current version: [VERSION NUMBER], effective [DATE].","Publishing a policy with no review date or version number. 
Without evidence of regular review, regulators treat the policy as stale — undermining the accountability principle regardless of its content.",[339,344,349,354,359,364,369,374],{"step":340,"title":341,"description":342,"tip":343},1,"Define your scope and insert your organization's name","Replace all [ORGANIZATION NAME] placeholders and specify exactly which systems, departments, and data types fall within scope. Include employee data, customer data, and supplier contacts if your organization processes all three.","Scope creep in the other direction is also a risk — if you include systems outside your actual processing activities, you create obligations you cannot meet.",{"step":345,"title":346,"description":347,"tip":348},2,"Assign named roles and responsibilities","Replace role placeholders with actual job titles or named individuals. Confirm whether your organization is required to appoint a formal DPO under GDPR Article 37 — required for public authorities, large-scale systematic monitoring, or large-scale special category processing.","Even if a formal DPO is not legally required, designating a named contact for data protection queries in the policy satisfies regulators and enterprise vendor audits.",{"step":350,"title":351,"description":352,"tip":353},3,"Complete the data classification table","List every category of personal data your organization processes and assign each to Standard, Sensitive, or Confidential tiers. Map each tier to a specific handling requirement — encryption standard, access restriction, and retention period.","Cross-reference your Records of Processing Activities (RoPA) if you have one — classification should be consistent across both documents.",{"step":355,"title":356,"description":357,"tip":358},4,"Document your actual technical controls","Fill in the encryption standards, authentication requirements, patch timelines, and backup schedules your organization currently uses. 
Do not describe aspirational controls — the policy must reflect reality or you create an immediate compliance gap.","If a control in the template does not yet exist in your environment, flag it as a planned control with a target implementation date rather than deleting it.",{"step":360,"title":361,"description":362,"tip":363},5,"Set retention periods by data category","Complete the retention schedule in the appendix, assigning a specific retention period and deletion method to each data category. Tie each period to the purpose for which the data was collected — not a blanket organizational default.","Regulatory retention obligations (e.g., employment records for six years in the UK) can override GDPR minimization — note these exceptions explicitly in the schedule.",{"step":365,"title":366,"description":367,"tip":368},6,"Configure the breach notification procedure","Insert the contact details for your supervisory authority, the internal escalation chain, and the specific threshold criteria your organization uses to assess whether a breach meets the 72-hour notification bar.","Keep a printed copy of the breach notification contact details in a location accessible without systems access — you may need it precisely when systems are unavailable.",{"step":370,"title":371,"description":372,"tip":373},7,"Record the review date and version number","Set the effective date, version number, and next scheduled review date on the cover page. Add the approving officer's name and title. Store the signed version in your document management system and archive the prior version.","Schedule the annual review as a recurring calendar item owned by the DPO or equivalent — unscheduled reviews reliably get skipped.",{"step":375,"title":376,"description":377,"tip":378},8,"Distribute to staff and capture acknowledgment","Send the policy to all staff in scope and collect written or electronic acknowledgment. 
Store acknowledgment records alongside training logs so you can produce both in a single package during a regulatory inquiry.","A brief accompanying email summarizing the three most important changes from the previous version improves read rates significantly compared to sending the full document without context.",[380,384,388,392,396,400],{"mistake":381,"why_it_matters":382,"fix":383},"Describing aspirational controls rather than actual ones","A policy that says 'all data is encrypted' when encryption is not fully deployed creates an immediate documented compliance gap — regulators treat the policy as the benchmark.","Document only controls that are actively in place. List unimplemented controls separately as a remediation log with target dates, and update the policy once each control is live.",{"mistake":385,"why_it_matters":386,"fix":387},"Starting the 72-hour breach clock from notification to the DPO","GDPR starts the notification clock when the organization — meaning any employee — becomes aware of the breach, not when the DPO is formally notified. An internal reporting delay of 48 hours can leave as little as 24 hours for supervisory authority notification.","Train all staff to report suspected breaches immediately to a designated contact, and set an internal target of two hours from discovery to DPO awareness — not 24 or 48.",{"mistake":389,"why_it_matters":390,"fix":391},"Using a single retention period for all personal data categories","GDPR's storage limitation principle ties retention to the specific purpose of collection. 
