How to Create a Data Policy

There are many reasons why you might need to consider how to work with personal data. Maybe you are managing a mailing list, but you’re not sure about the privacy standards you should be applying. Maybe you are a small organisation about to start a larger data collection project to improve your communications, but you don’t know where to start. Or you might be regularly organising events that are getting larger and with more personal data stored, but you don’t have the software needed to keep the data secure.

Working with data requires care due to the risks around the security of sensitive information, the ethics of collecting personal data, the effectiveness of the practices, and the impact on the organisation. Advice about data collection and storage can be legal or technical, and it may not be clear how to apply the guidance in specific contexts. This guide provides four steps you can follow, either in your own time or throughout a workshop, to create a data-use policy. It also provides some activities to help you get started.

  1. Get familiar with talking about data
  2. Conduct a data audit of the data you use
  3. Understand and analyse the risks for you and your audience
  4. Combine your data audit, risks and values to create your data policy


1. Get familiar with talking about data – alone and with your co-workers

The first step in making a data policy is to familiarise yourself with the topic so you feel comfortable thinking, talking, and making decisions about data.

We may shy away from conversations about data because we feel we don’t know enough to have an opinion worth sharing. We can start to feel comfortable talking about personal data by connecting it with our surroundings – personal data is a representation of information about people, including ourselves, and the way we interact with the world. By describing ourselves, our actions, our personalities, the people around us, and how we interact, we already begin to talk about personal data.

Unpack the terms and ideas that immediately come to mind when you think of personal data. Perhaps you’ve felt targeted by advertising on social media, or you work with Google Analytics, or you remember details about the surveillance systems used by governments revealed by the whistle-blower, Edward Snowden. Begin to connect these stories and uses of personal data to how you work with personal data – do they feel very different or the same? In what way? If you work with others, you will also need to feel comfortable discussing data with them, so involve them in conversations and ask what they know.

You do not have to try to learn everything there is – it would be an impossible task. Instead, take time to get to know what you already know about data and its ethical implications, as well as what you do not feel confident about and what you may want to ask more about from colleagues or outside your organisation.

The familiarisation stage is helpful both for those who feel unsure about working with data and technology and for those who already work with data: unpacking the habits, routines, and acronyms helps everyone take agency over their understanding of the topic.

Activities to get you started

Working alone: Check out "Your Motivation to Learn About Personal Data" in Introduction to Personal Data and Events

Working in a team: Check out the ‘Flight Search’ and discover the types of data that might be given away when you take a flight. Talk as a group about what data you already knew about and which you didn’t, and look up any terms no one knew.


2. Conduct a data audit of what data you use, what tools and software you work with and what purpose it has for the organisation

The second step to creating your data policy is to examine what data you interact with in your work – at what points you collect data, or create data about yourself and others, and with which tools you interact that may also create and collect personal data. This can include a wide variety of data, including contact details of your partners, social media activity of your audiences or travel details of people attending events you are organising.

It may be useful to consider various angles to understanding where you interact with data. Start with what comes to mind and then ask your colleagues. You may think about what tools you use, both in-house and those you rely on a third party for. For the third-party tools, check their terms and conditions and privacy policies to learn about what data the tools use. Another approach is to go through your day-to-day routine and each function of your work – such as fundraising, membership engagement, or grant management – and consider if you work with data in each part. Consider who you work with and whether you need to take them into account in your own data practices. You might have data whose use you are not sure of, but which a colleague may require in their role. Can you ask them why they use the data? (See stage 1 about becoming familiar with talking about data.) It is likely you will find a lot more data than you were expecting.

Activities to get you started

Working in a team: Split the team into three groups and set up three lists or spaces to add post-it notes.

  1. Types of data: e.g. email addresses, names, statistics, analytics, HR data
  2. Tools: such as what email provider or databases or social media you use
  3. Uses: what do you collect the data for? Call one ‘data uses’ and one ‘data types’, and under each, list everything that comes to mind.

List as many as you can under each that you work with. After five minutes, rotate the groups so each group has a chance to review and build on each section. After everyone has had a chance to review each section, discuss as a full group: was anything surprising, anything missing, or anything you didn’t know before?

Working alone: Check out "Your Data Contact Points" in An Introduction to Personal Data and Events


3. Understand and analyse risks for you and your audience

Now that you understand what data you have, take some time to understand your risks, your values and your organisation’s approach to ethics, and apply them to work out what you need to account for when working with the data.

There are many different concerns and approaches to considering the risks of working with personal data. Some of the risks may depend on the environment the organisation is working in – whether the topic is controversial or whether there are specific groups in opposition to the cause of the organisation. There are risks related to privacy concerns when collecting data and how to gather appropriate consent – including what the consent is for and its limits – and the responsibility of keeping the data secure. When engaging with data at a large scale, such as through Facebook analytics or website traffic numbers, it remains a question as to whether data is accurate or representative – and the contribution of these practices to biases in a system that could exacerbate inequalities in society.

Begin with your own concerns: have you been targeted with adverts or are you concerned about your communications being monitored? Once you have an idea of your own concerns, expand this to your audience and unpack what contexts your audience are part of, and what risks and concerns they might have. It is important to talk to the people you are collecting data from, who know their own risks best and can outline important details you may need to consider when deciding how to use their data. There is guidance on how to get others involved at the Responsible Data Project from the Engine Room.

Activities to get you started

Working alone: Check out "Put Yourself in Their Shoes" in the Event Registration and Participant Data chapter of The Organiser’s Activity Book

Working in a team: In a meeting, conduct a poll on whether people Agree or Disagree with the following statements:

  • Some people should have more privacy than others
  • There are certain situations in which you can use someone's personal data without their consent
  • Some issues are more important than privacy
  • I don't need privacy because I have nothing to hide

Discuss the results afterward. It is common for people to find there is more diversity in opinion on the topics than expected. See if you find a way to understand different approaches or if you can find common ground.

4. Combine your data audit and your risks and values to create your data policy

Finally, you can take the information from stage 2 – the data audit – and stage 3 – in which you evaluated your risks, concerns and values – and combine them to produce a data policy.

Below are two examples of formats for the policy that you can start with. It might be easier to start with a spreadsheet, in which you document the types of data and what you have to answer, as in the top image. Then you can consider where you would host the data policy and what format would work best. Where you host the document will depend on who you want the data policy to be accessible to – your website is a good choice if you want a public audience to access the policy, but perhaps you also want to make it clear on other social media channels or at the end of your emails. You may also consider different formats, such as a short infographic for quick access or a video explainer for anyone who would want more information.

If this is a guide for yourself and your colleagues, can you have an easy print-out of the essentials or an internal drive to host the information and share it with colleagues? Can you also include helpful reminders and hints throughout processes, such as at the top of a database or whenever you enter a new email address into your mailing system? Remember, the policy itself may contain personal data or sensitive information about where you host information – so find a place to keep it secure as needed.

Your data policy will be a living document, changing as your organisation changes. Reflect regularly on whether there is anything missing or that needs to change.

Example 1: Spreadsheet showing the types of data you might collect in the columns and the questions you may need to answer in the rows


Example 2: A template for a written policy with different sections based on types of data, uses of data and types of risks

Download here

6th July 2021, Written by Dr. Amber Macintyre, Project Lead

Thanks to Daisy Kidd for creation of the data policy template, and to the Tactical Tech team for their comments and support

Examples of Data Use Policies:

Privacy International

Electronic Frontier Foundation

Tactical Tech

Responsible Data Policy from Engine Room