Use this to help you write your data protection policy and procedures and other related documents. It should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.
There are lots of links between this guide and other information on data protection. We recommend you use the pages together. There’s a lot of information, but once you start working through it, it should all become clear.
Your data protection policy is the commitment you’re making to protect data in accordance with the law. Your procedures show how you’re going to achieve your aims and comply with the law.
Some organisations have a specific data protection policy. Others cover data protection in their other policies and procedures.
Use these key principles that apply to all policy writing.
Make sure it’s:
Don’t confuse your data protection policy with your privacy policy, notice or statement. The latter is a document you write to share with people whose data you are going to collect, so they know what you’re doing with it. Read our guidance on writing a privacy notice.
It’s often easier to provide your policy and procedures as a set of shorter documents rather than one long one. Or have one document with sections.
Here’s a suggestion to follow. There are links throughout taking you directly to sections in our other data protection pages with more information to help you complete each part of your policy documents.
Your data protection policy needs to cover the following.
Your data retention and deletion policy needs to cover:
Your policy on how to keep systems secure needs to include:
If you already have any of these policies, they may cover this.
Use our five steps to cybersecurity guide for some basic advice.
Your data processing procedure needs to include the actions staff should take when working with data to make sure they’re using it safely and legally.
The best way to create these is to start from your record of the data you keep.
From those records, do the following.
When you write these up you may have one procedure, with sections for different types of data, or different procedure documents for different types of data.
Procedure for when someone wants their data (known as subject access request procedure)
We cover why you need this and the types of information it should cover in our guide to preparing for when someone wants to see their data.
Procedure for when you have a data breach
This is always a stressful situation. Don’t wait until your first crisis to create a procedure. Act now by having simple guidelines to follow using the information in our guide to preparing for a data breach.
Training plan for staff and volunteers
Every organisation needs a training plan that’s right for the type of data people are able to access, and what they’re able to do with it.
You need to make sure they know the following.
If you’re working a lot with data that is classed as sensitive or special category, don’t rely on this guidance alone. You’ll have additional formal obligations.
If you’re running projects in multiple countries, you’ll be working with varied data protection laws. You need to stay up to date with news and changes across the globe.
You’ll need to have a privacy policy or notice that you can share with anyone whose data you’re holding. You can use it to help them make an informed decision when you ask for consent.
You can use a template to do this. Make sure you read it carefully, complete the parts that apply to you and delete the parts that don’t.
Use the ICO privacy notice template.
Last reviewed: 02 March 2021