12/07/2022

Data protection policies (UK Templates)

In recent years the need for data protection policy and contract templates has grown, driven by an evolution in the way data is collected, stored, and shared.

An informed approach to data protection obligations goes beyond the reach of avoiding fines and allows businesses to build trust with their consumers, act ethically, and have a more comprehensive handle on the data the business carries. But that doesn’t mean that adhering to data protection obligations is simple stuff.

UK data protection law is renowned for its jargon, and many businesses have struggled to grapple with updates to it, leaving them in the dark as to how best to protect their business and their customers.

In this blog, we explain the difference between a data protection policy and a privacy policy, how to write a data protection policy for your SME, and how to meet data protection obligations.

So, let’s start. What’s the difference between a data protection policy and a privacy policy?

Data protection policy vs privacy policy: what’s the difference?

While a data protection policy and a privacy policy have their similarities, there are a number of important distinctions. Both of these documents cover how a business handles personal data, but a data protection policy is an internal facing document, and a privacy policy is an external facing document. But what do each of these documents cover?

What is a data protection policy?

As an internal document, a data protection policy will outline how a company intends to comply with data protection obligations, and how it sets out to achieve compliance with the main principles of data protection law. This document’s main function is to provide information for staff on the actions they should take to enable the business to remain compliant. This might include who to contact if they have questions, how to handle data protection requests, and how long (and where!) they should store personal data. 

As an internal company document, a data protection policy might be joined by numerous other data protection documents, such as a data breach policy (which would cover what would happen in the event of a breach) and a data protection requests policy. 

What is a privacy policy?

As an external document, a privacy policy is an important part of ensuring companies meet their UK data protection law obligations. This document is considered to be a “transparency notice”, meaning that its main focus is to provide information rather than instructions (and helps businesses meet their transparency obligations under data protection laws).  


This policy tells people outside of the business how their personal data will be handled, on what legal grounds, who it will be shared with, how it will be shared, and so on. This document needs to meet certain criteria under UK data protection law, meaning it's much less flexible than a data protection policy can be. 


A business will need to have a privacy policy where it is a “controller” of personal data. A controller of personal data means they make decisions about how personal data will be used. Most companies have privacy policies to cover their website users (including customers) and their employees to explain clearly how their personal data will be handled. 


How to write a data protection policy for a UK company

A data protection policy should include useful information to help a company comply with data protection obligations. 

When creating a data protection policy for a UK SME, you’ll want to accurately reflect the practices of your company. Here you should take the time to identify different roles in the company. Take the time to think about:

  • Who is responsible for dealing with data protection requests?

  • Who should a staff member go to if they have any questions?

  • Who gets to decide if personal data is used for a new purpose? 

You will also want to identify what other policies are already in place and how they work together. This will help you define and outline how existing policies work together to provide a useful data protection compliance framework for the company. As this document is intended for the benefit of your internal team, you’ll want to stay away from legal jargon where possible. 

Unfortunately, the world of data protection has a few set terms that are difficult to get away from, meaning you’ll need to set out the terms in use, and what they mean. Using a template is particularly helpful here, as it will give you solid foundations to build on. 

Can I write my own data protection policy or should I hire a lawyer?

Good news! Unlike a privacy policy, a data protection policy doesn’t have a strict list of requirements to meet. As a result, you can write your own data protection policy if you so wish. While getting a lawyer can be helpful, it's not essential if the company has a robust template to start with. That’s where Docue comes in. Our platform allows businesses to create, customise and store a compliant data protection policy at the touch of a button using a lawyer-grade template as a starting point and automated guidelines to steer you in the right direction from start to finish. Sign up to a free trial on the Docue platform today to get your data protection policy sorted in just a few clicks.

If you are opting to write your own data protection policy, there are a few topics which can be useful to include: 

  • Data protection principles

  • How the company processes personal data in a lawful, fair, and transparent manner

  • Using data for specific purposes

  • How the company keeps personal data safe

  • How the company shares personal data with others

  • How it decides what data to delete and when it deletes it 

  • What records the business keeps

  • Who to contact with questions about the policy

  • What other relevant data protection related policies the business has 


Take the time to consider what’s most relevant to the business, and to your staff, and create something fit-for-purpose, with the benefit of a template that covers the basics.

Use this UK GDPR wording


If you’ve been operating in the UK, it’s highly likely you’ve heard of the UK GDPR. If not, the GDPR stands for General Data Protection Regulation and is an important piece of European Union legislation designed to protect the privacy rights of individuals. After Brexit, the wording of the GDPR was copied across into UK law in the UK GDPR. The UK GDPR essentially sets the standard for data protection obligations and has a set of seven key principles. These are:

  • Use personal data in a lawful, fair and transparent way.

  • Only collect personal data for a specific, explicit and legitimate purpose (purpose limitation).

  • Collect the least amount of personal data needed to achieve an aim (data minimisation).

