This article provides guidance on writing your own GDPR/DPA18 Policy and utilises the requirements set out under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18).
What is a Data Protection Policy?
The GDPR advises that controllers must implement appropriate technical and organisational measures to comply with the GDPR; with those measures being reviewed and updated where necessary. Article 24(2) notes that “Where proportionate in relation to processing activities, the measures […] shall include the implementation of appropriate data protection policies”.
A policy document summarises an organisation’s scope, responsibilities, objectives and controls for achieving specified goals in relation to the policy topic. Procedures are the steps and actions that enable the organisation to achieve those objectives and comply with any legislation or regulations. Policies and procedures are designed to influence business functions, decisions and actions.
When considering how to write a GDPR data protection policy, you can have a standalone Data Protection Policy, with measures, controls and procedures being included in other procedural documents; or you can develop a Data Protection Policy & Procedures document covering both aspects. As the GDPR covers such vast areas of data protection compliance, it is a good idea to have separate policies and procedures for areas such as data breaches, retention, transfers and subject rights.
What to Include in your Data Protection Policy
Whilst every company creates its policies in a bespoke manner, and a GDPR data protection policy should include content and objectives specific to the company’s industry and business type, the GDPR specifies a large array of areas that must be complied with and documented, which can form the basis for your GDPR policy template.
Common sections for a Data Protection Policy Template include:
- Introduction
- Purpose and Policy Statement
- Scope
- Definitions
- Objectives
- Guidelines
- Responsibilities
The GDPR procedures should provide the processes (or a summary, if the full process is documented elsewhere) for complying with the GDPR. These can include (but are not limited to):
- Legal Basis for Processing
- Processing Personal and Special Category Data
- Privacy By Design
- Technical & Organisational Measures
- Records of Processing Activities
- Data Protection Officer
- Subject Access Rights
- Privacy Notices
- International Transfers
- Data Retention & Schedule
- Data Breaches
- Data Protection Impact Assessments
Help with your GDPR Data Protection Policy Template
Some organisations are utilising their existing Data Protection Policy and updating it to comply with the GDPR and Data Protection Bill, while others are starting from scratch and creating data protection policies and procedures that meet the new requirements and legislation.
If you are unsure of how to develop your Data Protection Policy, or are looking for ready-to-use templates that are fully customisable, our GDPR Documentation Toolkit and GDPR document bundles all contain our extensive Data Protection Policy & Procedures, along with bespoke policies for retention, breaches, transfers, DPO duties, Privacy Notices and much more.
Visit our GDPR Toolkit comparison page to see what is included in each set and how our straightforward, customisable GDPR documentation templates can save you time and money in your GDPR implementation and preparation. Our documents are used by thousands of organisations, from global names, universities, the NHS and government sectors through to micro-businesses and SMEs.
GDPR After Brexit
The UK officially left the European Union (EU) on 31st January 2020 and entered into the transition period of Brexit, which is currently due to end on 31st December 2020. During the transition period, the GDPR will still apply to any business and organisation that processes personal data.
As the GDPR is an EU Regulation, technically it will not apply to the UK after the transition period; however, the Government intends to write the GDPR into UK law via the existing Data Protection Act 2018 (DPA18), making this the ‘UK GDPR’. This would mean that the existing regulations would still apply to UK businesses after the end of December 2020.
You can find extensive guidance on data protection after Brexit on the ICO website.
It is important to understand that the EU version of the GDPR may still apply directly to you if:
- you operate in Europe
- you offer goods or services to individuals in Europe
- you monitor the behaviour of individuals in Europe
We have ensured that all of our current DPA18/GDPR templates and packages comply with both the GDPR and the UK’s DPA18, meaning the content will be compliant before and after the transition period. Where any amendments are made to the GDPR once it is written into UK law, our documents will be updated and provided to existing customers at no charge.