Make Your Document In 3 Easy Steps:
These GDPR document templates cover a variety of different types of information, including:
the organisation’s details
the types of personal data covered
how personal data is processed
how transfers of data outside of the UK or European Economic Area (EEA) are made
Which GDPR-compliance documents you will need depends on your specific situation. However, generally speaking, you should use:
a Data protection and security policy - to set out your detailed internal policies and procedures for processing staff and client personal data
a Data protection impact assessment (DPIA) - to identify and minimise the data protection risks of a project, where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals
an Appropriate policy document (APD) - where required under a DPIA to outline compliance measures and data retention policies used when processing special category or criminal offence personal data
For more information, read Data protection for businesses.
Data processing is any use of personal data for other than purely personal reasons, such as gathering and storing staff or customer personal data for use in your organisation.
Personal data is any data about individuals who can personally be identified from that data. Examples include names, addresses and birthdates.
There is also a further 'special category' of 'sensitive personal data', which is awarded greater protection. Examples include information about sexual life, genetics, and physical or mental health.
Criminal offence data (ie personal data relating to criminal convictions, criminal offences, and related security measures) is treated separately from personal data and special category personal data. It is also subject to stringent controls.
UK businesses that process personal data need to protect that information.
In order to meet their data protection obligations, organisations must comply with the data protection principles. This means that personal data must be:
processed in a fair, lawful and transparent manner (eg justified by a lawful basis such as consent, performance of a contract, or legitimate interest)
collected only for specified, explicit and legitimate purposes
adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
accurate and kept up to date
kept in a form that permits identification of the person to whom it relates (known as the ‘data subject’) for no longer than necessary
processed in a way that ensures it is appropriately secure
not transferred outside the UK without adequate protection
Failure to comply with your data protection obligations can result in a fine of up to 4% of an organisation’s total global annual turnover or of £17.5 million, whichever is higher.
For more information, read Complying with the GDPR and follow our How to make a business GDPR-compliant checklist. If you require an evaluation of your data protection practices, consider making use of our Data protection health check.
Making a GDPR Document online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
What information you need to make your GDPR Document will depend on the document in question. However, the types of questions you may be asked include:
What are your organisation’s details (eg its legal structure, name and address)?
Who has overall responsibility for data protection compliance in your organisation? Is it the Data Protection Officer (DPO) or another person?
What types of personal data are being processed and why?
Who are the data subjects (ie the people to whom the data relates)?
Will personal data be transferred outside of the UK and the European Economic Area (EEA)?
Where is information on how data is stored securely set out (eg in a data retention policy)?
GDPR Documents are designed to help organisations comply with their data protection obligations under the law. While the terms of GDPR Documents vary depending on the document in question, examples of provisions include:
Data protection principles
This section sets out the data protection principles under the UK GDPR and how the organisation complies with them.
This section details how long an organisation stores personal data before deleting it.
International transfers of personal data
This section discusses international data transfers (ie transfers of personal data to organisations based outside of the UK). It details when, if at all, such international transfers can be made.
Rights of data subjects
This section sets out the rights that data subjects have in relation to their personal data. Data subjects have various rights, which include the rights to:
If you want your GDPR Document to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the GDPR Document for you to ensure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Ensure that you have a legal basis for processing all personal data
Under data protection law, anyone who processes personal data must have a legal basis for doing so. Data protection laws set out specific legal grounds that permit the processing of personal data. Examples include the processing being in the public interest, the processing being necessary for compliance with a legal obligation (eg workplace health and safety obligations), or the data subject consenting to the processing.
Before you process any personal data, you must make sure that you can rely on a legal basis for processing.
Ensure your organisation is entirely GDPR-compliant
The laws on data protection are complex and, as an organisation, it is essential that you comply with all applicable data protection requirements. While making all necessary GDPR Documents is an important step towards ensuring data protection compliance, you should consider seeking specialist advice on how to implement data protection practices for your situation. Failure to comply with your data protection obligations can result in steep fines and further penalties. Consider following our How to make a business GDPR-compliant checklist and making use of our GDPR compliance service.
Understand when to seek advice from a lawyer
Ask a lawyer for advice if:
you do not know which document(s) you need
these GDPR Documents do not cover what you need
you require advice on data protection