What is included in a GDPR document?

These GDPR document templates cover a variety of different types of information, including: the organisation’s details the types of personal data covered how personal data is processed how transfers of data outside of the UK or European Economic Area (EEA) are made data retention periods the rights of data subjects (ie private individuals) in relation to their personal data

Which GDPR Document do I need?

Which GDPR-compliance documents you will need depends on your specific situation. However, generally speaking, you should use: a Privacy policy - if you run a website, to inform website visitors about how you protect their personal data a Data protection and security policy - to set out your detailed internal policies and procedures for processing staff and client personal data an Employee privacy notice - to inform staff about how you collect, use, retain and disclose personal information in an easily understandable way a Consultant privacy notice - to inform consultants about how you collect, store, retain and disclose their personal data a Data processing agreement (DPA) - to supplement a master Services agreement by setting out the specifics of how personal data will be processed a Data protection impact assessment (DPIA) - to identify and minimise the data protection risks of a project, where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals an Appropriate policy document (APD) - where required under a DPIA to outline compliance measures and data retention policies used when processing special category or criminal offence personal data a Legitimate interest assessment (LIA) - to identify whether you can process personal data on the ground of legitimate interest For more information, read Data protection for businesses .

What are personal data and data processing?

Data processing is any use of personal data other than for personal reasons, like gathering and storing staff or customer personal data for use in your organisation. Personal data is any data about individuals who can personally be identified from that data. Examples include names, addresses and birthdates. There is also a further 'special category' of 'sensitive personal data' , which is awarded greater protection. Examples include information about sexual life, genetics, and physical or mental health. Criminal offence data (ie personal data relating to criminal convictions, criminal offences, and related security measures) is treated separately from personal data and special category personal data. It is also subject to stringent controls.

What are my data protection obligations?

UK businesses that process personal data need to protect that information. In order to meet their data protection obligations, organisations must comply with the data protection principles . This means that personal data must be: processed in a fair, lawful and transparent manner (eg justified by a lawful basis such as consent , performance of a contract, or legitimate interest) collected only for specified, explicit and legitimate purposes adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed accurate and kept up to date kept in a form that enables identification of the person to whom it belongs (known as the ‘data subject’) for no longer than necessary processed in a way that ensures it is appropriately secure not transferred outside the UK without adequate protection Failure to comply with your data protection obligations can result in a fine of up to 4% of an organisation’s total global annual turnover or of £17.5 million, whichever is higher. For more information, read Complying with the GDRR and follow our How to make a business GDPR-compliant checklist . If you require an evaluation of your data protection practices, consider making use of our Data protection health check .

MAKE YOUR FREE GDPR Documents

Make Your Document In 3 Easy Steps:

Build your document

Answer a few questions to customise your document in minutes

Save now, finish later

Start now and save your progress, finish on any device

Download, print & share

Store securely, share online and make copies

OTHER NAMES GDPR documentation GDPR compliant documents Documents for GDPR compliance Data protection documents UK GDPR document

What are GDPR Documents?

In the UK, the main data protection laws are the UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018. All UK organisations (eg businesses and charities) need to take care when processing staff or customer personal data and must be aware of their data protection responsibilities and obligations. Creating GDPR-compliant documents helps organisations to comply with their legal obligations.

When should I use a GDPR document?

Use these GDPR Documents:

if you are a business (or other organisation) operating in the UK
if you process (eg store or handle) personal data (eg staff members’ or customers’ names and addresses)
to comply with your data protection obligations under the UK’s data protection laws

These documents have been customised over 247.1K times

Complies with relevant laws

Ask a lawyer questions about your document

Data Protection and Data Security Policy

Statement and purpose of policy

(the Employer) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
We confirm for the purposes of the data protection laws, that the Employer is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
The purpose of this policy is to help us achieve our data protection and data security aims by:
1. notifying our staff of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information;
2. setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
3. clarifying the responsibilities and duties of staff in respect of data protection and data security.
This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
For the purposes of this policy:
1. Data protection laws means all applicable laws relating to the processing of personal data, including, for the period during which it is in force, the UK General Data Protection Regulation.
2. Data subject means the individual to whom the personal data relates.
3. Personal data means any information that relates to an individual who can be identified from that information.
4. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
5. Special categories of personal data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

Data protection principles

Staff whose work involves using personal data relating to Staff or others must comply with this policy and with the following data protection principles which require that personal information is:
1. processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
2. collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data, we must first tell the data subject.
3. processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
4. accurate and the Employer takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
5. kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the .
6. secure, and appropriate measures are adopted by the Employer to ensure as such.

Who is responsible for data protection and data security?

Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
Questions about this policy, or requests for further information, should be directed to the .
All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

What personal data and activities are covered by this policy?

