When the European Union adopted the General Data Protection Regulation (GDPR) on 25 May 2018, it represented a seismic shift in the way organisations must think about and handle personal data.
GDPR replaced the older 1995 Data Protection Directive and introduced a unified framework for data protection throughout the EU. In the UK, these rules were transposed into domestic law via the Data Protection Act 2018, creating what is commonly referred to as UK GDPR.
The legislation is designed to give people greater control over their personal information. It defines personal data expansively, recognising that data doesn’t just mean names and email addresses – it actually includes location data, online identifiers such as IP addresses and anything that could be used to profile or identify a living person. This broad definition reflects modern realities: companies now collect, store and analyse vast quantities of digital data about how we live, what we buy and how we behave online.
GDPR’s territorial scope is just as ambitious. It applies to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU or UK – even if that organisation is based outside of those jurisdictions. The message is clear: if you handle EU/UK personal data, you must comply.
Here are some fictional examples of organisations to which GDPR would apply:
- Small UK-based e-commerce retailer selling handcrafted goods to customers in Paris
- US-headquartered social networking site with UK users
- Multinational bank processing loan applications from citizens across Europe
The Regulation lays down six foundational principles that guide every aspect of data processing:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Underpinning all of these is an accountability obligation. Data controllers and processors must be able to demonstrate compliance through documentation, audits and impact assessments.
GDPR also establishes a set of robust rights for data subjects. Data subjects are the identified or identifiable people the data relates to. They have the right to:
- Access their data
- Rectify inaccuracies
- Erase their information under certain conditions (the so-called “right to be forgotten”)
- Restrict processing
- Receive their data in a portable format
- Object to types of processing (such as direct marketing or automated profiling)
For organisations, these provisions translate into concrete operational requirements: procedures for handling subject access requests, processes to enable erasure or restriction and mechanisms to allow data portability in a machine-readable form.
GDPR also introduces stringent breach notification rules. In the event of a personal data breach, data controllers must inform the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours. If the breach poses a high risk to individuals’ rights and freedoms, the organisation must also promptly notify affected data subjects and provide clear explanations of the nature of the breach and measures taken to mitigate its impact.
These features make GDPR one of the most comprehensive and far-reaching data protection regulations in the world. For businesses and public bodies alike, GDPR represents a shift towards accountability, transparency and respect for individual privacy in the digital age.

What is a GDPR policy?
A GDPR policy translates the Regulation’s requirements into clear, actionable guidance that every department and employee within an organisation can follow.
Where GDPR itself provides broad principles and legal obligations, the policy delivers the how.
- How data can be collected
- How consent can be obtained
- How records can be retained, and when they must be deleted
- How breach notifications flow through the organisation
- How requests from data subjects are handled in practice
The policy sets out the organisation’s commitment to GDPR compliance, explaining its purpose in plain English: to protect personal data, uphold individual rights and minimise the risk of regulatory breaches. Beyond that, it delineates the scope – outlining which processing activities fall under GDPR, whether it be customer databases, employee records, marketing activities, CCTV surveillance or website analytics data. By explicitly mapping out every category of processing, the policy prevents gaps or ambiguities that could cause non-compliance.
Governance is a key pillar of any effective GDPR policy. The Regulation requires larger organisations or those engaged in high-risk processing to appoint a data protection officer (DPO). The policy will name the DPO (or, if one is not mandated, the senior manager responsible for data protection), describe their role and explain how employees can escalate questions or incidents. It also emphasises board-level oversight, ensuring that senior management remains engaged in data protection, sponsors regular reviews and allocates adequate resources to privacy and security initiatives.
Ultimately, the policy codifies roles and responsibilities, making it clear that everyone has a part to play.
GDPR principles in practice
Embedding GDPR’s six core principles into day-to-day operations requires a cultural transformation. Each principle influences organisational decisions from the earliest stages of product design to the final deletion of obsolete records months or years down the line.
Let’s look at these principles in more detail.
Note that beyond these six, GDPR’s Accountability Principle requires that organisations maintain detailed records of their processing activities, conduct data protection impact assessments (DPIAs) for high-risk projects, and be prepared to demonstrate compliance to the ICO when requested.
Lawfulness, fairness and transparency
A business must articulate a valid lawful basis each time it collects personal data. For an online retailer, lawful bases might include fulfilling a contract (processing delivery details, for example) or legitimate interests (such as sending one-off marketing communications about related products).
Crucially, transparency demands that organisations provide clear privacy notices at the point of data collection. In practice, this means crafting concise, accessible statements – avoiding legalese and confusing messaging – that explain what data is gathered, why it’s needed, how it will be used, who it might be shared with, how long it will be retained and what rights individuals can exercise.
In the UK, the ICO recommends layering information. For example, an organisation can provide a short summary on a website banner or leaflet with links to a longer policy for those who want to read more detail.
Purpose limitation
Organisations must define specific, legitimate purposes for each data processing activity and resist the temptation to repurpose data without proper re-notification or additional consent.
A common pitfall occurs when marketing teams try to reuse customer data originally collected for billing. They cannot do this unless the new use is compatible with the original purpose or they have asked customers for renewed consent.
Maintaining a data processing register helps document each purpose, supporting both internal clarity and external accountability.
Data minimisation
Startups and SMEs often struggle with “data hoarding”, a practice at odds with GDPR’s minimalist ethos.
You should only collect the data that is strictly necessary for your stated purpose. If your recruitment portal requires a candidate’s academic history and professional qualifications, it doesn’t also need their marital status or favourite hobbies. Regular reviews of data collection forms, customer relationship management (CRM) fields and legacy databases enable organisations to prune unnecessary data points.
Besides reducing exposure in the event of a breach, data minimisation has the added benefit of cutting data storage costs.
Accuracy
Inaccurate records can result in poor customer service and regulatory sanctions. Organisations must implement processes for verifying and updating personal data.
For financial services firms subject to anti-money-laundering checks, this might include re-validating identification documents on a yearly cycle. For healthcare providers, it could mean immediately correcting errors in patient records when flagged by clinicians.
Staff training on how to handle correction requests equips them to resolve errors swiftly and document changes appropriately.
Storage limitation
Holding onto data “just in case” often backfires. A well-defined retention schedule ties each category of data to a business justification – for example, seven years for payroll records to satisfy HMRC, two years for direct marketing consents under UK best practice, or statutory minimums for clinical trial data under the Medicines for Human Use (Clinical Trials) Regulations 2004.
Your organisation should employ secure deletion or anonymisation methods to mitigate risks once data reaches the end of its lifecycle.
Integrity and confidentiality
Security underpins all these GDPR principles.
Technical measures such as encryption (both at rest and in transit), network segmentation, multi-factor authentication and regular vulnerability scanning create robust defences against external threats.
Organisational measures – role-based access controls, clean-desk policies, background checks for employees with privileged system access and mandatory security-awareness training – further strengthen defences.
For highly sensitive sectors such as legal services or medical research, additional layers like hardware security modules (HSMs) or on-premises air-gapped storage may be warranted.

Things to include in a GDPR policy
A GDPR policy must be comprehensive and practical. Below are the essential components your policy should cover, illustrated by theoretical examples.
Introduction and legal framework
Begin by setting the context: explain that this policy implements the UK GDPR and Data Protection Act 2018, summarise the organisation’s commitment to data protection and define key terms. For instance, “personal data” should be defined in line with Article 4 of the GDPR, accompanied by examples such as names, addresses, IP addresses, cookies, CCTV footage, health information and financial records.
Clarify the distinction between a data “controller” (who decides why and how data is processed) and a “processor” (who processes data on behalf of the controller).
Data protection principles and lawful bases
In the policy, describe how each GDPR principle underpins your organisation’s ethos. Use everyday examples to bring the lawful bases to life.
For instance, if you operate a loyalty programme, you may rely on contractual necessity to process purchase data. For customer satisfaction surveys, you might seek consent using a clear opt-in such as, “I agree to be contacted for feedback purposes.”
Make it clear that consent must be specific, informed, freely given and easy to withdraw – such as by contacting the data protection team directly.
Roles and responsibilities
Narrate the governance structure. Here’s an example:
“Our data protection officer, Jane Smith, reports directly to the board and is responsible for advising on compliance, conducting training sessions and liaising with the ICO. Data process owners in each department must maintain up-to-date records of their processing activities. All staff are mandated to complete annual data protection e-learning modules and report any suspected breach to their line manager and the information-governance helpline immediately.”
Data subject rights
Rather than bulleting each right, tell the story of how a typical subject access request (SAR) flows through your organisation.
Imagine a customer emails your company to ask for a copy of all the personal data you hold about them. The SAR is logged in the data protection register and assigned to a case officer who gathers records from CRM, finance and support systems, reviews them for third-party data, redacts where necessary, and issues the complete dossier within 30 days.
Similarly, describe a scenario in which an ex-employee exercises their right to erasure, prompting an audit of email archives, shared drives and mailing lists, ensuring that their personal data is removed from every system, subject to any legal retention obligations.
Consent management
Expand on consent workflows in your GDPR policy.
For example, when a website visitor opts in to marketing communications, the “consent” flag is stored alongside a timestamp, IP address and the specific checkbox label they agreed to. If the individual later withdraws consent via an unsubscribe link, a script automatically updates the database, triggers confirmation emails and logs the withdrawal for audit purposes. For children under 13, parental consent is verified through a double opt-in email sent to a guardian, in line with ICO guidance.
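The consent workflow just described, written out as an added example (not code from the original article): consent is stored with its timestamp, IP address and the exact checkbox label, withdrawal via the unsubscribe path is idempotent and audited, and consent from an under-13 is not relied upon until a guardian completes the double opt-in. The in-memory ledger, outbox and audit log are constructed stand-ins for a real database and mail system.

```python
"""Consent ledger for the workflow described above (added example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # e.g. "marketing_email"
    checkbox_label: str               # the exact wording the person agreed to
    ip_address: str
    granted_at: datetime
    age: Optional[int] = None
    guardian_verified: bool = False   # double opt-in completed by a guardian (under-13s)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """In-memory stand-in for the consent table, outbound mail queue and audit log."""

    def __init__(self):
        self._records = {}   # (subject_id, purpose) -> ConsentRecord
        self.outbox = []     # emails the automation would send; constructed stand-in
        self.audit_log = []  # append-only events kept for audit purposes

    def record_consent(self, subject_id, purpose, checkbox_label, ip_address, age=None, now=None):
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(subject_id, purpose, checkbox_label, ip_address, now, age=age)
        self._records[(subject_id, purpose)] = rec
        self.audit_log.append(("granted", subject_id, purpose, now.isoformat()))
        if age is not None and age < 13:
            # Consent from a child under 13 is not relied upon until a guardian confirms it.
            self.outbox.append(("guardian_verification", subject_id, purpose))
        return rec

    def confirm_guardian(self, subject_id, purpose, now=None):
        """Called when the guardian clicks the double opt-in link."""
        now = now or datetime.now(timezone.utc)
        rec = self._records[(subject_id, purpose)]
        rec.guardian_verified = True
        self.audit_log.append(("guardian_verified", subject_id, purpose, now.isoformat()))

    def withdraw_consent(self, subject_id, purpose, now=None):
        """Unsubscribe-link handler: idempotent, confirms to the subject and logs the event."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        self.outbox.append(("withdrawal_confirmation", subject_id, purpose))
        self.audit_log.append(("withdrawn", subject_id, purpose, now.isoformat()))
        return True

    def is_permitted(self, subject_id, purpose):
        """Check before every send: active consent, and guardian-verified for under-13s."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        if rec.age is not None and rec.age < 13 and not rec.guardian_verified:
            return False
        return True
```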
Data retention and disposal
Narrate your company’s retention schedule. Describe how different categories of data are each assigned a retention period based on legal, regulatory and business requirements. When the retention period expires, automated deletion scripts and physical shredding services ensure that data is irrecoverably destroyed. Keep certificates of destruction to present in an audit.
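An added example of a retention schedule being enforced, covering both the storage-limitation schedule described earlier (payroll kept seven years for HMRC, marketing consents two years) and the automated disposal and destruction records described here; it is not the article's own code. The support-ticket category, the record data and the fixed run date are constructed, and a legal-hold flag is assumed so that an expired record under litigation is held rather than destroyed.

```python
"""Retention-schedule enforcement (added example, not from the page)."""
from dataclasses import dataclass
from datetime import date

# Category -> (years to keep, justification, disposal method). The payroll and
# marketing-consent periods are the ones quoted in the text; support_ticket is constructed.
RETENTION_SCHEDULE = {
    "payroll": (7, "HMRC record-keeping requirement", "delete"),
    "marketing_consent": (2, "UK best practice for refreshing consent", "delete"),
    "support_ticket": (3, "constructed: business need for service history", "anonymise"),
}


@dataclass
class Record:
    record_id: str
    category: str
    reference_date: date      # payroll year end, date consent was given, ticket closed, etc.
    legal_hold: bool = False  # pending litigation or a regulator request overrides the schedule


def add_years(d, years):
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_actions(records, today):
    """Decide, per record, whether to retain, hold, delete, anonymise or flag for review."""
    actions = []
    for rec in records:
        if rec.category not in RETENTION_SCHEDULE:
            actions.append((rec.record_id, "review", "no retention period defined"))
            continue
        years, justification, method = RETENTION_SCHEDULE[rec.category]
        expiry = add_years(rec.reference_date, years)
        if today < expiry:
            actions.append((rec.record_id, "retain", "expires " + expiry.isoformat()))
        elif rec.legal_hold:
            actions.append((rec.record_id, "hold", "legal hold overrides schedule"))
        else:
            actions.append((rec.record_id, method, justification))
    return actions


def destruction_certificate(actions, today, operator):
    """Audit evidence for every record actually disposed of in this run."""
    return [
        {"record_id": rid, "method": act, "date": today.isoformat(),
         "operator": operator, "basis": why}
        for rid, act, why in actions if act in ("delete", "anonymise")
    ]


# Constructed sample data and a fixed run date so the output is reproducible.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("pay-2017", "payroll", date(2017, 3, 31)),                  # expired 2024-03-31
    Record("mkt-2024", "marketing_consent", date(2024, 1, 1)),         # expires 2026-01-01
    Record("tkt-2021", "support_ticket", date(2021, 5, 1)),            # expired 2024-05-01
    Record("tkt-2020", "support_ticket", date(2020, 5, 1), legal_hold=True),
    Record("cctv-7", "cctv_footage", date(2025, 5, 1)),                # not on the schedule
]

if __name__ == "__main__":
    for action in disposal_actions(SAMPLE_RECORDS, AS_OF):
        print(action)
```

Records in a category missing from the schedule are flagged for review rather than silently retained, which is the gap a policy review should close.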
Data security and breach response
Explain how your incident-response process works in practice.
For example, an IT team member detects unusual activity on the network and raises an incident. The dedicated breach response team meets within two hours, conducts a risk assessment to determine the likelihood and severity of harm to individuals, notifies the ICO within 72 hours and drafts notification letters to affected data subjects.
Remediation steps include forced password resets, additional staff training and infrastructure upgrades. These are logged in a post-incident review, which is shared with senior management and used to update the policy.
Data protection impact assessments (DPIAs)
Rather than listing when DPIAs are required, walk through an example.
For instance, before launching a new mobile app that uses geolocation to deliver personalised offers, the project team maps data flows, identifies risks such as tracking individuals without explicit opt-in, and proposes mitigating controls (such as granular consent screens, data encryption modules and automatic deletion of location logs after 48 hours). The DPO signs off on the DPIA, which is then added to the DPIA register. The company revisits it after three months of operation to assess real-world impacts.
Third-party processors and international transfers
Describe your due diligence process.
For example, imagine the company is selecting a cloud hosting provider based in the US. The legal team conducts a processor questionnaire to ensure ISO 27001 certification, negotiates standard contractual clauses into the agreement and implements additional technical controls (such as restrictions on data export locations). Before transferring data to any country without an adequacy decision, a data transfer impact assessment evaluates local law enforcement access and human-rights safeguards. Findings are documented in an internal report.
Training, awareness and monitoring
Paint a picture of your training programmes and initiatives.
For example, every new starter completes a mandatory two-hour workshop covering basic data protection principles, phishing awareness and breach-reporting procedures.
Quarterly newsletters highlight recent ICO guidance, high-profile breach cases and best practices for secure remote working.
A dedicated intranet portal contains video tutorials, FAQs and a simulated phishing-email tool to measure staff susceptibility.
Key risk indicators – such as the number of open SARs, average breach-response times and training-completion rates – are reviewed by senior management at monthly governance meetings.
Policy review and version control
Explain how the policy stays current.
For example, at least once a year, the DPO convenes a policy review committee comprising representatives from legal, IT, HR and operations. This committee responds to legislative updates, ICO guidance changes or significant incidents by revising relevant sections, recording version changes in a policy history log and publishing updates on the intranet with a “Last Updated” banner. This ensures everyone is working to the latest standards.

Why is GDPR important?
GDPR compliance delivers wide-ranging benefits.
Risk management
Having robust data protection processes dramatically reduces the likelihood of costly breaches, enforcement notices or fines – which, under UK GDPR, can reach up to £17.5 million or 4% of global turnover.
In 2020, the ICO issued an £18.4 million fine to Marriott for a historic breach affecting millions of customers, underscoring how data security lapses can result in eye-watering penalties and serious reputational harm. While organisations can appeal or present mitigating factors to reduce the final amount, the resulting fines are often still substantial and damaging. For example, Marriott’s original proposed fine was £99 million, but its mitigating factors included making substantial improvements to cybersecurity and the impacts of COVID-19.
Building and maintaining trust
Organisations that prioritise data protection build trust with customers and partners. A clear privacy policy, transparent practices and swift responses to data requests signal respect for individual rights, strengthening brand loyalty.
Research by PwC in 2024 shows that 79% of consumers say that protecting their data is very important to earning their trust – a statistic that places GDPR compliance firmly within any organisation’s competitive strategy.
Operational efficiency
Organisations can eliminate obsolete or redundant records, reduce storage costs and simplify IT infrastructure by enforcing data minimisation principles.
Manual retention and deletion can take up valuable staff time, so automated processes are useful. Meanwhile, centralised consent-management platforms ensure marketing teams never accidentally contact unsubscribed individuals. These efficiencies yield both cost savings and a lower risk profile.
Culture of privacy-by-design
GDPR fosters a culture of privacy-by-design. Organisations learn to think critically about collection practices, asking deeper questions: Do we need that extra data field? Can we obtain sufficient insights through aggregated, anonymised datasets? Asking these questions early helps reduce risk and encourages smarter solutions – like using privacy-conscious analytics or designing services that don’t rely on personal data at all.
What is a GDPR policy for?
A strong GDPR policy sets out how your organisation approaches data protection. It links strategic goals with day-to-day practices, providing a clear framework for handling personal data responsibly and consistently across the business.
It acts as a:
- Blueprint for compliance – by translating statutory requirements into clear guidance, a GDPR policy ensures every employee understands their role in protecting personal data, from customer service representatives to board directors.
- Risk management tool – through DPIAs, breach response protocols and retention schedules, it identifies, mitigates and monitors data protection risks, reducing the likelihood of regulatory action or reputational damage.
- Customer trust builder – publicly sharing a concise privacy summary and an up-to-date policy reinforces an organisation’s commitment to ethical data use, making it easier to attract and retain privacy-conscious consumers and business partners.
- Operational reference point – it documents processes, assigns responsibilities and establishes review cycles to promote consistency and efficiency across different departments and geographic regions.
- Audit and governance framework – detailed version control, mandatory training records and periodic audits demonstrate accountability, providing evidence of compliance in the event of ICO inquiries or third-party assessments.
In short, a GDPR policy underpins an organisation’s reputation, operational resilience and strategic agility in an increasingly data-driven world.
Conclusion
Crafting a GDPR policy touches every corner of an organisation – legal, IT, HR, marketing, operations and beyond. By embedding the six data protection principles into daily practice, establishing clear governance structures and documenting every process end to end, you create a resilient framework that satisfies regulatory demands and builds customer trust, operational efficiency and long-term innovation.
From detailed privacy notices and DPIAs to breach-response protocols and retention schedules, each component of the policy plays a vital role in safeguarding personal data and upholding individual rights. For UK organisations navigating the evolving data protection landscape, a living, breathing GDPR policy – one that’s regularly reviewed, updated and communicated – is the single most effective tool for demonstrating accountability, managing risk and seizing the competitive advantage that comes from being a trusted custodian of personal information.