How to write a GDPR data protection policy – with policy template

Updated 7 November 2018. This blog was originally published before the GDPR took effect in May 2018.

An integral part of your EU GDPR (General Data Protection Regulation) project is producing appropriate documentation to demonstrate your compliance – in line with the requirement for accountability set out in Article 5(2).

Part of this obligation is producing a data protection policy.

This blog post outlines what a GDPR data protection policy is, what you should include in yours and what tools you can use to help your organisation produce this essential documentation.

What is a GDPR data protection policy?

Article 24 of the GDPR states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”.

These measures “shall include the implementation of appropriate data protection policies by the controller”.

Policies are high-level internal documents that set principles, rather than details of how, what and when things should be done – which are covered by procedures.

Policies must:

  • Be capable of implementation and enforceable;
  • Be concise and easy to understand; and
  • Balance protection with productivity.

Who should have a data protection policy?

Every organisation that processes personal data should have a data protection policy.

What should a GDPR data protection policy say?

The accountability principle set out in Article 5 is key to GDPR compliance. It holds that data controllers must not only comply, but also be able to demonstrate their compliance with, six data processing principles.

These state that personal data must be:

  • Processed lawfully, fairly and transparently;
  • Collected only for specific legitimate purposes;
  • Adequate, relevant and limited to what is necessary;
  • Accurate and, where necessary, kept up to date;
  • Stored only as long as is necessary; and
  • Processed in a manner that ensures appropriate security.

A data protection policy should therefore set out how your organisation will comply with these obligations.

As a high-level document, it needn’t go into detail, but we recommend it includes:

  • Topics covered by the policy;
  • Reasons the policy is needed;
  • Contacts and responsibilities;
  • Objectives; and
  • How to handle violations.

For example, your data protection policy might include instructions for staff involved in collecting client data, specifying that they only collect the minimal amount required.

As well as guiding your organisation’s compliance with the GDPR, your data protection policy will demonstrate to the Information Commissioner’s Office that you are making every effort to comply with the law if it has to investigate a data breach.

Help creating a data protection policy template

Knowing where to start when creating a GDPR data protection policy can be difficult, especially if yours is a large organisation with many objectives, contacts and responsibilities.

Fortunately, help is at hand.

You can download a customisable data protection policy template from IT Governance here >>


Example of the data protection policy template included in the EU GDPR Documentation Toolkit.

Example of the data protection policy template available from IT Governance.


Easily create your GDPR data protection policy with our customisable template >>