GDPR: Updating and Drafting New GDPR-Compliant Data Protection Policies

GDPR: Updating and Drafting New GDPR-Compliant Data Protection Policies

19 February 2018

The General Data Protection Regulation 2016/679 (GDPR) replaces the existing data protection regimes in place throughout the European Union (EU), including the UK. It introduces a number of new obligations and requirements on controllers 1 and processors 2. Compliance with the new regulations will be of even greater importance following the enforcement date of 25 May 2018, because the GDPR substantially increases the fines that can be imposed by the relevant regulatory bodies in the event of a breach – now up to a maximum of € 20 million or 4% of annual global turnover, whichever is the higher.

Our first article in this series covered step 1 in your journey towards GDPR compliance. This involved carrying out a thorough and exhaustive data and information audit to identify the personal data of EU subjects processed by your company, whether as a data controller or processor, and why. Your second step is to review, in light of the results of the audit and the requirements of the GDPR, your existing data protection policies and practices to ensure their compliance.

Possibly the biggest change with the introduction of the GDPR is the introduction of the Accountability Principle. This states that the data controller is responsible for, and must be able to demonstrate compliance with, all of the requirements of the GDPR. It is crucial, therefore, that you document your data protection policy and practices review process so that you can demonstrate how your updated or new policies comply with the GDPR.

This exercise will be different for every company and exactly which policies and procedures you will need to produce and implement will depend on the results of your audit and the nature of your business. As a helpful reference a list of the most commonly required policies and a short summary of their content is set out below.

  • Data Protection Policy – an overarching policy document that sets out your company-wide approach to data protection. This document can also act as a centralised index which refers to other specialised policy documents such as those included in this list.
  • Privacy Notice 3 – this important document communicates directly with your data subjects. The GDPR requires that all information provided to people about how you process their personal data must be “concise, transparent, intelligible and easily accessible”. It must be written in clear and plain language, especially if directed to a child. It must be free of charge. There are specific details that must be included in your GDPR-compliant privacy notice which are set out in a useful table prepared by the Information Commissioner.
  • Data Protection Impact Assessment (DPIA) Procedure – details your procedure for carrying out a DPIA4 under the GDPR.
  • Records Retention Policy – sets out how long you will keep different types of personal data and why. In addition, this policy will include details on your secure destruction procedures for personal data that is no longer needed.
  • Data Subject Rights Policies – sets out how you handle the exercise by data subjects of their rights under the GDPR. These rights include: access, data portability, rectification, erasure, restricted processing and objection to processing.
  • International Transfer Policy – if you make international transfers of personal data outside of the European Economic Area, this policy will set out how and to whom these transfers are made, and the security measures and transfer agreements in place.
  • Data Protection Officer (DPO) Policy – this document will set out a clear assessment as to whether you consider that you must appoint a DPO and your justifications if you concluded that your company does not require a DPO.
  • Staff Training Policy – sets out your approach to achieving a company-wide staff awareness of data protection as well as high level knowledge for specialist staff.
  • Information Security Policy – sets out how you ensure the protection of personal data. It is likely to require collaboration with your information technology team.

You can find more information about data protection policies and practices from our GDPR webpage and the following helpful Information Commissioner’s Office (ICO) webpages:

The ICO’s privacy notice checklist

The ICO’s table of required information for privacy notices

The ICO’s guide to Data Protection Impact Assessments

The text of the GDPR

The ICO’s guide to the GDPR

The ICO’s self-assessment resources

If you have any questions, or need any assistance with your data audit, please do get in touch.

In our next update we will discuss carrying out staff training to ensure that appropriate staff have the necessary knowledge of the data protection obligations, as well as raising the general education level of all employees.


1 A ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2 A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.