• Startups
  • June 17, 2020

The Top 12 Documents and Policies You Need to Think About Making GDPR Compliant Before May 25, 2018

GDPR policies and procedures

Our GDPR experts have put together a list of GDPR documents and policies you need to be thinking about to be on your way to GDPR compliance before 25th May 2018. Get ahead of the game and find out below which may apply to you and your business. Below we explore what these documents and policies are and what, when and where you need to use them.

This documents guidance note is also listed as part of the LawBite GDPR Documents Package, to help you on your way to data compliance.

1. Terms and Conditions of Website Use

The website terms of use are drafted for publication on a website. They contain provisions dealing with access to, and use of, the website including information about the website owner, rights to modify or withdraw the website, disclaimers for material published on it or linked to from it and rules about how such materials may be used. 

2. Privacy Policy and Cookie Policy 

This privacy policy is for use by a business in relation to the collection, storage and use of non-sensitive personal data, for use on a website which collects such data for the purpose of supplying goods or services to users of the site, or for contacting users with direct marketing information. This privacy policy also incorporates a cookie policy which provides internet users with the necessary information about an online provider's use of cookies as required by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208).        

3. Data Processing Agreement 

You should also have a GDPR-compliant data processing agreement. It covers the obligations that the parties need to comply with when using third parties to process personal data.

4. Data Processing Clauses 

This document contains clauses to be inserted into a third party supply agreement where the third party is processing personal data. The clauses contain the relevant obligations to comply with GDPR. 

5. Data Retention Policy 

A data retention policy establishes and describes how a company expects its employees to manage personal data. GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This policy will help businesses identify and establish their own rules for how long data should be retained.

6. Data Protection Policy 

This is a standard policy for use by a business setting out the principles and legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data used in the course of the operation and administration of the business, including customer, supplier and employee data. 

7. IT Security Policy 

This is a standard policy for use by a business setting out the IT and data security principles that a business must comply with under GDPR. Businesses are required to put in place appropriate technical and organisational measures to prevent personal data being damaged, lost or stolen.

8. Consent to Data Processing 

GDPR contains rules on how a business should obtain consent. This document contains a range of consents and guidance notes on how to use each consent form.  

9. Clauses for Staff Agreements 

These clauses for staff agreements have been updated to reflect GDPR, given the new rules on consent in an employment relationship. If you are issuing agreements to new members of staff or amending contracts for some other reason from 25th May 2018, these clauses can be used. 

10. Employee Consent Form 

GDPR rules on consent in an employment relationship mean that it would not normally be appropriate to request that an employee give their consent to their employer for their data to be processed. However, there may be limited and specific circumstances when this is required. 

11. Privacy Notice to Staff 

This privacy notice is for use by employers to advise employees, workers, contractors and other individuals who are employed or engaged by the business about the collection, storage and use of personal data by the employer. A privacy notice should be given to everyone whose data is collected and processed, including job applicants. 

12. Memorandum to Board of Directors 

The board of directors of a company needs to understand GDPR and has overall responsibility for the company's compliance with GDPR. This memorandum highlights the key areas that the company needs to understand with regard to GDPR, so that the board understands the implications of failing to comply with GDPR.

How do you document GDPR compliance?

Documentation can help you comply with other aspects of the UK GDPR and improve your data governance. You can follow the ICO's checklist:

You must document the following information:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.


In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
