When running a business, you’re likely to be using personal data in some form or other, whether it’s personal data of your staff, customers or other business contacts. As soon as you start processing any personal data at all, you’ll need to make sure you comply with data protection law. This includes putting in place appropriate policies and procedures to make sure your business is UK GDPR compliant. This GDPR policy template toolkit provides templates for 8 key data protection policies that your business is likely to need.
What is a GDPR policy template?
You can find all the data protection policies your business is likely to need in our GDPR policy template toolkit. This includes:
- A data protection policy, which sets out what responsibilities your staff are under when they are processing personal data on behalf of your business.
- A staff privacy notice, which sets out the information you are required to give your staff about how you will use their data.
- A staff recruitment privacy notice to use during a recruitment exercise to let job applicants know what personal data you will collect about them and why.
- A data subject request policy, which sets out how your business will deal with requests from individuals about their personal data.
- A personal data breach policy, which governs how your business will deal with a data breach.
- A data protection impact assessment policy, which sets out how you intend to carry out data protection impact assessments when they are necessary.
Steps to generate your own GDPR policy template
- Download the GDPR policy template toolkit
- Read the ‘How-to’ Guide
- Complete the questionnaires to generate bespoke GDPR policies for your business
- Download your completed policies
Do I need a GDPR policy?
The specific GDPR policy templates your business needs will depend on its operations and whether it is a data controller or a data processor. If you are a data controller, you must put in place the measures necessary to comply with your data protection obligations. This includes having appropriate data protection policies to demonstrate how you comply with those obligations. You must also provide the people whose data you hold with some key information: what that data is, what you will do with it, how long you will keep it, what their rights are, etc. In most cases, this will mean having appropriate privacy notices setting out this information.
What is a data controller?
If you use personal data for the purposes of your own business, for example, when you use staff members’ personal details to pay them or customers’ personal details to process their orders for your products or services, your role is known as a data controller. For most businesses, most or all of the data processing they carry out is as a data controller.
Whenever your business handles personal data as a data controller, there are various legal requirements that you must comply with. These obligations extend to any form of using, or processing, the data, covering almost anything you may be doing with it.
Note that you have fewer data protection obligations if you are dealing with personal data on behalf of someone else and in accordance with their instructions (this role is called data processor; see below).
What is a data processor?
You are a data processor if you are dealing with personal data on behalf of someone else and in accordance with their instructions. For example, you may be hired by another company to carry out marketing for it, in which case you will likely be dealing with the personal data of its customers in accordance with its instructions.
If my business is a data controller, what are my data protection obligations?
When using personal data for the purposes of your own business, you must:
- Ensure that you only collect and use personal data which is relevant and necessary in order to fulfil the purpose for which you are collecting it.
- Store any personal data securely and not keep it for longer than necessary, establishing time limits for deleting data or reviewing whether it needs to be deleted.
- Do what you can to make sure that data you hold is accurate and, where necessary, kept up to date; if you become aware that data you hold is inaccurate, then you must erase or amend it without delay.
- Ensure that you have a lawful reason for processing personal data.
- Pay a modest annual fee to the ICO if you qualify to do so.
- Have a procedure to be followed if you receive any request from an individual about the data you hold on them.
- Have comprehensive data protection policies and procedures in place (use our GDPR policy template toolkit to generate bespoke policies for your business).
- Devise and implement a data protection impact assessment (DPIA) procedure to use when your data processing is likely to result in a high risk to the rights and freedoms of individuals.
- Consider whether you need to appoint a data protection officer (DPO) or alternatively a member of staff who takes responsibility for data protection matters within your business.
- Provide appropriate data protection training for staff.
- Keep suitable records to demonstrate your compliance with data protection law.
- Create an internal process to deal with any data breaches (eg the loss, theft or misuse of personal data in your possession) and train your staff to carry it out.
- If you wish to share personal data with another person or business, review your data sharing agreement to ensure it complies with your obligations under the GDPR.
- If you operate an online service which is likely to be accessed by children, ensure that you comply with the ICO’s Age Appropriate Design Code (see our Guide on the Children’s Code).
For detailed guidance on your data protection obligations as a controller, see our Q&A on Data protection obligations.
If my business is a data processor, what are my data protection obligations?
Your business has different data protection obligations when acting as the data processor rather than the data controller. You will have fewer responsibilities than you have when dealing with personal data that you process for your own purposes (eg your own staff data and your own customer or client lists).
Your chief data protection obligations when acting as a data processor are:
- provide appropriate data protection training for staff;
- keep suitable records to demonstrate your compliance with data protection law;
- create an internal process to deal with any data breaches (eg the loss, theft or misuse of personal data in your possession) and train your staff to carry that process out;
- store any personal data securely and do not keep it for longer than necessary;
- consider whether you need to appoint a data protection officer (DPO) or alternatively a member of staff who takes responsibility for data protection matters within your business; and
- if you need to share the data with another person or business, you must first obtain written permission from the business under whose direction you are using the data.
Note that you may also be required to help the person or persons for whom you are processing the data to carry out a DPIA where necessary.
For detailed guidance on your data protection obligations as a processor, see our Q&A on Data protection obligations.
What happens if I don’t comply with my UK GDPR obligations?
Your UK GDPR obligations are ongoing, so you will need to ensure that you continually keep your processes under review. Failure to comply with data protection law can have serious financial and reputational consequences for your business, including fines of up to £17.5 million or 4% of your global annual turnover (whichever is higher) in some cases. It is therefore important to take your obligations seriously.
Can I insure against fines for failing to follow data protection law?
Probably not. Fines for breaching your data protection obligations can potentially be very damaging, the maximum amount being £17.5 million or 4% of your annual global turnover, depending on the type of breach. Even if you can find an insurer who will provide affordable coverage for these fines, any such policy is likely to ultimately prove legally unenforceable if you try to make a claim. The main reason for this is that the fine is intended to have a deterrent effect, and if businesses are able to mitigate the risk of a fine by having insurance, the deterrent effect will be lost.
How does Brexit affect my GDPR policy template?
Following the UK’s exit from the EU on 31 January 2020, there was a transition period until 31 December 2020 during which the EU and the UK were negotiating their future relationship. During this period, there were no immediate changes to data protection law in the UK and the GDPR continued to apply. From 1 January 2021, the EU GDPR has been retained in UK law as the UK GDPR.
In practical terms, this means that your key data protection obligations remain the same and you should generally continue to follow existing guidance. The ICO has advised that businesses which were already complying with their data protection obligations prior to Brexit and which have no contacts or customers in the EEA will not have much more to do now that the transition period is over. You should, however, review your data protection policies to make any amendments required to ensure that they work in a UK-only context (eg by removing references to EU law); our GDPR policy templates are UK GDPR compliant.
However, if your business does have contacts or customers in the EEA or internationally then you may need to take additional steps to ensure data protection compliance following Brexit. Our Q&A on Data protection obligations provides guidance about what steps you should take.