Make your Free GDPR Documents

In the UK, the main data protection laws are the UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018. All UK businesses (and other organisations, such as charities) need to take care when processing staff or customer personal data and must be aware of their data protection responsibilities and obligations. Creating GDPR-compliant documents helps businesses to meet their data protection obligations.

Which GDPR-compliance documents you will need depends on your business’ specific situation. However, generally speaking, you should use:

• a Privacy policy - if you run a website, to inform website visitors about how you protect their personal data

• a Data protection and security policy - to set out your detailed internal policies and procedures for processing staff and client personal data

• an Employee privacy notice - to inform staff about how you collect, use, retain and disclose personal information in an easily understandable way

• a Consultant privacy notice - to inform consultants about how you collect, store, retain and disclose their personal data

• a Data processing agreement (DPA) - to supplement a master Services agreement by setting out the specifics of how personal data will be processed

• a Data protection impact assessment (DPIA) - to identify and minimise the data protection risks of a project, where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals

• an Appropriate policy document (APD) - where required under a DPIA to outline compliance measures and data retention policies when processing special category or criminal offence personal data

• a Legitimate interest assessment (LIA) - to identify whether you can process personal data on the ground of legitimate interest  

For more information, read Data protection for businesses.

Data processing is any use of personal data other than for personal reasons, like gathering and storing staff of customer personal data for use in your business. 

Personal data is any data about individuals who can personally be identified from that data. Examples include names, addresses and birthdays. 

There is also a further 'special category' of 'sensitive personal data' which is awarded greater protection. Examples include information about sexual life, genetics, and physical or mental health. 

Criminal offence data (ie personal data relating to criminal convictions, criminal offences and related security measures) is treated separately from personal data and special category personal data. It is also subject to stringent controls.

UK businesses that process personal data need to protect that information. 

In order to meet their data protection obligations, businesses must comply with the data protection principles. This means that personal data must be:

• processed in a fair, lawful and transparent manner

• collected for specified, explicit and legitimate purposes (eg consent, performance of a contract or legitimate interest)

• adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed

• accurate and kept up to date

• kept in a form that enables identification of the person to whom it belongs (known as the ‘data subjects’) for no longer than necessary

• processed in a way that ensures it is appropriately secure

• not transferred outside the UK without adequate protection

Failure to comply with your data protection obligations can result in a fine of up to 4% of a business’ total global annual turnover or £17.5 million, whichever is higher. 

For more information, read Complying with the GDRR and follow our How to make a business GDPR-compliant checklist. If you require an evaluation of your data protection practices, consider making use of our Data protection health check.

Ask a lawyer for advice if:

• you do not know which document(s) you need

• the documents do not cover what you need

• you require advice on data protection