The policy of data protection that a company uses. Access, responsibilities, and time cycles are set in place.