  • Make sure personal data is accurate.

  • Only keep personal data for as long as needed (storage limitation).

  • Keep personal data safe (by ensuring its security, integrity and confidentiality).

  • Demonstrate that personal data is processed properly (accountability).


It’s worth noting here that there is no requirement to list the UK GDPR principles on your website. Typically, however, these principles would be listed in a data protection policy as an example of what the company is trying to achieve, and why it's important to have the data protection policy. 


So what should a UK website have? Typically: 


  • A privacy policy (this covers how the website will process website users' personal data, including customers if customers can purchase through the website);  

  • A cookie notice (which may or may not be included within the privacy policy); and

  • It may have several ‘just in time notices’. These are smaller notices to inform a website user before they provide their personal data. For example, if a website user signs up for a newsletter, they may be asked to consent to the company using their name and email address, and given a link to the privacy policy for more information about how the company uses their personal data.  

Here’s what the Docue Data Protection Policy Looks like 

Thinking about making your own data protection policy? Fortunately for you, we’ve created a data protection policy template that allows UK SMEs to address data protection obligations with expert input. What does it contain?

It contains the following clauses: 

  • 1. Introduction

  • 2. Definitions

  • 3. Scope

  • 4. The Data Protection Principles

  • 5. The Rights of Data Subjects

  • 6. Lawful, Fair, and Transparent Data Processing

  • 7. Consent

  • 8. Specified, Explicit, and Legitimate Purposes

  • 9. Adequate, Relevant, and Limited Data Processing

  • 10. Accuracy of Data and Keeping Data Up-to-Date

  • 11. Data Retention

  • 12. Secure Processing

  • 13. Accountability and Record-Keeping

  • 14. Data Protection Impact Assessments and Privacy by Design

  • 15. Keeping Data Subjects Informed

  • 16. Data Subject Access

  • 17. Rectification of Personal Data

  • 18. Erasure of Personal Data

  • 19. Restriction of Personal Data Processing

  • 20. Data Portability

  • 21. Objections to Data Processing

  • 22. Automated Processing, Automated Decision-Making, and Profiling

  • 23. Direct Marketing

  • 24. Personal Data Collected, Held, and Processed

  • 25. Data Security - Transferring Personal Data and Communications

  • 26. Data Security - Storage

  • 27. Data Security - Disposal

  • 28. Data Security - Use of Personal Data

  • 29. Data Security - IT Security

  • 30. Organisational Measures

  • 31. Transferring Personal Data to a Country Outside the UK 

  • 32. Data Breach Notification

  • 33. Implementation of Policy

How much does a data protection policy cost?

The cost of a UK data protection policy varies depending on a number of things. Depending on the needs of the business, you may need someone to go through the document in detail and make it very bespoke, or you may just need a standard policy. With that in mind, you can expect on average to pay £2,000 for a well-drafted data protection policy. 


Fortunately, you don’t need a lawyer to write a data protection policy, which is where a well-drafted contract template can come in handy. 


At Docue we’ve equipped SMEs with lawyer-drafted and customisable contract templates that are cost-effective, efficient, and importantly: easy to use. Better yet, you can set legally compliant foundations using the templates on the Docue platform for just £49 + VAT per month!


Legal tips on protecting personal data - best practices

Given that the UK GDPR threatens a fine of £17.5 million or 4% of annual global turnover (whichever is higher), it’s a no-brainer to want to cover your bases when it comes to data protection. So what are some best practices when it comes to protecting personal data? 


This really comes down to addressing how your business handles personal data, and taking the time to understand the data the company holds and how it processes this data. Here you should think about how your staff handle personal data, and any particular training needs they might need to have in relation to this. 


It’s also important to review all policies, internally and externally, to ensure they’re fit for purpose for the reality of what goes on in the business. For internal policies, this will ensure your business has a useful resource for complying with data protection obligations. For external policies, failure to keep them up to date can pose a compliance risk, which could potentially be a breach of data protection law. 


Finally, it’s important to regularly review the personal data that your business holds to address whether it's needed. Remember, any unnecessary personal data is not just a compliance risk, it’s a security risk. 

Compliance Matters

One thing’s clear: compliance with the UK GDPR in the collection, use, and storage of personal data is pretty important. Not only does the misuse of data result in a hefty fine, but it’s also a fast track to losing the hard-earned trust of your customers and/or employees. Despite this, a data protection policy can be expensive and time-consuming.


Thankfully, Docue has created lawyer-grade data protection templates which are available to UK businesses via the Docue platform at a fraction of the cost of hiring a lawyer. These policies, notices, and contract templates can be customised by the business user to cover any use case, ensuring today’s SMEs stay one step ahead of their data protection obligations. So what are you waiting for? Sign up to Docue today and, for one fixed subscription price, you’ll gain access via the Docue platform to all the data protection-related policies, notices and contract templates your business needs, including:

Docue Legal Team