This policy covers personal data:
1. which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
2. is stored electronically or on paper in a filing system;
3. in the form of statements of opinion as well as facts;
4. which relates to Staff (present, past or future) or to any other individual whose personal data we handle or control;
5. which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
This personal data is subject to the legal safeguards set out in the data protection laws.

What personal data do we process about Staff?

We collect personal data about you which:
1. you provide or we gather before or during your employment or engagement with us;
2. is provided by third parties, such as references or information from suppliers or another party that we do business with; or
3. is in the public domain.
The types of personal data that we may collect, store and use about you include records relating to your:
1. home address, contact details and contact details for your next of kin;
2. recruitment (including your application form or curriculum vitae, references received and details of your qualifications);
3. pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
4. telephone, email, internet, fax or instant messenger use;
5. performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.

Sensitive personal data

We may from time to time need to process sensitive personal information (sometimes referred to as 'special categories of personal data').
We will only process sensitive personal information if:
1. we have a lawful basis for doing so, eg it is necessary for the performance of the employment contract; and
2. one of the following special conditions for processing personal information applies:
  1. the data subject has given explicit consent.
  2. the processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject.
  3. the processing is necessary to protect the data subject's vital interests, and the data subject is physically incapable of giving consent.
  4. processing relates to personal data which are manifestly made public by the data subject.
  5. the processing is necessary for the establishment, exercise, or defence or legal claims; or
  6. the processing is necessary for reasons of substantial public interest.
Before processing any sensitive personal information, Staff must notify the of the proposed processing, in order for the to assess whether the processing complies with the criteria noted above.
Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
Our Privacy Notice sets out the type of sensitive personal information that we process, what it is used for and the lawful basis for the processing.

How we use your personal data

We will tell you the reasons for processing your personal data, how we use such information and the legal basis for processing in our Privacy Notice. We will not process Staff personal information for any other reason.
In general, we will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including, but not limited to:
1. Sickness records: to maintain a record of your sickness absence and copies of any doctor's notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
2. Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
3. Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
4. Performance reviews: to carry out performance reviews.

Accuracy and relevance

We will:
1. ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
2. not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.
If you consider that any information held about you is inaccurate or out of date, then you should tell the . If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.

Storage and retention

Personal data (and sensitive personal information) will be kept securely in accordance with our
The periods for which we hold personal data are contained in our Privacy Notices.

Individual rights

You have the following rights in relation to your personal data.
Subject access requests:
1. You have the right to make a subject access request. If you make a subject access request, we will tell you:
  1. whether or not your personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
  2. to whom your personal data is or may be disclosed.
  3. for how long your personal data is stored (or how that period is decided);
  4. your rights of rectification or erasure of data, or to restrict or object to processing;
  5. your right to right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and
  6. whether or not we carry out automated decision-making and the logic involved in any such decision making.
2. We will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.
3. To make a subject access request, contact us at .
4. We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.
5. We will normally respond to your request within 28 days from the date your request is received. In some cases, eg where there is a large amount of personal data being processed, we may respond within 3 months of the date your request is received. We will write to you within 28 days of receiving your original request if this is the case.
6. If your request is manifestly unfounded or excessive, we are not obliged to comply with it.
Other rights:
1. You have a number of other rights in relation to your personal data. You can require us to:
  1. rectify inaccurate data;
  2. stop processing or erase data that is no longer necessary for the purposes of processing;
  3. stop processing or erase data if your interests override our legitimate grounds for processing the data (where we rely on our legitimate interests as a reason for processing data);
  4. stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Employer's legitimate grounds for processing the data.
2. To request that we take any of these steps, please send the request to .

Data security

We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Maintaining data security means making sure that:
1. only people who are authorised to use the information can access it;
2. where possible, personal data is pseudonymised or encrypted;
3. information is accurate and suitable for the purpose for which it is processed; and
4. authorised persons can access information if they need it for authorised purposes.
By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
Personal information must not be transferred to any person to process (eg while performing services for us on or our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
Security procedures include:
1. Any desk or cupboard containing confidential information must be kept locked.
2. Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
3. Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
4. The must approve of any cloud used to store data.
5. Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
6. All servers containing sensitive personal data must be approved and protected by security software.
7. Servers containing personal data must be kept in a secure location, away from general office space.
8. Data should be regularly backed up in line with the Employer's back-up procedure.
Telephone precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
1. the identity of any telephone caller must be verified before any personal information is disclosed;
2. if the caller's identity cannot be verified satisfactorily then they should be asked to put their query in writing;
3. do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the .
Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.

Data impact assessments

Some of the processing that the Employer carries out may result in risks to privacy.
Where processing would result in a high risk to Staff rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data breaches

If we discover that there has been a breach of Staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.
We will record all data breaches regardless of their effect in accordance with our Breach Response Policy.
If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures it has taken.

