GDPR Compatible Data Protection Policy Template

Data Protection Policy (GDPR Compatible)


The EU General Data Protection Regulation or “GDPR” is the most important change to data protection and privacy law in two decades. It was approved by the EU Parliament in April 2016 and came into force in the UK on 25th May 2018. The GDPR has replaced the Data Protection Act 1998 and, while it is similar to the regime under the 1998 Act in many ways, it is a great deal more modern, taking into account major advances in science and technology. Most importantly for businesses, it is more demanding.

This Data Protection Policy template sets out the rights of data subjects and the obligations of a business as a data controller under the GDPR, laying down a number of organisational and procedural measures to help ensure compliance.

As part of our ongoing review of data protection-related documents, this policy has received updates including clearer provisions on technical data protection measures, new detail governing “special category” personal data (formerly known as “sensitive personal data”) and additional references to our Data Retention Policy.

Detail in this Data Protection Policy is extensive, aiming to reproduce key parts of the GDPR so as to aid in the establishment of knowledge and understanding throughout your business. Despite this, however, it should be noted that training remains essential and that any and all individuals handling personal data within your business should be fully aware of the GDPR and its principles as well as the procedures in place within your business.

Please note that this document is designed for business use only, and certain provisions of the GDPR relating to public authorities and other official bodies have not been incorporated fully. Please also note that this is a “living document” and will be reviewed as more best practice and official guidance on the GDPR becomes established.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This document is also available in the GDPR & Data Protection group under GDPR/Data Protection Policies.

This Data Protection Policy contains the following provisions:

1. Introduction
2. The Data Protection Principles
3. The Rights of Data Subjects
4. Lawful, Fair, and Transparent Data Processing
5. Specified, Explicit, and Legitimate Purposes
6. Adequate, Relevant, and Limited Data Processing
7. Accuracy of Data and Keeping Data Up-to-Date
8. Data Retention
9. Secure Processing
10. Accountability and Record-Keeping
11. Data Protection Impact Assessments
12. Keeping Data Subjects Informed
13. Data Subject Access
14. Rectification of Personal Data
15. Erasure of Personal Data
16. Restriction of Personal Data Processing
17. [Data Portability]
18. Objections to Data Processing
19. [Automated Decision-Making]
20. [Profiling]
21. Personal Data Collected, Held, and Processed
22. Data Security - Transferring Personal Data and Communications
23. Data Security - Storage
24. Data Security - Disposal
25. Data Security - Use of Personal Data
26. Data Security - IT Security
27. Organisational Measures
28. Transferring Personal Data to a Country Outside the EEA
29. Data Breach Notification
30. Implementation of Policy
