5 documents to make your business GDPR-compliant

On Wednesday 25 May the General Data Protection Regulation (GDPR) turned 4!

When the GDPR first came into force on 18 May 2018 it drastically changed the data protection landscape and imposed stringent requirements on anyone processing (eg storing or handling) personal data (ie identifiable information relating to individuals, such as names and addresses). Any business handling personal data needs to make sure it complies with its data protection obligations. Read this blog to learn more about the documents that help make your business GDPR-compliant.

Privacy policy

A Website privacy policy is a document that outlines:

  • why your website collects personal data
  • the types of information collected
  • the scope and limitation of data processing on your website

In other words, a privacy policy explains a business’ practices in relation to the collection, storage and use of personal data gathered on a website.

You should have a privacy policy in place if you run any e-commerce, blog or other website that asks users to disclose personal information. As well as reassuring online customers and users, it can also ensure that you have their permission to store cookies on their devices.

Data protection and data security policy

Businesses must comply with data protection rules in relation to any data they process in relation to staff members. Failure to comply with data protection laws in relation to staff could automatically breach other duties employers owe them (eg a serious data protection breach could lead to a contract breach due to a failure in the duty to maintain trust and confidence).

If you employ staff, consider putting in place a Data protection and data security policy, which sets out the policies and procedures your business will comply with when dealing with personal information and data. This document helps:

  • establish a set process that the business will follow, and
  • give confidence to employees and help avoid any potential claims

For more information, read Data protection and employees.

Privacy notice

A privacy notice is a document that explains the ‘what, how, where, why and when?’ of how you process personal data. In other words, it is a statement detailing and explaining to data subjects (ie the people the data relates to) how you collect, use, retain and disclose their personal data.

Consider putting in place an Employee privacy notice to inform your employees, in an easy-to-understand format, about how you process their data. If you engage any consultants, consider putting in place a Consultant privacy notice to inform them about how you process their personal data.

Data protection impact assessment

A Data protection impact assessment (DPIA) is a process designed to help businesses identify and minimise the data protection risks of a project. It is an essential component of a business’ accountability obligation and helps the business assess and demonstrate how it complies with its data protection obligations.

You will need to complete a DPIA where any processing of personal data is likely to result in a high risk (ie potential for any significant physical, material or non-material harm) to the rights and freedoms of individuals. Whether a risk is ‘high risk’ depends on the likelihood and severity of any potential harm to individuals. For example, you will need to carry out a DPIA if you are processing staff health data (eg vaccination status) and that processing is likely to result in a high risk (eg denial of work opportunities). Read Data protection impact assessments for more information.

Data processing agreement

A Data processing agreement (DPA) is an agreement between a data controller (ie the party that decides on the purposes for and means of processing personal data) and a data processor (eg a third-party service provider) that regulates any processing of personal data conducted for business purposes.

Data controllers are required to ensure the protection of any personal data they process. Having a DPA in place helps with this, as it sets out technical requirements for the parties to follow when processing personal data.

You should create a DPA whenever you wish to outsource data processing to a third party, to ensure the safety of the personal data. For more information, read Data processing agreements.

For more information on the GDPR, read Complying with the GDPR, Data protection, Processing personal data and Data protection for businesses. Remember that you can always Ask a lawyer if you have any questions or concerns and do not hesitate to make use of our Legal drafting service if you require a bespoke document.

Rebecca Neumann