Individual responsibilities

Staff are responsible for helping the Employer keep their personal data up to date.
Staff should let the Employer know if personal data provided to the Employer changes, eg if you move house or change your bank details.
You may have access to the personal data of other Staff members and of our customers in the course of your employment. Where this is the case, the Employer relies on Staff members to help meet its data protection obligations to Staff and to customers.
Individuals who have access to personal data are required:
1. to access only personal data that they have authority to access and only for authorised purposes;
2. not to disclose personal data except to individuals (whether inside or outside of the Employer) who have appropriate authorisation;
3. to keep personal data secure (eg by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
4. not to remove personal data, or devices containing or that can be used to access personal data, from the Employer's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
5. not to store personal data on local drives or on personal devices that are used for work purposes.

Training

We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.

Attribution

This data protection and data security was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).

Our quality guarantee

We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.

Need help? No problem!

Ask a question for free or get affordable legal advice from our lawyer.

Steps to make your free GDPR document

Make your document

Create your document by following Rocket Lawyer’s step by step interview process. If you need to edit your answers after creating your document, you can return to the interview to do so. Get started now!
Check and agree

Read your GDPR document to make sure it meets your needs. Remember that if you have any questions you can easily Ask a lawyer.
Sign to make it legal

Depending on which GDPR document you are making, each party involved may need to sign it. In most cases, your document can be signed online using RocketSign or in print.
Securely sign online and invite others to sign with RocketSign®
Publish

Depending on which GDPR document you are making, you should generally make your document easily available to your staff members. For example, by including it in induction packs, attaching it to their Employment contracts, including it in a Staff handbook, or by emailing it to them.
Store your document

Keep a record of your GDPR Document. A copy will be stored automatically in your Rocket Lawyer account ‘Dashboard’.
Important details
- Ensure that your GDPR document accurately reflects how your organisation processes personal data.
- Take steps to regularly review your GDPR document to ensure it remains applicable. Keep a record of all previous GDPR Documents your business has used.

Try Rocket Lawyer FREE for 7 days

Start your Premium Membership now and get legal services you can trust at prices you can afford. You’ll get:

All the legal documents you need—customise, share, print & more

Unlimited electronic signatures with RocketSign^®

Ask a lawyer questions* and get a response within one business day

Access to legal guides on 100s of topics

A 30-minute consultation with a lawyer about any new issue

33% off hourly rates or a fixed price if you need further legal help

Try it free for 7 days

SEE MEMBERSHIP DETAILS

*Subject to terms and conditions

FAQs about making GDPR Documents

Collapse all

Expand all

What is included in a GDPR document?
These GDPR document templates cover a variety of different types of information, including:
- the organisation’s details
- the types of personal data covered
- how personal data is processed
- how transfers of data outside of the UK or European Economic Area (EEA) are made
- data retention periods
- the rights of data subjects (ie private individuals) in relation to their personal data
Which GDPR Document do I need?
Which GDPR-compliance documents you will need depends on your specific situation. However, generally speaking, you should use:
- a Privacy policy - if you run a website, to inform website visitors about how you protect their personal data
- a Data protection and security policy - to set out your detailed internal policies and procedures for processing staff and client personal data
- an Employee privacy notice - to inform staff about how you collect, use, retain and disclose personal information in an easily understandable way
- a Consultant privacy notice - to inform consultants about how you collect, store, retain and disclose their personal data
- a Data processing agreement (DPA) - to supplement a master Services agreement by setting out the specifics of how personal data will be processed
- a Data protection impact assessment (DPIA) - to identify and minimise the data protection risks of a project, where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals
- an Appropriate policy document (APD) - where required under a DPIA to outline compliance measures and data retention policies used when processing special category or criminal offence personal data
- a Legitimate interest assessment (LIA) - to identify whether you can process personal data on the ground of legitimate interest
For more information, read Data protection for businesses.
What are personal data and data processing?

Data processing is any use of personal data other than for personal reasons, like gathering and storing staff or customer personal data for use in your organisation.

Personal data is any data about individuals who can personally be identified from that data. Examples include names, addresses and birthdates.

There is also a further 'special category' of 'sensitive personal data', which is awarded greater protection. Examples include information about sexual life, genetics, and physical or mental health.

Criminal offence data (ie personal data relating to criminal convictions, criminal offences, and related security measures) is treated separately from personal data and special category personal data. It is also subject to stringent controls.
What are my data protection obligations?
UK businesses that process personal data need to protect that information.

