Article 24 states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”.
Where proportionate to the processing activity, these measures “shall include the implementation of appropriate data protection policies by the controller”. In practice, there will be very few processing activities that will not require a policy.
