Data Protection and Data Security Policy
What is a Data Protection Policy?
A Data Protection Policy is a comprehensive internal document that sets out the procedures your business will comply with when dealing with personal information and personal data (ie information about individuals who can be identified from the data, eg names and addresses). Data Protection Policies are used to notify staff about your use of their personal data and their use of clients' personal data.
This document is GDPR compliant.
When should I use a Data Protection and Data Security Policy?
Use this Data Protection and Data Security Policy template to:
- inform staff about your use of their personal data, as required by data protection laws
- educate staff about the data protection principles they must adhere to when processing (eg collecting or storing) personal data
- comply with your duty to protect the security of personal data
About Data Protection and Data Security Policies
Learn more about making your Data Protection and Data Security Policy
How to make a Data Protection and Data Security Policy
Making a Data Protection and Data Security Policy online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your Data Protection Policy, you will need the following information:
Your business details
- Your business’ details (including its name and legal structure).
- Who has overall responsibility for data protection compliance in your business? Is it the Data Protection Officer (DPO) or another person?
- What email address should staff contact about their data rights?
- What email address should staff contact to ask you to rectify or stop processing their data?
Personal data processing
- Will you collect staff home contact details?
- Will you collect information about race, ethnicity or nationality to conduct equal opportunities monitoring?
- Will you transfer staff personal information outside of the European Economic Area (EEA) in the course of carrying out business?
- Will you process criminal records (also known as ‘criminal offence data’)?
- Will you collect or use types of staff personal information that are unusual or which would not be obvious to employees? If so, what data will you process and why?
Data security
- Do you have an Information security policy or data retention policy in place setting out how data is stored securely?
- Do staff members have to follow additional rules to ensure data security? If so, what are these additional rules and/or measures?
Common terms in a Data Protection and Data Security Policy
A Data Protection and Data Security Policy sets out your business’ policies and procedures for keeping staff and customer data safe and secure. To do this, data protection and data security policies will typically include:
- a statement and purpose of policy - sets out your commitment to processing personal data in accordance with the relevant laws and regulations and gives an overview of how you will do this
- definitions - explain what is meant by key terms such as ‘Data protection laws’, ‘Personal data’, ‘Processing’ and ‘Special categories of personal data’. This helps to provide clarity for anyone reading the Data Protection Policy and helps you demonstrate your business’ data protection compliance
- data protection principles - this section sets out the data protection principles under the UK General Data Protection Regulation (GDPR) and how they are complied with. This includes how staff personal data and personal data belonging to others (eg customers and clients) is handled
- who is responsible for data protection and data security - sets out that all staff have a responsibility to comply with this Policy and the principles contained within it. It also sets out who can answer any questions about, and handle non-compliance with, this Policy
- what personal data and activities are covered by this Policy - sets out the personal data this Policy applies to, including personal data held electronically and personal data in the form of opinions or facts
- what personal data do we process about staff - sets out the types of staff personal data that you process (eg addresses, contact details and information about pay). It also sets out how the personal data is provided to you (eg data provided by members of staff before or during employment or data already available in the public domain)
- sensitive personal data - sets out that special categories of personal data (eg information about racial or ethnic origin or information about mental or physical health) may be processed if there is a valid reason for doing so. It also informs staff members that they must speak to the DPO or other person responsible for data protection compliance before doing so
- criminal records information - sets out that, if you do process criminal records information, this is done in accordance with your criminal records information policy
- how we use your personal data - sets out the reasons for processing the personal data, how it will be used and the legal basis for processing in accordance with a separate privacy notice. This section also provides examples of when personal data may be used (eg to maintain a record of your sickness absence, carry out performance reviews and monitor IT systems)
- accuracy and relevance - sets out that you comply with the data protection principles requiring personal data to be accurate and kept up to date, and to be collected only for specified, explicit and legitimate purposes
- storage and retention - sets out that personal data will only be stored for a certain period of time, as set out in your privacy notice. It also sets out that personal data is kept securely in accordance with the relevant data retention or information security policy
- individual rights - sets out the rights of data subjects in relation to their personal data. This includes data subjects’ right to make data subject access requests (and how this can be done), to object to the use of personal data, to have personal data deleted, and to report their employer to the ICO
- data security - sets out how you will ensure the security of personal data, including the technical and organisational measures used to do so
- data impact assessments - sets out that you will carry out a Data protection impact assessment (DPIA) if the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals
- data breaches - sets out how you will handle any breaches of staff personal data, including that they will be recorded
- international data transfers - sets out that personal data may be transferred to parties outside the UK and EEA, provided that adequate protections are in place. For more information, read International transfers of personal data
- individual responsibilities - sets out what responsibilities staff members have in relation to their personal data that is held by you (eg ensuring that personal data is up to date). It also sets out that staff members who have access to others’ personal data have certain responsibilities in relation to that data (eg to keep personal data secure and not to store it on personal devices)
- training - sets out that you will provide training about data protection responsibilities to all staff members
If you want your Data Protection and Data Security Policy to include further or more detailed provisions, you can edit your document. However, you may want a lawyer to review the document (or make changes) for you to ensure that your modified Data Protection Policy complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Legal tips for businesses
Make sure that the business complies with the commitments you’ve made in your Policy
Recording how your business will meet its data protection obligations in writing is a fundamental first step toward compliance. However, simply having a Data Protection and Security Policy in place is not enough to demonstrate that you’ve actually complied with your legal obligations. You need to ensure that the steps set out in your Policy are followed. It is, therefore, crucial that you make a plan for the implementation of the Data Protection and Data Security Policy. If you need help with data protection compliance, seek GDPR compliance advice.
