Free preview: Data Protection Policy
These are the genuine opening sections of one document from the GDPR Compliance Pack for Small Business (14 documents total). The amber [placeholders] are what you customize — everything else is ready to use.
Data Protection Policy
Purpose. This policy establishes the binding rules, governance structure, and accountability measures that [Company Name] applies to every processing operation involving personal data. It translates the principles of Art. 5 GDPR and the controller obligations of Art. 24 GDPR into concrete responsibilities, frequencies, and evidence requirements that staff can follow and auditors can test. It is the top-level document of the organization's data protection framework and governs all subordinate privacy procedures and standards.
Policy Statement and Objectives
[Company Name] collects and uses personal data about customers, employees, suppliers, website visitors, and other individuals in the course of its business. This policy sets the mandatory internal rules for how that data must be handled so that all processing complies with the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR and the Data Protection Act 2018.
This policy is approved by [the Managing Director / the Board] and takes effect on [effective date]. Compliance is a condition of employment and of engagement for contractors. Breach of this policy may expose the organization to regulatory fines, contractual claims, and reputational damage, and may result in disciplinary action up to and including termination for individual staff.
- Embed the data protection principles of Art. 5 GDPR into day-to-day operations, with a named owner for each obligation.
- Implement and document technical and organizational measures appropriate to risk, as required of controllers by Art. 24 GDPR.
- Give staff practical rules and a clear escalation path so privacy issues are identified, reported, and resolved early.
- Maintain documentation sufficient to demonstrate compliance to supervisory authorities, customers, and auditors on request.
Scope and Applicability
This policy applies to all processing of personal data carried out by or on behalf of [Company Name], in any format (electronic, paper, audio, or video), on any system or device, and at any location, including processing performed by remote workers and by processors acting under contract.
It binds all employees, workers, contractors, temporary staff, and interns (collectively, staff). Where [Company Name] acts as a processor on behalf of a client, the client contract governs the processing; the [Privacy Lead] must review any client term that conflicts with this policy before the contract is signed and must record the resolution of the conflict.
Key Definitions
The following working definitions apply throughout this policy and all subordinate privacy documents. They are plain-language summaries for operational use; where a legal question turns on a precise definition, the [Privacy Lead] must consult the text of the GDPR or external counsel.
Data Protection Principles
All processing must satisfy the seven principles of Art. 5 GDPR. The table below states what each principle requires in practice at [Company Name], who owns it, and the evidence that must exist to demonstrate it. Department managers must confirm during the [annual] compliance attestation that the processing they own meets each requirement.
— Preview ends. The full document continues with 13 more documents in the toolkit. —
