Data Protection Policy

Our Data Protection Policy template is suitable for any type of business with employees. It sets out how staff and management should deal with data protection in the workplace. As such, it also includes a data security policy. It also includes a “Fair Processing Notice” regarding employee data, to notify staff of how you will hold and handle their personal data.

Under the General Data Protection Regulation (the GDPR), there are certain rules that every employer must observe regarding the security, protection, handling (or processing), storage of personal data about their staff. This policy (and of course ensuring it is enforced in practice) is a good step in the direction of ensuring the employer’s legal responsibilities on data protection are complied with.

More guidance on the GDPR

This page is not intended to be a summary of the principles of data protection. So for in-depth information, please have a look at the website of the Office of the Information Commissioner at www.ico.org.uk. In handling personal data, you must comply with the GDPR and the “Principles of Data Protection” that it imposes. See the ICO website for more information on what this means in practice.

Using our Data Protection Policy template

Our templates are all carefully put together, to make your life easy. So completing your policy will only take a few minutes, using our straight-forward guide, which leads you through each section, explaining what each section’s purpose is. In case of any queries when you use it, simply contact us by email or telephone: see our Contact Us section.

Clauses in this Data Protection Policy

The following gives you a good idea of what this template covers, as it is an excerpt from the guide that accompanies the template:

Data Protection Policy outline

This section sets out the business’s commitment to compliance with the Data Protection Act 1998 regarding handling its employees’ personal data.

Principles of data protection

This section starts by listing the principles of data protection that are mandatory under the GDPR. (For an explanation on what they mean in practice see the ICO’s website.) It also includes definitions of “personal data”, “processing” and “sensitive personal data”, as per the definitions in the GDPR.

Fair processing notice

This section of the data protection policy sets out the circumstances under which you will process employees’ personal data.

The use of your personal data

This section sets out the purposes for which the employer will process personal data (and sensitive personal data).

Limits on data processing

This section explains you will only process personal data as necessary and permitted.

Accurate data and recording

In this section, the employee is asked to assist in keeping their personal data, that the employer holds, up-to-date.

Personal data recording and retention

This section explains that you will delete personal data when no longer needed.

Your rights and data processing

This section of the data protection policy explains the employee’s rights regarding their personal data.

Keeping personal data secure

This section explains the obligation on the employer to keep the personal data confidential and secure, e.g. against theft by hackers.

Third party provision

This section explains the circumstances under which you might share the personal data with a third party. For example, a government agency with the right to know.

Requesting a copy of your personal data

This section of the data protection policy explains that an employee can ask for a copy of all personal data held on them. So note that you now have to give this at no cost.

Concerns

This final section advises that if the employee thinks their data has been mishandled (or other’s has been) then they should report it to the employer’s appointed Data Protection Officer. It also states breaching this policy or the GDPR may lead to disciplinary action.