GDPR and data protection policy template

£ 20

This model policy outlines how the Company will comply with statutory requirements of GDPR and data protection.

What is this policy for?

The purpose of this GDPR and data protection policy template is to provide you with a flexible and customisable document to serve as a robust and effective starting point for you.

By using our GDPR and data protection policy template, you can streamline your process, maintain consistency and accuracy, and save time, and it can be easily adapted to fit your specific scenario.

  1. Data Protection Act 2018 (DPA): This is the UK's primary data protection legislation that incorporates the GDPR into UK law. It sets out the rules and regulations for the processing of personal data, including employee data, and outlines the rights and responsibilities of data controllers and data processors.

  2. General Data Protection Regulation (GDPR): Although this is an EU regulation, it applies to the UK as well. It provides a comprehensive framework for the protection and processing of personal data for individuals within the EU, including employees.

  3. Employment Rights Act 1996: This legislation contains provisions related to employee privacy and confidentiality. It establishes the duty of employers to maintain the confidentiality of an employee's personal information and employment records.

  4. Human Rights Act 1998: This Act incorporates the European Convention on Human Rights (ECHR) into UK law. It includes the right to respect for private and family life, which has implications for how employers handle employee data and ensure data privacy.

  5. Equality Act 2010: While primarily focused on promoting equality and preventing discrimination in the workplace, this Act also contains provisions related to the handling of sensitive personal data, such as information about an employee's health or disability.

  6. Computer Misuse Act 1990: This legislation addresses unauthorized access to computer systems, which is relevant for protecting employee data stored electronically.

  7. Privacy and Electronic Communications Regulations (PECR): These regulations supplement the DPA and GDPR and provide rules on electronic communications, including email marketing and the use of cookies on websites, which may collect personal data from employees.

  8. Employment Practices Code: This code of practice, issued by the Information Commissioner's Office (ICO), provides guidance on data protection in the context of employment, helping employers understand their responsibilities when processing employee data.

  9. Trade Union and Labour Relations (Consolidation) Act 1992: This legislation ensures that trade unions have access to certain employee data for collective bargaining purposes while maintaining data protection requirements.

  10. Whistleblowing Policy: Although not a specific piece of legislation, implementing a whistleblowing policy is essential to encourage employees to report any data protection breaches or concerns they may have.


Reading time icon
Time to read / prep / use
5 mins
Document specs icon
Word count / length
170 words, 1 page A4
Date last reviewed icon
Date last reviewed
1 June 2024
gdpr and data protection policy template

GDPR and data protection


This policy outlines how the Company complies with all statutory requirements of GDPR.


This policy is applicable to all employees of [company name].

General principles

[Company] will comply with all statutory requirements of the GDPR by registering all personal data held on its computer and/or related electronic equipment and by taking all reasonable steps to ensure the accuracy and confidentiality of such information.

The Data Protection Act protects individual's rights concerning information about them held on computer. Anyone processing personal data must comply with the eight principles of good practice. Data must be:

  1. fairly and lawfully processed
  2. processed for limited purposes
  3. adequate, relevant and not excessive
  4. accurate
  5. not kept longer than necessary
  6. processed in accordance with the data subject’s rights
  7. secure
  8. not transferred to countries without adequate protection

Employees can request access to the information held on them by the Company. All requests by employees to gain access to their personnel records should be made in writing. There is no charge for this service.

🔒 To view this you will need to make a purchase.

🔒 To view this you will need to make a purchase.

This policy [does not] form[s] part of your terms and conditions of employment.

Version: [1.0]

Issue date: [date]

Author: [name, job title]

Why choose our GDPR and data protection policy template?

Our content:

Is easy to edit and execute, with comprehensive implementation guidance.
Is designed by accredited, experienced HR practitioners.
Maintains your compliance with ACAS guidelines, legislation, and industry best practices.
Includes 12 months access to your purchase, with email alerts if updated or expanded.

Stop doing this:

Wasting money buying documents that don't meet best practice or legislation.
Wasting effort searching for free documents that lack implementation support.
Wasting time creating documents from scratch.

I have just renewed our membership for another year for HRdocbox. It's an extremely useful resource with a wide variety of documents and knowledge...
- Rachel Masing, ETM Group

I have been using the service now for around 6 months and it has been really useful in developing and updating polices and processes.
- Jamie Allan, Armstrong Craven

Excellent library of resources and templates which have made my job in my small business so much easier to manage HR for my employees...
- Emma Hunt

Great value and the site contains an extensive library of essential HR documents. I access the site probably once a week...
- Laura Alliss-Etty

HRDocBox is a great resource. It is incredibly good value, providing a large selection of HR guidance materials as well as...
- Emma Beauchamp