GDPR Policy Toolkit

The General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, but are you compliant? It represented the biggest change in data protection law in the previous 20 years and has had a profound effect on the way your organisation gathers, stores, secures and maintains its data. As part of the Brexit agreement, the UK adopted the GDPR into national law as the UK GDPR. Organisations based in the UK, and those handling the personal data of UK residents, must therefore comply with the UK GDPR and the Data Protection Act 2018.

The DPO Centre has compiled the following policy toolkit of core template policy documents that most organisations require as part of their DPA 2018/GDPR compliance.

Click on each of the headings to download the template document.

1. Data Protection Policy
This is an internal document that sets out to your staff what you expect of them when protecting the data your organisation is responsible for.

2. General Privacy Notice
This should be published on your website and alongside any request you make for Personally Identifiable Information (PII). You should therefore tailor a version of this document for your website, employees, suppliers, customers, etc.

3. Data Processor Agreement
The GDPR requires that a written agreement be put in place with your Data Processors. This document should be used when you have an existing contract (or have agreed to a set of terms and conditions) with a third party to which you pass PII (e.g. your payroll bureau), which protects it on your behalf (such as a cloud service provider), or which has access to your data (such as your web development company).

4. Employee Privacy Policy
A policy that sets out how your organisation will use and protect the personal data you hold on your employees. It must be provided to and signed by all employees.

5. General Consent Notice
To be added to any requests for consent to ensure consent is specific, informed, granular, unambiguous, prominent and separate from other terms, as required by the GDPR.

6. Data Sharing Agreement
An agreement put in place between two or more legal entities, to define how data shared between them can be used.

7. Breach Register
A tool used to maintain a record of all breaches that occur within an organisation.

8. Retention Policy
An internal policy document that sets the requirements for how data are stored and archived, and for how long they are retained.

9. Risk Register
An internal document used to record risks identified within your systems and processing activities, so that they become known within your organisation and appropriate decisions on how to mitigate them can be taken.

Important: these documents are only templates and may therefore not suit your precise needs. Any document you base on them should be reviewed by your solicitors before being published.

These documents are provided for use by your organisation only. They may not be used, in whole or in part, for any further commercial purpose.

E&OE.