How do I write a Data Protection Policy?

Hopefully everyone’s well on the way to being compliant with the new GDPR – remember, it kicks in on 25th May, so not much time now! However, there are two important areas we haven’t covered yet. The first is how we deal with the huge pile of paperwork that is required to prove that we are “accountable” and “compliant” – that’s what we’re going to look at here. The second we’ll look at in a week or so, and that’s Staff Training.

There are three vital sets of documents that you’ll need if you are going to be compliant with the new law. These are:

  • Privacy Policy – also known as a Privacy Notice, this is where you tell your clients and visitors about the data you collect on them. We discussed these back in February here.

  • Data Processor Agreements – these are the contracts that bind any of your data processors to abide by the GDPR and your rules. Those of you who are our clients should have received one from us by now – remember, without a signed DPA, your processors aren’t permitted to handle data for you!

  • Data Protection Policy – this might be considered the master document, setting out what data you hold, how you handle and process it, how you keep it secure, and what your legal justifications are. The contents will be unique to your practice, but in general this needs to be something of a monster. The good news is that if you’ve been following our step-by-step guidance, you should be ready to pull it all together now!


So, let’s look at how we can structure this potentially enormous file. There are many different ways to do it, but this seems to me to be the simplest approach.

  1. Introduction – This is probably the only bit that will be read in detail by most of your staff (except the Code of Conduct), so make sure it contains the key points – a summary of what the new data protection law says and why it’s important to you at your practice.

  2. Data Management and Security Responsibilities – Details of who has what responsibilities regarding data: as a minimum, a Data Protection Representative or Officer, and a Records Management Officer. It is helpful to emphasise here, though, that all staff have some responsibility!

  3. Data Audit – List every type of personal data record you hold, say whether it is sensitive, personal, confidential or public data, and rate it as high, medium or low risk. You must also record the legal basis for processing it under Article 6(1); where the data is special-category (health data, for example), record the additional Article 9(2) condition you rely on as well. The full audit can live in the Records Management section below, but a summary here is helpful, especially if you intend to classify material by risk and then adjust its level of protection to match.

  4. Physical Security – For offline (hard copy) data, and for computers and other devices holding sensitive, personal or confidential data, you will need policies governing access controls and anti-theft measures: for example, how the files are secured, who has access to the building, and where the keys are kept and who holds them.

  5. Network and IT Security – For information held on computer, you will need policies and protocols covering a number of areas. Firstly, you will need some Electronic Security Protocols (antivirus, firewall, update and patch protocols, plus secure access arrangements and network traffic monitoring). If any staff take work home or can access data from outside the practice, you’ll also need a Mobile Working Policy including a protocol for working on insecure networks if needed, a list of devices holding or able to access data, and a device control policy for mobile devices – e.g. phones or tablets – used to access data. At a bare minimum, this should require encryption of the device’s storage and the ability to remotely wipe the device if it is lost or stolen; a remote wipe only works if the device comes back online, so encryption is what actually protects the data in the meantime. Finally, all of this can be summed up in a Code of Conduct summarising the Safe Working Protocols and Password Policy. This document should be distributed to staff and should contain all the key Dos and Don’ts, phrased clearly, concisely and in easy-to-understand terms.

  6. Breach Recognition and Management – You could include your Information Security Risk Analysis here, and you MUST include a protocol for suspected data breaches and a record of every breach, including those you decide not to report (Article 33(5)). The protocol should cover how a breach might be recognised, who needs to be informed (internally, and the supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, under Article 33), and guidelines for where to go from there.

  7. Record Management Policy – This is the logical place for everything that describes the data itself:

      • Copies of your publicly available Privacy Policies (the Privacy Notice and the Data Retention Notice), and optionally a formal Data Collection Policy listing what data you collect and why, although that must form part of your Privacy Notice too.
      • The full details of your Data Audit (what data you hold, where it is held, and who holds or has access to it) and your Data Flow Map (where data comes from, where it goes, and what systems or personnel it passes through in between).
      • Your Data Retention Plan, which comprises a Retention Policy (how long you hold each set of data for), a Data Disposal Protocol (how you destroy it securely – remember, clicking “delete” on a computer does NOT delete the information irrecoverably, nor does throwing paperwork out in the rubbish: overwrite or physically destroy the storage media, and shred the paper), and a Data Destruction Schedule and Log (when you need to destroy particular datasets, and a record that you have actually done so).
      • A summary of any Data Access Controls you have in place (who has a need to know, and what you do when someone leaves the practice – accounts and keys should be revoked on their last day, not afterwards).
      • Your Rights Request Protocols, for when people wish to exercise their GDPR data subject rights: how you verify the requester, how you will respond within the one-month deadline in Article 12(3), and a record of every such request.
      • Your Data Transfer Policy: a Data Transfer Protocol describing how data is moved around the organisation, details of your processors and all your signed Data Processor Agreements, and ideally a Template Data Processor Agreement for contractors and processors.

  8. Privacy Proof Protocol – Article 35 requires a Data Protection Impact Assessment before any processing that is likely to result in a high risk to individuals, so you need a DPIA Protocol: how you screen new projects or systems to decide whether one is needed, how you carry it out, and a programme for reassessing existing processing when it changes.

  9. Continuity and Recovery Plan – Your Continuity Plan should explain how you would rebuild your records in case of a disaster such as flood, fire or theft, and include details of what backups you make, how they are stored (and whether they are encrypted and kept off site), how often they are made, and a log demonstrating that they have been made. A log only proves a backup was written; schedule a periodic test restore and record its result too, since an unrestorable backup is not a backup.

  10. Training Policy – All organisations have a legal duty to train their staff and volunteers in Data Protection, and this should be reflected here. Ideally, it should state how they will be trained, list any relevant resources, and include a log of training events or procedures.

  11. Compliance Log – The DPO or Representative must make periodic spot-checks of compliance with this Policy – this is where these are recorded.

  12. Review Dates – The Policy must be updated periodically – this process should be recorded here.
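The Data Audit in item 3 and the Retention Plan and Destruction Log in item 7 are easier to keep honest if the audit is held as data rather than only as prose, so that a script rather than a reader finds the gaps. The following is an added example, not code from the original post; every dataset, record, classification name and retention period in it is constructed for illustration, and the `Dataset`, `Record`, `audit_problems`, `destruction_due` and `log_destruction` names are this example’s own. It checks each audited dataset for a valid Article 6(1) basis, an Article 9(2) condition where the data is special-category (a requirement the post does not mention), and a signed DPA where a processor holds it, and then works out which records are past their retention period and not yet logged as destroyed.

```python
# Added example (not from the original post): the Data Audit and the
# Retention Plan expressed as data, with the checks a reviewer would
# otherwise do by hand. All sample datasets, records and retention
# periods below are constructed for illustration only.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

CLASSIFICATIONS = {"sensitive", "personal", "confidential", "public"}
RISK_LEVELS = {"high", "medium", "low"}
# The six lawful bases in GDPR Article 6(1).
ARTICLE_6_BASES = {"6(1)(a)", "6(1)(b)", "6(1)(c)", "6(1)(d)", "6(1)(e)", "6(1)(f)"}
# Date the checks below are run "as of" (constructed: GDPR application date).
AS_OF = date(2018, 5, 25)


@dataclass
class Dataset:
    """One row of the Data Audit: a type of record the practice holds."""
    name: str
    classification: str
    risk: str
    location: str                   # where it is held (system, cabinet, processor)
    owner: str                      # who is responsible for it
    legal_basis: str                # Article 6(1) basis, e.g. "6(1)(c)"
    retention_days: int             # from the Retention Policy
    article_9_condition: str = ""   # special-category data also needs an Art. 9(2) condition
    held_by_processor: bool = False
    dpa_signed: bool = False        # only meaningful when held_by_processor is True


@dataclass
class Record:
    """One instance of a dataset, e.g. a single patient file."""
    dataset: str
    reference: str
    created: date
    destroyed_on: Optional[date] = None


def audit_problems(datasets: List[Dataset]) -> List[Tuple[str, str]]:
    """Return (dataset name, problem) pairs for every gap in the audit."""
    problems = []
    for d in datasets:
        if d.classification not in CLASSIFICATIONS:
            problems.append((d.name, f"unknown classification {d.classification!r}"))
        if d.risk not in RISK_LEVELS:
            problems.append((d.name, f"unknown risk level {d.risk!r}"))
        if d.legal_basis not in ARTICLE_6_BASES:
            problems.append((d.name, f"legal basis {d.legal_basis!r} is not an Article 6(1) basis"))
        if d.classification == "sensitive" and not d.article_9_condition:
            problems.append((d.name, "special-category data with no Article 9(2) condition"))
        if d.held_by_processor and not d.dpa_signed:
            problems.append((d.name, f"held by processor {d.location!r} without a signed DPA"))
        if d.retention_days <= 0:
            problems.append((d.name, "no retention period set"))
    return problems


def destruction_due(records: List[Record], datasets: List[Dataset],
                    today: date) -> List[Tuple[Record, date]]:
    """Records past their retention period and not yet logged as destroyed."""
    by_name = {d.name: d for d in datasets}
    due = []
    for r in records:
        if r.dataset not in by_name:
            # Every record must map to an audited dataset, or the audit is incomplete.
            raise ValueError(f"record {r.reference} belongs to unaudited dataset {r.dataset!r}")
        if r.destroyed_on is not None:
            continue
        due_date = r.created + timedelta(days=by_name[r.dataset].retention_days)
        if due_date <= today:
            due.append((r, due_date))
    return due


def log_destruction(record: Record, on: date, method: str, due_date: date) -> str:
    """Mark a record destroyed and return the line to append to the Destruction Log."""
    record.destroyed_on = on
    return (f"{on.isoformat()} {record.dataset} {record.reference} "
            f"destroyed by {method} (due {due_date.isoformat()})")


# Constructed sample audit; the bases and conditions are illustrative, not advice.
SAMPLE_DATASETS = [
    Dataset("patient_clinical_notes", "sensitive", "high", "practice management system",
            "Records Management Officer", "6(1)(c)", 3650, article_9_condition="9(2)(h)"),
    Dataset("appointment_reminders", "personal", "medium", "SMS gateway (processor)",
            "Practice Manager", "6(1)(b)", 90, held_by_processor=True, dpa_signed=False),
    Dataset("website_analytics", "personal", "low", "hosting provider",
            "Practice Manager", "consent", 400, held_by_processor=True, dpa_signed=True),
    Dataset("staff_rota", "confidential", "low", "office file server",
            "Practice Manager", "6(1)(b)", 365),
    Dataset("old_referral_letters", "sensitive", "high", "filing cabinet 2",
            "Records Management Officer", "6(1)(c)", 3650),
]

# Constructed sample records.
SAMPLE_RECORDS = [
    Record("patient_clinical_notes", "PT-0000", date(2005, 1, 1), destroyed_on=date(2016, 1, 5)),
    Record("patient_clinical_notes", "PT-0001", date(2008, 1, 1)),
    Record("patient_clinical_notes", "PT-0002", date(2015, 6, 1)),
    Record("appointment_reminders", "SMS-2018-01", date(2018, 1, 10)),
    Record("staff_rota", "ROTA-2018-W01", date(2018, 1, 1)),
]

if __name__ == "__main__":
    for name, problem in audit_problems(SAMPLE_DATASETS):
        print(f"AUDIT GAP  {name}: {problem}")
    for record, due_date in destruction_due(SAMPLE_RECORDS, SAMPLE_DATASETS, AS_OF):
        print(f"DUE        {record.dataset} {record.reference} (due {due_date.isoformat()})")
```

Run directly, it reports three audit gaps (a processor with no signed DPA, a legal basis that is not an Article 6(1) reference, and special-category data with no Article 9(2) condition) and two records overdue for destruction as of 25 May 2018. The string returned by `log_destruction` is the Destruction Log entry; because it also marks the record as destroyed, re-running `destruction_due` afterwards no longer lists it, which is the check that the schedule and the log agree.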

Sounds like a lot of work, I know! But actually, you should have most of this information available by now – it just needs writing out in a central document. Good luck!

If you have any questions about marketing under the GDPR, please feel free to give us a call and talk to our expert staff!