Sample preview. Placeholders in [brackets] are replaced automatically with your answers from the post-purchase customisation form.

GDPR Compliance Suite

Data Protection Policy

Document 1 of [number of documents in suite] · One-time £20 for the full suite

1. Purpose

[Company Name] is committed to protecting the personal data of its clients, employees, suppliers and other stakeholders. This policy sets out how [Company Name] meets its obligations under the UK GDPR, the Data Protection Act 2018 and (where applicable) the EU GDPR.

2. Scope

This policy applies to all personal data processed by [Company Name], regardless of format or location, and to all employees, contractors and third parties acting on behalf of [Company Name].

3. Roles and responsibilities

  • Controller: [Company Name], registered at [Registered Address].
  • Data Protection Officer: [Data Protection Officer]. Contact: [DPO Email].
  • Senior Information Risk Owner: [Company Owner].
  • Data Governance Lead: [Data Governance Officer].
  • All staff are responsible for handling personal data in line with this policy.

4. Data protection principles

[Company Name] processes personal data in accordance with the seven UK GDPR principles:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation — see the [Company Name] Retention Schedule.
  • Integrity and confidentiality.
  • Accountability.

5. Lawful bases for processing

[Company Name] relies on the following lawful bases, recorded in the Record of Processing Activities (RoPA):

  • Performance of a contract with the data subject.
  • Compliance with a legal obligation.
  • Legitimate interests, balanced against the rights and freedoms of data subjects.
  • Consent, where no other basis applies.

Special category data is processed only where an Article 9 condition applies.

6. Individual rights

[Company Name] honours all UK GDPR rights: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. Requests should be sent to [DPO Email] and are handled within one calendar month under the Subject Access Request Procedure.

7. Security of processing

[Company Name] implements appropriate technical and organisational measures including access control, encryption in transit and at rest, secure backups, vulnerability management and staff training, proportionate to the risk.

8. International transfers

Transfers outside the UK are made only where adequacy applies, or under approved safeguards (UK Addendum, Standard Contractual Clauses, IDTA) supported by a Transfer Risk Assessment.

9. Personal data breaches

All suspected breaches must be reported to [DPO Email] without delay. The DPO assesses notification to the ICO within 72 hours and, where required, to affected data subjects.

10. Training and accountability

All staff complete data protection training on induction and annually thereafter. Records of training, RoPA entries, DPIAs and breach logs are retained as evidence of accountability.

11. Review

This policy is reviewed annually, after any significant change in the law or in [Company Name]'s processing activities, or following a material incident.


Approved by: [Company Owner]
Effective date: [Effective Date]
Next review: [Review Date]