In order to meet their data protection obligations, organisations must comply with the data protection principles. This means that personal data must be:
- processed in a fair, lawful and transparent manner (eg justified by a lawful basis such as consent, performance of a contract, or legitimate interest)
- collected only for specified, explicit and legitimate purposes
- adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
- accurate and kept up to date
- kept in a form that enables identification of the person to whom it belongs (known as the ‘data subject’) for no longer than necessary
- processed in a way that ensures it is appropriately secure
- not transferred outside the UK without adequate protection
Failure to comply with your data protection obligations can result in a fine of up to 4% of an organisation’s total global annual turnover or of £17.5 million, whichever is higher.

For more information, read Complying with the GDRR and follow our How to make a business GDPR-compliant checklist. If you require an evaluation of your data protection practices, consider making use of our Data protection health check.

Ask a lawyer

Get quick answers from lawyers, easily.

Rocket Lawyer On Call<sup>™</sup> Solicitors — Rocket Lawyer On Call^™ Solicitors

About GDPR Documents

Learn more about making your GDPR Document

Collapse all

Expand all

How to make a GDPR Document
Making a GDPR Document online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.

What information you need to make your GDPR Document will depend on the document in question. However, the types of questions you may be asked include:

Party details
- What are your organisation’s details (eg its legal structure, name and address)?
- Who has overall responsibility for data protection compliance in your organisation? Is it the Data Protection Officer (DPO) or another person?
Data protection
- What types of personal data are being processed and why?
- Who are the data subjects (ie the people to which the data relates)?
Data transfers
- Will personal data be transferred outside of the UK and the European Economic Area (EEA)?
Data retention
- Where is information on how data is stored securely set out (eg in a data retention policy)?
Collapse
Common terms in a GDPR Document
GDPR Documents are designed to help organisations comply with their data protection obligations under the law. While the terms of GDPR Documents vary depending on the document in question, examples of provisions include:

Data protection principles

This section sets out the data protection principles under the UK GDPR and how the organisation complies with them.

Data retention

This section details for how long an organisation stores personal data before deleting it.

International transfers of personal data

This section discusses international data transfers (ie transfers of personal data to organisations based outside of the UK). It details when, if at all, such international transfers can be made.

Rights of data subjects

This section sets out the rights that data subjects have in relation to their personal data. Data subjects have various rights, which include the rights to:
If you want your GDPR Document to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the GDPR Document for you to ensure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Collapse
Legal tips for making a GDPR Document
Ensure that you have a legal basis for processing all personal data

Under data protection law anyone who processes personal data must have a legal basis for doing so. Data protection laws set out specific legal grounds that permit the processing of personal data. Examples include the processing being in the public interest, the processing being necessary for compliance with a legal obligation (eg workplace health and safety obligations), or the data subject consenting to the processing.

Before you process any personal data, you must make sure that you can rely on a legal basis for processing.

Ensure your organisation is entirely GDPR-compliant

The laws on data protection are complex and, as an organisation, it is fundamental that you comply with all applicable aspects of data protection requirements. While making all necessary GDPR Documents is an important step towards ensuring data protection compliance, you should consider seeking specialist advice on how to implement data protection practices for your situation. Failure to comply with your data protection obligations can result in steep fines and further penalties. Consider following our How to make a business GDPR-compliant checklist and making use of our GDPR compliance service.

Understand when to seek advice from a lawyer

Ask a lawyer for advice if:
- you do not know which document(s) you need
- these GDPR Documents do not cover what you need
- you require advice on data protection
Collapse

Make your free GDPR Document now!

Answer a few simple questions to make your document.

Make document

Legal sources

These GDPR Documents are governed by the laws of England and Wales or Scotland. Find some of the sources and laws relevant to your GDPR Document below:

Data Protection Act 2018
Regulation (EU) 2016/679, known as the ‘UK General Data Protection Regulation’, ‘UK GDPR’ or simply ‘GDPR’

Build your document

Save now, finish later

Download, print & share

What are GDPR Documents?

When should I use a GDPR document?

What we'll cover

Data Protection and Data Security Policy

Statement and purpose of policy

Data protection principles

Who is responsible for data protection and data security?

What personal data and activities are covered by this policy?

What personal data do we process about Staff?

Sensitive personal data

How we use your personal data

Accuracy and relevance

Storage and retention

Individual rights

Data security

Data impact assessments

Data breaches

Individual responsibilities

Training

Attribution

Our quality guarantee

Need help? No problem!

Make it Legal™ checklist

Steps to make your free GDPR document

Make your document

Check and agree

Sign to make it legal

Securely sign online and invite others to sign with RocketSign®

Publish

Store your document

Important details

Related documents

Rocket Lawyer members who started a free GDPR document also made:

Employee Handbook

Employment Contract

Terms and Conditions

Website Terms and Conditions

Looking for something else?