How to Write a GDPR Data Protection Policy
Discover what to include in a data protection policy and why it’s essential for GDPR compliance.
As part of your accountability obligations, you should implement appropriate procedures, policies and measures to minimise risk and promote high standards across your organisation.
A data protection policy is one way to demonstrate compliance with the UK GDPR. In this blog, we explain this policy, why it matters and what to include when writing one.
What Is a Data Protection Policy?
A data protection policy is an internal document that outlines the GDPR requirements relevant to your organisation and employees. This policy demonstrates your commitment to compliance and acts as a guide for employees on how to handle personal data safely and securely.
While this policy shows your commitment, your procedures set out how you will meet those obligations in practice. For example, a personal data breach notification and response procedure outlines the steps you take when a personal data breach occurs.
Why Do You Need a Data Protection Policy?
The UK GDPR is a complex piece of legislation that can easily go over your employees’ heads. A data protection policy explains how the GDPR applies to them and what their obligations are when handling personal data.
Most of your employees won’t be GDPR experts like a DPO, but with this policy, you’ll clearly define what is required so they can maintain compliance. Everyone will take a consistent approach when handling personal data, keeping risks to a minimum.
A data protection policy also shows you take the GDPR seriously, which can be crucial evidence should you face a regulatory investigation. One-off mistakes can be damaging, but company-wide neglect will cost you significantly more, through damage to your reputation or potentially even monetary penalty notices. Implementing this policy helps ensure everyone remains on the same page.
What to Include in a Data Protection Policy
Your data protection policy doesn’t need to be an extensive document. Instead, it should give enough direction for your employees to understand their roles and responsibilities under the UK GDPR. Here are the key areas we recommend covering:
1. Policy Purpose
Consider the purpose of your data protection policy as the introduction. You should state your overall objective and outline the importance of maintaining individuals’ privacy and rights.
Your purpose shouldn’t read like a tick-box exercise. It should show a commitment to the UK GDPR that goes well beyond the bare minimum required.
2. Scope
You must outline the types of personal data your organisation collects, processes and stores, as well as the lawful basis for doing so. The UK GDPR separates information into personal data and special categories, e.g., biometric data and information on criminal offences. If your organisation handles the latter, you’re subject to extra obligations.
3. Definitions
Your policy will include extensive data protection terminology, so it’s your responsibility to explain these key terms and concepts clearly to employees.
Terms to include:
- Personal data: any information relating to an identified or identifiable natural person, e.g., name, address, location data and other identifiers.
- Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data subject: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.
- Consent: a freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
For a complete overview of what you may want to add, head to our glossary of 30 data protection terms.
4. Data Protection Principles
The next section should cover the seven principles for data protection. You should also note how you will meet these obligations so your employees know how they will contribute.
The principles to cover:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Our guide on data protection principles provides insight into each obligation and what measures you can take to meet them.
5. Lawful Basis of Processing
Your data protection policy should outline the six lawful bases for processing personal data and how your organisation determines and documents the legal basis for each processing activity.
All processing should be carried out using one of six lawful bases under the UK GDPR:
- Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Contract: the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation: the processing is necessary to comply with a legal obligation to which the controller is subject.
- Vital interests: the processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public interest: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
6. Roles and Responsibilities
Whether you’re a small business or a global enterprise, you will have a range of roles responsible for maintaining GDPR compliance. Your policy should clearly define the roles and responsibilities of key stakeholders within the organisation, such as your data protection officer (DPO), head of IT, data champions and process owners.
7. Data Subject Rights
Your employees must be aware of the ten rights that data subjects have under the UK GDPR. Your policy should define these rights and state how they will be upheld.
For example, you may explain your procedure for individuals submitting a subject access request (SAR).
8. Review and Implementation
A data protection policy is a living document that you should enforce in your daily operations. You should list ways of implementing the policy, such as adding it to an intranet site and staff handbook or raising policy awareness through posters and guidelines.
You should also outline a review and approval process to ensure the policy stays aligned with UK GDPR requirements.
9. Contact Details
The final section should provide precise contact details for your appointed DPO or responsible individual within your organisation. This information should be easily accessible should a supervisory authority or data subject want to get in touch.
Are There Other GDPR Policies?
A data protection policy isn’t the only thing you need to organise. You need to factor in your privacy notice, employee privacy notice, data retention policy, and other procedures and documentation.
See our complete list of mandatory GDPR documents, or if you want to save time, simply get our GDPR toolkit. Our extensive GDPR documentation package covers everything from policies and procedures to essential templates and checklists. We offer corporate, SME and tailored toolkits depending on your requirements.
Looking for Data Protection Support?
Data Protection People is a leading GDPR consultancy with years of experience working across sectors. Whether you require occasional SAR support or a full-time DPO, we’ll help your organisation maintain compliance. Want to learn more? Contact our team today.