What is a GDPR policy template and why does my business need one?
The UK GDPR requires businesses to be able to demonstrate that they comply with its data protection principles. These principles are:
Lawfulness, fairness and transparency;
Purpose limitation;
Data minimisation;
Accuracy;
Storage limitation;
Integrity and confidentiality (security); and
Accountability.
A GDPR policy template can be a key tool in helping businesses to address data protection in a consistent manner across the business and demonstrate accountability under the UK GDPR.
A company's GDPR policy should clearly set out the business’s approach to data protection, together with the responsibilities for implementing the policy and monitoring compliance. The business’s management should approve the policy and it should be published and communicated to all staff. The policy should then be reviewed and updated at planned intervals or when required to ensure it remains relevant.
How do I customise my GDPR policy template?
It is really important that your company’s GDPR policy is tailored to reflect the specific processing activities carried out by your business - a generic policy that is not adapted to your business’s activities will not be enough to demonstrate compliance with the UK GDPR.
Docue’s GDPR policy template can be easily customised to reflect your business activities, including in the following ways:
Details of processing - processing means taking any action with someone’s personal data. If you hold information on someone, it counts as processing even if you do not do anything else with it. The GDPR policy template should be customised to include details of the processing being carried out by your specific business, including all ways personal data is used (e.g. in relation to employees, customers and suppliers).
Key people - it is important that employees know who has responsibility for data protection matters within the business and who they can contact with queries or when issues occur. Docue’s GDPR policy template includes the option to add different key people with responsibilities for different areas. For example, the person who could be contacted if a data breach occurs may be different to the person who has overall responsibility for the GDPR policy.
Lawful basis - where personal data is processed, there must be a lawful basis in place to justify that processing (e.g. consent, legitimate interest). A GDPR policy should not only set out the different lawful bases that can be relied upon under UK data protection laws, but also be customised to refer to the specific lawful bases being relied upon by your business.
Other policies - if your business has other data protection policies in place, they should be referred to within the GDPR policy in order to ensure that all policies are integrated and aligned. This could include:
Data Retention Policy - UK data protection laws include principles relating to storage limitation and data minimisation. These principles mean that personal data should only be kept by your business for as long as it is necessary to achieve a particular purpose. Having a clear data retention policy in place that is followed by your staff can be crucial to achieving (and demonstrating) compliance with these principles;
Data Breach Policy - a business has 72 hours to report a data breach to the ICO. A data breach policy gives your staff clear procedures to identify, minimise and report a data breach, in compliance with UK data protection laws;
Data Subject Requests Policy - individuals (known as data subjects) have a range of rights under data protection laws. A clear policy can be key to a business remaining data protection compliant and handling requests lawfully. This policy should provide practical guidance for the business's staff, including procedures for verifying the identity of the individual making the request, the circumstances in which requests can be refused, and how to ensure that requests are handled quickly (and within the timeframes set by the UK GDPR).
Review process - it is important to include a process for reviewing and updating the policy if there are legal changes or the business’s operations change. This should include a review frequency, and a process for informing employees of the changes.
Is there anything else my business needs to do to implement our company's GDPR policy?
Yes - whilst getting a written UK GDPR policy in place is the first step to demonstrating compliance with the UK GDPR, a written policy alone is not enough. It is vital that employees receive training on the principles and procedures that are set out in the policy so that they are integrated into the business’s day-to-day operations and followed by all employees. Training should cover the business’s privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up-to-date and should be provided at regular intervals.
How can Docue help? Use our GDPR Policy (UK)
Docue’s dynamic GDPR policy template has been drafted by privacy lawyers to help you comply with UK data protection laws. The template is easily customisable to suit your requirements - all you have to do is answer a series of simple questions and you will have a tailored policy in no time.
Sign up now to use Docue’s data protection policy and other privacy templates.