Posted on January 5, 2021
When running a business, you’re likely to be using personal data in some form or other, whether it’s personal data of your staff, customers or other business contacts. As soon as you start processing any personal data at all, you’ll need to make sure you comply with data protection law. This includes putting in place appropriate policies and procedures to make sure your business is UK GDPR compliant. This GDPR policy template toolkit provides templates for 8 key data protection policies that your business is likely to need.
A GDPR policy template is a document setting out a business’s policy for complying with data protection law. It could refer to one of several different types of GDPR policies, including a privacy policy, a data protection policy or a cookie policy. Putting in place appropriate GDPR policies helps your business to demonstrate that it has put in place appropriate organisational measures to comply with data protection law.
You can find all the data protection policies your business is likely to need in our GDPR policy template toolkit. This includes:
A privacy policy (see our definitive guide to privacy policy templates for everything you need to know), which sets out the information you are required to give to people about how you will use their data.
A cookie policy, which lets users of your website or app know how you use cookies (see our cookie policy guide to find out more).
A data protection policy, which sets out what responsibilities your staff are under when they are processing personal data on behalf of your business.
A staff privacy notice, which sets out the information you are required to give your staff about how you will use their data.
A staff recruitment privacy notice to use during a recruitment exercise to let job applicants know what personal data you will collect about them and why.
A subject request management policy, which sets out how your business will deal with requests from individuals about their personal data.
A personal data breach policy, which governs how your business will deal with a data breach.
A data protection impact assessment policy, which sets out how you intend to carry out data protection impact assessments when they are necessary.
Download the GDPR policy template toolkit
Read the ‘How-to’ Guide
Complete the questionnaires to generate bespoke GDPR policies for your business
Download your completed policies
The specific GDPR policy templates your business needs will depend on its operations and on whether it is a data controller or a data processor. If you are a data controller, you must put in place the measures necessary to comply with your data protection obligations. This includes having appropriate data protection policies to demonstrate how you comply with those obligations. You must also give the people whose data you hold some key information: what that data is, what you will do with it, how long you will keep it, what their rights are, and so on. In most cases, this will mean having appropriate privacy notices setting out this information.
If you use personal data for your own business purposes, for example when you use staff members’ personal details to pay them or customers’ personal details to process their orders for your products or services, your role is known as a data controller. For most businesses, most or all of the data processing they carry out is as a data controller.
Whenever your business handles personal data as a data controller, there are various legal requirements that you must comply with. These obligations extend to any form of using, or processing, the data, covering almost anything you may be doing with it.
Note that you have fewer data protection obligations if you are dealing with personal data on behalf of someone else and in accordance with their instructions (this role is called a data processor; see below).
Your business has different data protection obligations when acting as the data processor rather than the data controller. You will have fewer responsibilities than you have when dealing with personal data that you process for your own purposes (eg your own staff data and your own customer or client lists).
Your chief data protection obligations when acting as a data processor are:
provide an appropriate data protection policy for staff;
keep suitable records to demonstrate your compliance with data protection law;
create an internal process to deal with any data breaches (eg the loss, theft or misuse of personal data in your possession) and train your staff to carry that process out;
store any personal data securely and do not keep it for longer than necessary;
consider whether you need to appoint a data protection officer (DPO) or alternatively a member of staff who takes responsibility for data protection matters within your business; and
if you need to share the data with another person or business, you need to get written permission from the business under whose direction you are using the data.
Note that you may also be required to help the person or persons for whom you are processing the data to carry out a DPIA where necessary.
For detailed guidance on your data protection obligations as a processor, see our Q&A on Data protection obligations.
Your UK GDPR obligations are ongoing, so you will need to ensure that you continually keep your processes under review. Failure to comply with data protection law can have serious financial and reputational consequences for your business, including fines of up to £17.5 million or 4% of your global annual turnover (whichever is higher) in some cases. It is therefore important to take your obligations seriously.
Probably not. Fines for breaching your data protection obligations can potentially be very damaging, the maximum amount being £17.5 million or 4% of your annual global turnover, depending on the type of breach. Even if you can find an insurer who will provide affordable coverage for these fines, any such policy is likely to ultimately prove legally unenforceable if you try to make a claim. The main reason for this is that the fine is intended to have a deterrent effect and if businesses are able to mitigate against the risk of a fine by having insurance, the deterrent effect will be lost.