MAKE YOUR FREE GDPR Documents
What are GDPR Documents?
In the UK, the main data protection laws are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. All UK organisations (eg businesses and charities) need to take care when processing staff or customer personal data and must be aware of their data protection responsibilities and obligations. Creating GDPR-compliant documents helps organisations to comply with their legal obligations.
These documents are GDPR compliant.
When should I use a GDPR document?
Use these GDPR Documents:
-
if you are a business (or other organisation) operating in the UK
-
if you process (eg store or handle) personal data (eg staff members’ or customers’ names and addresses)
-
to comply with your data protection obligations under the UK’s data protection laws
About GDPR Documents
Learn more about making your GDPR Document
-
How to make a GDPR Document
Making a GDPR Document online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
What information you need to make your GDPR Document will depend on the document in question. However, the types of questions you may be asked include:
Party details
-
What are your organisation’s details (eg its legal structure, name and address)?
-
Who has overall responsibility for data protection compliance in your organisation? Is it the Data Protection Officer (DPO) or another person?
Data protection
-
What types of personal data are being processed and why?
-
Who are the data subjects (ie the people to whom the data relates)?
Data transfers
-
Will personal data be transferred outside of the UK and the European Economic Area (EEA)?
Data retention
-
Where are your rules on how long personal data is kept and how it is stored securely set out (eg in a Data retention policy)?
Common terms in a GDPR Document
GDPR Documents are designed to help organisations comply with their data protection obligations under the law. While the terms of GDPR Documents vary depending on the document in question, examples of provisions include:
Data protection principles
This section sets out the data protection principles under the UK GDPR and how the organisation complies with them.
Data retention
This section details for how long an organisation stores personal data before deleting it.
International transfers of personal data
This section discusses international data transfers (ie transfers of personal data to organisations based outside of the UK). It details when, if at all, such international transfers can be made.
Rights of data subjects
This section sets out the rights that data subjects have in relation to their personal data. Data subjects have various rights, which include the rights to:
-
make a data subject access request (DSAR) to obtain a copy of the personal data an organisation holds about them
-
have their personal data erased (the ‘right to erasure’) by making a Data erasure request
If you want your GDPR Document to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the GDPR Document for you to ensure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Legal tips for making a GDPR Document
Ensure that you have a legal basis for processing all personal data
Under data protection law, anyone who processes personal data must have a lawful basis for doing so. Data protection laws set out specific lawful bases that permit the processing of personal data. Examples include the processing being necessary for a task carried out in the public interest, the processing being necessary for compliance with a legal obligation (eg workplace health and safety obligations), or the data subject consenting to the processing.
Before you process any personal data, you must make sure that you can rely on a legal basis for processing.
Ensure your organisation is entirely GDPR-compliant
The laws on data protection are complex and, as an organisation, it is fundamental that you comply with all applicable aspects of data protection requirements. While making all necessary GDPR Documents is an important step towards ensuring data protection compliance, you should consider seeking specialist advice on how to implement data protection practices for your situation. Failure to comply with your data protection obligations can result in steep fines and further penalties. Consider following our How to make a business GDPR-compliant checklist and making use of our GDPR compliance service.
Understand when to seek advice from a lawyer
Ask a lawyer for advice if:
-
you do not know which document(s) you need
-
these GDPR Documents do not cover what you need
-
you require advice on data protection
GDPR Documents FAQs
What is included in a GDPR document?
These GDPR document templates cover a variety of different types of information, including:
-
the organisation’s details
-
the types of personal data covered
-
how personal data is processed
-
how transfers of data outside of the UK or European Economic Area (EEA) are made
-
the rights of data subjects (ie private individuals) in relation to their personal data
Which GDPR Document do I need?
Which GDPR-compliance documents you will need depends on your specific situation. However, generally speaking, you should use:
-
a Privacy policy - if you run a website, to inform website visitors about how you collect, use and protect their personal data
-
a Data protection and security policy - to set out your detailed internal policies and procedures for processing staff and client personal data
-
an Employee privacy notice - to inform staff about how you collect, use, retain and disclose personal information in an easily understandable way
-
a Consultant privacy notice - to inform consultants about how you collect, store, retain and disclose their personal data
-
a Data processing agreement (DPA) - to supplement a master Services agreement by setting out the specifics of how personal data will be processed
-
a Data protection impact assessment (DPIA) - to identify and minimise the data protection risks of a project, where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals
-
an Appropriate policy document (APD) - where required under the Data Protection Act 2018 when relying on certain conditions for processing special category or criminal offence personal data, to outline the compliance measures and data retention policies used for that processing
-
a Legitimate interest assessment (LIA) - to identify whether you can process personal data on the ground of legitimate interest
-
a Data retention policy - to tell staff how long they should store personal data for and what they should do once it’s no longer needed
For more information, read Data protection for businesses.
What are personal data and data processing?
Data processing is almost any operation performed on personal data (eg collecting, storing, using, sharing or deleting it), such as gathering and storing staff or customer personal data for use in your organisation. Purely personal or household use of personal data is not covered.
Personal data is any information relating to a living individual who is identified or can be identified from that information (on its own or combined with other information). Examples include names, addresses and birthdates.
There is also a further ‘special category’ of personal data (previously known as ‘sensitive personal data’), which is given greater protection. Examples include information about sexual life, genetics, and physical or mental health.
Criminal offence data (ie personal data relating to criminal convictions, criminal offences, and related security measures) is treated separately from personal data and special category personal data. It is also subject to stringent controls.
What are my data protection obligations?
UK businesses that process personal data need to protect that information.
In order to meet their data protection obligations, organisations must comply with the data protection principles. This means that personal data must be:
-
processed in a fair, lawful and transparent manner (eg justified by a lawful basis such as consent, performance of a contract, or legitimate interest)
-
collected only for specified, explicit and legitimate purposes
-
adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
-
accurate and kept up to date
-
kept in a form that enables identification of the person to whom it belongs (known as the ‘data subject’) for no longer than necessary
-
processed in a way that ensures it is appropriately secure
-
not transferred outside the UK without adequate protection
Failure to comply with your data protection obligations can result in a fine of up to 4% of an organisation’s total global annual turnover or of £17.5 million, whichever is higher.
For more information, read Complying with the GDPR and follow our How to make a business GDPR-compliant checklist. If you require an evaluation of your data protection practices, consider making use of our Data protection health check.
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyer.