On a couple of occasions I’ve mentioned the importance of Standard Operating Procedures and how they can benefit both your business and your privacy exercises. In today’s article, I’m going to show you just how easy it is to get started in mapping these out. Each of the headings used below can be used as a heading in your own template. The headings I use have been adapted from ISO standards; however, they do not include Privacy by Design – that’s a topic for another upcoming post.


This is where you introduce the procedure. Remember, if a process is what you do, the procedure is how you do it. You want to give a high-level description of the procedure you are documenting.

Change Log

Include a table that details any revisions to the document. I use four columns:

  1. Revision Number – what versions of the procedure are there
  2. Date Changed – when each change was made
  3. Changed By – who made the changes to the procedure
  4. Details of Change – what was the change that was made


This is simply the purpose of the procedure. Why does it exist in the first place? It doesn’t have to be a lot of information, but it needs to give the reader context as to why you have designed this in the first place.


Who is responsible for managing this procedure? It can be a job title if the individual changes, or it can be a named individual in the business. I use the following columns in a table:

  1. Responsible Person
  2. Department
  3. Contact Details


What does the procedure include, and what does it specifically exclude? Is it restricted to a particular department? Does it deal with other clients? Or is there another procedure that should be referred to for exceptions to this one? You need to detail where the procedure is applicable and who the audience is.


This is where you detail the procedure, step-by-step. How does this procedure get completed? This can be very simple, or it can be long and complicated. Follow a numeric order detailing how each process step is completed.

Process Flow

The overall process diagram that someone can view. I normally use a flowchart here, however I will likely start using OBASHI methods in the near future as they are very well suited to data flows and privacy.

There you have it! These are the headings needed for a good SOP and are hardly as complicated as we often make them out to be. The sooner you can draw up these documents for your organisation the better it will be for your accountability, privacy exercises, and general business flow.

Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?
