Sample data protection policy template

Sample data protection policy template

Our sample data protection policy template will help your business create a clear data protection policy and meet its obligations under UK data protection law. It is free to download and you can customise specified sections to suit your own business needs

Download sample data protection policy >>
(Microsoft Word, 62KB)

If you would like to include this on your own website, you must credit the IT Donut and link back to this original page.

Why you need a data protection policy

UK data protection law is not to be messed with. The Data Protection Act 1998 applies to every business that collects, stores and uses personal data relating to customers, staff or other individuals.

Failing to follow the rules could mean a fine of up to £500,000.

A clear data protection policy makes sure everyone in your company understands why data protection is important. It also describes procedures for collecting, working with and storing data.

Our sample data protection policy template

Our sample data protection policy template is designed to help you create a data protection policy that works for your business.

As every company is different, it’s important to consider how you work with data and write a policy to suit your circumstances.

You can use our sample data protection policy template as a starting point and add, remove or change information as required.

Data protection is an important issue for every business, so it’s a good idea to seek professional advice before putting your policy into action. Using a sample data protection policy template may allow you to reduce your costs, because you won’t need to ask your lawyer to create a policy from scratch.

You can download our sample data protection policy template now. It’s a Word file, so most computers should be able to open it automatically.

Download sample data protection policy >>
(Microsoft Word, 58KB)

Data protection policy template structure

The Data Protection Act is founded on eight principles of data protection. These say that data must:

  1. Be processed fairly and lawfully
  2. Be obtained only for specific, lawful purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and kept up to date
  5. Not be held for any longer than necessary
  6. Processed in accordance with the rights of data subjects
  7. Be protected in appropriate ways
  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Our sample data protection policy template is organised along similar lines, addressing each of these principles to explain:

  • To what types of data the policy applies.
  • Who in the business is responsible for data protection.
  • The main data risks faced by the company.
  • Key precautions to keep data protected.
  • How data should be stored and backed up.
  • How the company ensures data is kept accurate.
  • What to do if an individual asks to see their data.
  • Under what circumstances the business discloses data, and to whom.
  • How the company keeps individuals informed about data it holds. 

Implementing your data protection policy

Your data protection policy should be a practical document. Your staff should be able to understand it and refer to it when they need data protection advice.

It’s important to review your data protection policy regularly. Most companies do this about every two years. You should also review if your business changes how it operates or plans to start storing data in a new way.

It’s a good idea to require staff to read your data protection policy (and sign a document to that end) when you introduce it. It should also be part of your induction programme for new employees.

However, always remember that a policy alone is not enough to ensure your business keeps its data safe and operates within the law. Training, expert advice and clear lines of responsibility are other important considerations.

Written with expert input from Craig Sharp of Abussi Ltd.