Back to Insights Back to Insights

GDPR policies and procedures

Our GDPR experts have put together a list of GDPR documents and policies you need to be thinking about to be on your way to GDPR compliance before 25th May 2018. Get ahead of the game and find out below which may apply to you and your business. Below we explore what these documents and policies are and what, when and where you need to use them.

This documents guidance note is also listed as part of the LawBite GDPR Documents Package, to help you on your way to data compliance.       


1. Terms and Conditions of Website Use

The website terms of use are drafted for publication on a website. They contain provisions dealing with access to, and use of, the website including information about the website owner, rights to modify or withdraw the website, disclaimers for material published on it or linked to from it and rules about how such materials may be used. 

2. Privacy Policy and Cookie Policy 

This privacy policy is for use by a business in relation to the collection, storage and use of non-sensitive personal data, for use on a website which collects such data for the purpose of supplying goods or services to users of the site, or for contacting users with direct marketing information. This privacy policy also incorporates a cookie policy which provides internet users with the necessary information about an online provider's use of cookies as required by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208).        

3. Data Processing Agreement 

You should also have a GDPR compliant data processing agreement. It covers the obligations that parties need to comply with when using third parties to process personal data. 

4. Data Processing Clauses 

This document contains clauses to be inserted into a third party supply agreement where the third party is processing personal data. The clauses contain the relevant obligations to comply with GDPR. 

5. Data Retention Policy 

A data retention policy establishes and describes how a company expects its employees to manage personal data. GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This policy will help businesses identify and establish its own rules for how long data should be retained for. 

6. Data Protection Policy 

This is a standard policy for use by a business setting out the principles and legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data used in the course of the operation and administration of the business, including customer, supplier and employee data. 

7. IT Security Policy 

This is a standard policy for use by a business setting out the IT and data security principles that a business must comply with under GDPR. Businesses are required to put in place appropriate technical and organisational measures in place to prevent personal data being damaged, lost or stolen. 

8. Consent to Data Processing 

GDPR contains rules on how a business should obtain consent. This document contains a range of consents and guidance notes on how to use each consent form.  

9. Clauses for Staff Agreements 

These clauses for staff agreements have been updated to reflect GDPR, given the new rules on consent in an employment relationship. If you are issuing agreements to new members of staff or amending contracts for some other reason from 25th May 2018, these clauses can be used. 

10. Employee Consent Form 

GDPR rules on consent in an employment relationship mean that it would not normally be appropriate to request that an employee give their consent to their employer for their data to be processed. However, there may be limited and specific circumstances when this is required. 

11. Privacy Notice to Staff 

This privacy notice is for use by employers to advise employees, workers, contractors and other individuals who are employed or engaged by the business about the collection, storage and use of personal data by the employer. A privacy notice should be given to everyone whose data is collected and processed, including job applicants. 

12. Memorandum to Board of Directors 

The board of directors of a company needs to understand GDPR and have overall responsibility for a company’s compliance with GDPR. 
This memorandum highlights the key areas that the company needs to understand with regard to GDPR so that the board understands the implications of failing to comply with GDPR. 

How to document GDPR compliance?

Documentation can help you comply with other aspects of the UK GDPR and improve your data governance. You can follow ICO's checklist:

You must document the following information:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.


- LawBite GDPR Team: To speak to one of our GDPR lawyers for free today, simply enter an enquiry for a free 15-minute consultation. LawBite GDPR Documents Package offer

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.

Free legal support for businesses

The LawBite Free Essentials Plan acts as your very own legal assistant, ready to provide expertise and guidance on the common legal issues that SMEs and businesses face.

Free Templates
  • X 3 legal document templates
  • Drafted by our expert lawyers
  • New documents added every month
Legal Healthcheck Tools
  • Business-specific surveys
  • Understand how compliant you are
  • Checks in, GDPR, IP, Brexit and more
Resources, Webinars and Articles
  • Access to the latest LawBite events
  • Legal guides for businesses
  • Smarter business law videos