Data Protection Policy (A251)

£19.50 plus VAT

This Data Protection Policy is for internal use by a business that sells goods and/or services and has a website through which sales can be made and/or personal data can be collected. It covers the main GDPR issues that a small business is likely to encounter and sets out how the business will ensure compliance with the basic requirements of the EU's GDPR (General Data Protection Regulation) and the UK's Data Protection Act.

The GDPR says that any business or organisation that is a data controller – i.e. one that determines the purposes and means of processing personal data – must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in compliance with the regulation. Where proportionate, this includes implementing appropriate data protection policies.

The Data Protection Policy will cover

  • The categories of personal data you collect and why – the types of people from whom you collect it (employees, customers, etc.) and the type of data in each category
  • Location and security of data – where you keep it and how you secure it (encryption, password protection, etc.)
  • Third-party processors you use and the basis of your agreement with each of them
  • How long you keep personal data and the reasons
  • Destruction and disposal of personal data – how this will be handled once the retention period has expired
  • The rights of individuals to access, rectify and erase their personal data
  • How you will deal with subject access requests
  • Data breaches – duties and actions if you suffer a data breach
  • Training
  • Reviewing the data protection policy – this is needed periodically

You may also find these contracts useful:

£29.50 Plus VAT

This Data Processor Agreement is for a company or organisation that is a data controller and appoints a third party to provide services as a data processor. The contract is designed to comply with GDPR…


£8.50 Plus VAT

This Privacy Notice template - previously known as a Privacy Policy - is for use on a website where the website owner collects data on visitors or customers. It meets the basic requirements of the…


Explanatory Notes

The General Data Protection Regulation (GDPR) has been effective since 25 May 2018. It is an EU regulation, and the UK has also enacted a new Data Protection Act (the Data Protection Act 2018). The new rules are designed to strengthen data protection for all individuals in the EU and give citizens more control over their personal data. They apply to all businesses, charities, companies, organisations and public bodies that collect and process personal data, and there are potentially severe fines for breaches – up to 4% of annual worldwide turnover or €20 million, whichever is higher.


Our template Data Protection Policy is useful both for covering the main requirements of the GDPR and for setting out the rules that apply to your business. All personnel with an administrative function need to understand and comply with the policy.

Our template policy is largely self-explanatory, but it needs to be tailored to the particular requirements of your business. The Policy is divided as follows:

Collection & Processing of personal data

This has the following subheadings:

  • Data that we collect
  • Security of Data
  • Third Party Processors
  • Retention of Data
  • Anonymised Data

Rights of Individuals and Procedures for dealing with them

This has the following subheadings:

  • Information to be provided to the individual
  • Obligations to provide/rectify/erase information when requested

Data Breaches

Training & Review