A blanket seven-year policy for all data types is rarely defensible and leads to retaining data far longer than necessary for most categories.","Build a category-by-category retention schedule as a policy appendix, noting any statutory minimum periods that override GDPR minimization requirements.",{"mistake":393,"why_it_matters":394,"fix":395},"Omitting physical security controls for cloud-first organizations","Even fully cloud-hosted organizations handle personal data on laptops, in shared workspaces, and in printed reports. Regulators have issued fines for physical exposure — a policy silent on physical controls is incomplete.","Include at minimum a clean-desk rule, a device encryption requirement for portable devices, and a secure paper disposal procedure — even if the organization holds no on-premise servers.",{"mistake":397,"why_it_matters":398,"fix":399},"Listing the DPO as the sole accountable party","GDPR places the accountability obligation on the controller as an organization, not on the DPO personally. A policy that routes all responsibility through one role creates a single point of failure and does not reflect the regulation's intent.","Assign explicit responsibilities to system owners, line managers, and all staff — the DPO's role is to oversee and advise, not to bear sole accountability for every control.",{"mistake":401,"why_it_matters":402,"fix":403},"Publishing the policy without a version number or review date","A policy with no review date signals to regulators and enterprise auditors that it was written once and forgotten — undermining the accountability principle regardless of how strong the content is.","Add a cover page or header containing the version number, effective date, approving officer, and next scheduled review date. 
Treat these fields as mandatory before any distribution.",[405,408,411,414,417,420,423,426,429],{"question":406,"answer":407},"What is a GDPR Internal Security Policy?","A GDPR Internal Security Policy is a written operational document that defines the technical and organizational measures an organization uses to protect personal data in compliance with GDPR Article 32. It covers access controls, encryption standards, staff training obligations, breach response procedures, data retention rules, and accountability structures. It is an internal governance document — distinct from a public-facing privacy policy — and is the primary evidence an organization produces during a regulatory audit to demonstrate compliance.\n",{"question":409,"answer":410},"Is a GDPR Internal Security Policy legally required?","GDPR Article 32 requires controllers and processors to implement appropriate technical and organizational measures to ensure security appropriate to the risk — but does not prescribe a specific document format. In practice, a written internal security policy is the standard way to demonstrate these measures exist and are actively maintained. Regulators consistently cite the absence of written policies as an aggravating factor when calculating fines following a breach.\n",{"question":412,"answer":413},"Who needs a GDPR Internal Security Policy?","Any organization that processes personal data of EU or UK residents needs one — regardless of where the organization itself is located. This includes SaaS companies, e-commerce retailers, HR departments, healthcare providers, and professional services firms. 
Organizations with fewer than 250 employees are exempt from some RoPA obligations but are not exempt from Article 32 security requirements.\n",{"question":415,"answer":416},"What is the difference between a GDPR Internal Security Policy and a Privacy Policy?","A Privacy Policy is a public-facing document explaining to data subjects what personal data is collected, why, and how it is used — required under GDPR Articles 13 and 14. A GDPR Internal Security Policy is an internal governance document for staff, covering how the organization protects that data through technical and organizational controls. Both are required under GDPR, but they serve entirely different audiences and purposes.\n",{"question":418,"answer":419},"How often should a GDPR Internal Security Policy be reviewed?","Annual review is the accepted minimum standard. Additional reviews are triggered by any material change to data processing activities, a personal data breach, a significant change in technology infrastructure, or updated guidance from a supervisory authority. Each review should be documented with a version number, effective date, and approving officer to satisfy the accountability principle.\n",{"question":421,"answer":422},"What happens if an organization does not have a GDPR Internal Security Policy?","The absence of a written security policy is treated as evidence of inadequate technical and organizational measures under Article 32. In a breach investigation, it removes any mitigating argument that the organization had appropriate safeguards in place and is regularly cited as an aggravating factor that increases the fine. 