Consider what additional data protection documents you may need
This Policy mentions certain additional documents you may need, including:
- a Data protection impact assessment (DPIA) - if your handling of personal data is likely to result in a high risk to individuals’ rights and freedoms
- a Privacy notice - to detail how you collect, use, retain and disclose staff personal data
- an Information security policy - to set out how IT assets and resources are to be used, managed and protected
- a data retention policy - to set out how long you will store personal data for. Ask a lawyer if you need this policy drafted
- a criminal records information policy - to set out how you will handle criminal offence data (including any Disclosure and Barring Service (DBS) checks). Ask a lawyer if you need this policy drafted
- a breach response policy - to set out how you handle data breaches (including how you record and report them). Ask a lawyer if you need this policy drafted
Data protection is a complex area of law and you may need to put in place further documents not mentioned in this Data Protection Policy to ensure compliance with the GDPR. These include:
- a Data processing agreement (DPA) - if you’re transferring personal data to someone else so they can process it for you (eg if they’re holding it on your behalf)
- a Privacy policy - if you operate a website, you should inform users about the types of personal data you are collecting, the reasons for collection and how users can access their data
- a Communications and equipment policy - to set out the rules for staff access to communications and IT equipment and resources, and how you will monitor this
For more information, read How to make a business GDPR-compliant checklist and Data protection and employees.
Make sure that you have a legal basis for processing personal data
Data protection laws set out stringent legal grounds under which the processing of personal data is permitted. Before you start processing staff (or client) personal data, you must make sure that at least one legal ground applies. Examples include the data subject consenting to the processing or your business having a legitimate interest in the processing.
Understand when to seek advice from a lawyer
Due to the complexity of data protection practices and compliance, it is good practice to Ask a lawyer for advice on your situation. This can help you ensure you’re complying with the law and that your business is well protected from risk. You should ask for advice if:
- you want to change an existing Data Protection Policy that is contractually binding
- you need advice on the use of covert workplace monitoring
- your use of staff personal data may infringe their right to privacy or relates to information about what they do outside work
- you require bespoke policies drafted
- you are unsure about your compliance obligations under the GDPR
Data Protection and Data Security Policy FAQs
What is included in a Data Protection and Data Security Policy?
This Data Protection template covers:
- who is responsible for data protection and data security
- the kinds of data covered by this Policy
- the types of data collected by the employer about staff
- the uses the employer makes of data concerning staff
- transfer of data overseas
- principles that must be adhered to in processing personal data
- measures to protect the security of personal data
- subject access requests
Is a Data Protection Policy mandatory?
While it is not mandatory to have a Data Protection Policy, it helps ensure that your business has a systematic approach to complying with relevant laws and regulations. It also helps inform staff about their duties and clearly sets out the procedures for collecting, storing and otherwise processing data.
Setting out proper data security rules will instil confidence in your staff and clients and will help protect you from any mishandling of personal data. It also gives staff members the confidence that you are taking the necessary steps to protect them from any claims.
While you are not legally required to have a Data Protection and Data Security Policy, you need to be open with data subjects (ie private individuals whose personal data you process) about how and why you process their data. Failure to do so can result in fines from the Information Commissioner’s Office (ICO).
For more information, read Complying with the GDPR.
How do I implement the Data Protection Policy?
Make sure that your Data Protection and Data Security Policy is made readily available to staff and customers. This will help ensure that this Policy is incorporated into your business. You can consider:
- including the Data Protection Policy in your Staff handbook
- providing staff with appropriate training on the implementation of the Policy
- attaching the Policy to any terms and conditions so customers can refer to it
Make it clear to staff that they should refer to the Data Protection Policy when they need data protection advice.
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.