What is the difference between a code of conduct and a security policy?

A security policy describes technical and organisational measures at company level. A code of conduct describes expected behaviour of individual employees in their daily work. The code of conduct is the practical translation of the policy.

Should every employee read the code of conduct?

Yes. Every employee who works with personal data must know the rules. Have new employees read the code as part of their onboarding and repeat the key points annually.

How do I enforce compliance?

Not through penalties, but through culture. Make privacy a normal topic, lead by example, and encourage reporting. When an employee makes a mistake and reports it, that is a success, not a reason for sanctions.

Privacy Code of Conduct for Employees | GDPR Guidelines

A privacy code of conduct sets out how employees should handle personal data in their daily work. Practical guidelines you can apply immediately.

Why a code of conduct?

You can have the best systems and policies, but ultimately your employees handle personal data every day. They reply to emails, call customers, share files, and use software. In all those situations, they make choices that affect the privacy of data subjects.

A code of conduct translates the GDPR from abstract legislation into concrete rules for daily work.

What should it cover?

Handling personal data

Only collect data you truly need for your work
Do not keep data longer than necessary
Do not store personal data on USB sticks, personal folders, or unapproved tools
Delete or destroy data when you no longer need it

Email and communication

Avoid sending personal data in unencrypted emails if not necessary
Double-check the recipient before sending, especially with sensitive information
Use BCC when emailing multiple customers
Be careful when forwarding emails that contain personal data

Phone and conversations

Do not discuss personal data of customers or employees in public spaces
Verify the caller’s identity before sharing personal data
Do not leave notes with personal data on loose papers lying around

Visitors and the workplace

Do not leave visitors unattended in areas where personal data is accessible
Turn your screen away when sensitive information is displayed
Lock away documents when you leave your desk

Do not share data about customers, employees, or partners on social media
Ask permission before posting photos of colleagues or customers
Be careful with information that could indirectly identify individuals

Incidents and mistakes

Report any suspected data breach immediately, even if you caused it
Reporting mistakes is encouraged, not punished
The sooner you report, the better we can resolve it

Tips for implementation

Keep it short

Maximum 2 pages. A code of conduct that nobody reads has no value. Focus on the situations employees encounter most often.

Use examples

Instead of “handle personal data carefully”, write: “when a customer calls about their order, first verify you’re speaking to the right person by asking for the order number.”

Discuss it as a team

Don’t just circulate the code by email. Take 30 minutes in a team meeting to walk through the key points and answer questions.

Repeat annually

Privacy awareness fades if you don’t maintain it. Schedule an annual refresher, linked to your yearly privacy review.

auto_awesome Build a privacy-conscious culture

GDPRWise helps you not only with documents and records, but also with awareness. Start with your free scan and discover where you stand.

Start your free scan