Supervisory authorities in Germany, Italy, and Ireland have all issued fines where absent or inadequate internal policies were a contributing factor.\n",{"question":424,"answer":425},"Does a GDPR Internal Security Policy need to be signed?","The policy itself does not require a signature to be effective, but staff acknowledgment — confirming they have read and understood it — should be captured in writing or electronically and retained. This acknowledgment record forms part of the evidence base that the organization actively maintains awareness, not just a paper policy.\n",{"question":427,"answer":428},"Can a small business use a template for its GDPR Internal Security Policy?","Yes. A high-quality template covers the structural and substantive requirements for most small and medium-sized businesses. The critical step is replacing placeholder controls with a factual description of the organization's actual practices — encryption standards, access management procedures, and breach escalation paths. A template describing controls that do not exist is worse than no policy because it creates a documented gap. For organizations handling special category data at scale, a brief review by a data protection consultant is advisable.\n",{"question":430,"answer":431},"What is the difference between a GDPR Internal Security Policy and an ISO 27001 Information Security Policy?","An ISO 27001 Information Security Policy is part of a formal information security management system (ISMS) and covers all information assets — not just personal data — across a comprehensive control framework of 93 controls. A GDPR Internal Security Policy is specifically scoped to the personal data protection requirements of the GDPR and is typically shorter and more accessible to non-technical staff. 
ISO 27001 certification satisfies GDPR Article 32 requirements and is increasingly requested by enterprise customers, but it is a significant undertaking — a GDPR security policy is the practical starting point for most organizations.\n",[433,437,441,445,449,452],{"industry":434,"icon_asset_id":435,"specifics":436},"SaaS / Technology","industry-saas","Cloud infrastructure security controls, sub-processor lists, API access management, and automated breach detection are the four areas enterprise customers most frequently audit against this policy.",{"industry":438,"icon_asset_id":439,"specifics":440},"Healthcare","industry-healthtech","Health data is a special category under GDPR Article 9 and requires explicit additional safeguards — clinical systems access logging, strict retention schedules, and purpose limitation are non-negotiable policy elements.",{"industry":442,"icon_asset_id":443,"specifics":444},"Professional Services","industry-professional-services","Client confidentiality obligations and GDPR security requirements overlap significantly — the policy should address how staff handle personal data in documents, email, and shared drives used for client engagements.",{"industry":446,"icon_asset_id":447,"specifics":448},"Retail / E-commerce","industry-ecommerce","High transaction volumes mean breach scope can grow large rapidly — the policy's breach detection and 72-hour notification procedure is the section most tested in this sector.",{"industry":450,"icon_asset_id":443,"specifics":451},"Human Resources / Staffing","Employee personal data — payroll records, disciplinary files, health information — is among the most sensitive data organizations process, and HR teams are frequently the subject of internal access control failures.",{"industry":453,"icon_asset_id":454,"specifics":455},"Financial Services","industry-fintech","Overlap between GDPR security obligations and FCA / PSD2 / EBA security requirements means the policy must align with sector-specific technical 
standards, particularly around authentication and audit logging.",[457,460,464,468],{"vs":240,"vs_template_id":458,"summary":459},"privacy-policy-D13442","A Privacy Policy is a public-facing document telling data subjects what personal data is collected and why — required under GDPR Articles 13 and 14. A GDPR Internal Security Policy is an internal staff document defining how that data is protected. Both are required, but they serve different audiences: one faces outward to data subjects, the other governs internal behavior. Conflating the two is a common compliance gap.",{"vs":461,"vs_template_id":462,"summary":463},"Data Processing Agreement","D{DATA_PROCESSING_AGREEMENT_ID}","A Data Processing Agreement (DPA) is a contract between a data controller and a data processor — a third-party vendor — specifying each party's data protection obligations under GDPR Article 28. A GDPR Internal Security Policy governs the organization's own staff and internal systems. Both are required when using third-party processors, but they operate in different directions: the DPA binds the vendor; the policy binds your employees.",{"vs":465,"vs_template_id":466,"summary":467},"Information Security Policy (ISO 27001)","D{ISO_INFORMATION_SECURITY_POLICY_ID}","An ISO 27001 Information Security Policy is part of a formal ISMS covering all information assets across 93 controls — a significant certification undertaking. A GDPR Internal Security Policy is narrower, focused specifically on personal data protection requirements, and is the practical starting point for most organizations. ISO 27001 certification satisfies GDPR Article 32 requirements, but the two documents are complementary rather than interchangeable.",{"vs":232,"vs_template_id":469,"summary":470},"D{DATA_BREACH_RESPONSE_PLAN_ID}","A Data Breach Response Plan is a standalone operational playbook covering the end-to-end incident response process — detection, containment, assessment, notification, and post-incident review. 
