
How to create GDPR documents

In the UK, the main data protection laws are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. All UK businesses (and other organisations, such as charities) need to take care when processing staff or customer personal data and must be aware of their data protection responsibilities and obligations. Creating GDPR-compliant documents helps businesses to meet these obligations and to demonstrate compliance if the Information Commissioner's Office (ICO) asks how personal data is handled.

Which GDPR-compliance documents you will need depends on your business’ specific situation. However, generally speaking, you should use:

For more information, read Data protection for businesses.

Data processing is any use of personal data other than for purely personal or household reasons, such as collecting and storing staff or customer personal data for use in your business.

Personal data is any information relating to an individual who can be identified from it, either directly or in combination with other information. Examples include names, addresses and dates of birth.

There is also a further 'special category' of personal data (often called 'sensitive personal data') which is given greater protection. Examples include information about sexual life, genetic data, and physical or mental health.

Criminal offence data (ie personal data relating to criminal convictions, criminal offences and related security measures) is treated separately from personal data and special category personal data. It is also subject to stringent controls.

UK businesses that process personal data need to protect that information. 

In order to meet their data protection obligations, businesses must comply with the data protection principles. This means that personal data must be:

  • processed in a fair, lawful and transparent manner (ie on a valid lawful basis, such as consent, performance of a contract or legitimate interests)

  • collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes

  • adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed

  • accurate and kept up to date

  • kept in a form that allows identification of the person it relates to (the 'data subject') for no longer than necessary

  • processed in a way that ensures it is appropriately secure

  • not transferred outside the UK without adequate protection

Failure to comply with your data protection obligations can result in a fine of up to £17.5 million or 4% of a business's total global annual turnover, whichever is higher.

For more information, read Complying with the GDPR and follow our How to make a business GDPR-compliant checklist. If you require an evaluation of your data protection practices, consider making use of our Data protection health check.

Ask a lawyer for advice if:

  • you do not know which document(s) you need

  • the documents do not cover what you need

  • you require advice on data protection

Other names for GDPR documents

GDPR-compliant documents, Documents for GDPR compliance, Website privacy policy, Data protection policy, Privacy notice, Fair processing statement, Privacy impact assessments, Legitimate interest impact assessment.