A GDPR Internal Security Policy summarizes breach notification obligations and escalation paths at a high level but does not replace a detailed response plan. Organizations handling significant personal data volumes should maintain both.",{"use_template":472,"template_plus_review":476,"custom_drafted":480},{"best_for":473,"cost":474,"time":475},"Small and medium-sized businesses processing standard personal data categories with a clear, straightforward data landscape","Free","2–4 hours to complete and distribute",{"best_for":477,"cost":478,"time":479},"Organizations processing special category data, handling cross-border transfers, or facing enterprise customer security audits","$500–$2,000 for a data protection consultant review","3–5 days",{"best_for":481,"cost":482,"time":483},"Large enterprises, regulated industries (healthcare, financial services), or organizations undergoing ISO 27001 certification","$3,000–$10,000+ for a full GDPR compliance program with legal counsel","4–12 weeks",[485,486],"gdpr-article-32-explained","personal-data-breach-notification-guide",[241,488,489,490,491,492,493,494,495,496,497,498],"employee-handbook-D712","non-disclosure-agreement-nda-D12692","it-security-policy-D13722","remote-work-agreement-D13282","environmental-impact-assessment-D13965","vendor-agreement-D13292","acceptable-use-policy-D12622","business-continuity-plan-D12788","risk-management-plan-D13391","employee-disciplinary-action-policy-D13487","incident-response-plan-D13714",{"emit_how_to":500,"emit_defined_term":500},true,{"primary_folder":502,"secondary_folder":503,"document_type":504,"industry":505,"business_stage":506,"tags":507,"confidence":513},"software-technology","data-governance","policy","general","all-stages",[508,509,510,511,512],"data-protection","compliance","privacy","gdpr","security-policy",0.95,"\u003Ch2>What is a GDPR Internal Security Policy?\u003C/h2>\n\u003Cp>A \u003Cstrong>GDPR Internal Security Policy\u003C/strong> is an internal governance 
document that defines how an organization protects the personal data it processes, in line with the requirements of the European Union's General Data Protection Regulation — specifically Article 32, which mandates appropriate technical and organizational security measures proportionate to the risk. It covers access controls, data classification, encryption standards, breach detection and notification procedures, staff training obligations, and data retention and deletion rules. Unlike a public-facing privacy policy, this document is directed inward at employees, contractors, and system owners, giving them clear, actionable rules for handling personal data responsibly and consistently.\u003C/p>\n\u003Ch2>Why You Need This Document\u003C/h2>\n\u003Cp>Without a written GDPR Internal Security Policy, your organization has no documented baseline against which to measure controls, train staff, or demonstrate accountability to regulators. When a data breach occurs — and supervisory authorities launch an investigation — the first document they request is evidence of the security measures you had in place before the incident. An organization that cannot produce a current, staff-acknowledged policy faces significantly higher fines, because the absence of documentation is treated as evidence that adequate measures did not exist. Beyond regulatory risk, enterprise customers and procurement teams routinely require a written GDPR security policy as a condition of vendor approval — making it a commercial prerequisite as well as a legal one. This template gives you a structured, editable starting point that covers every core requirement, so you can move from a compliance gap to a documented, distributed policy in hours rather than weeks.\u003C/p>\n",1781185975773]