Writing a data protection policy and procedures

Use this to help you write your data protection policy and procedures and other related documents. It should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.

There are lots of links between this guide and other information on data protection. We recommend you use the pages together. There’s a lot of information, but once you start working through it, it should all become clear.

Your data protection policy is the commitment you’re making to protect data in accordance with the law. Your procedures show how you’re going to achieve your aims and comply with the law.

Some organisations have a specific data protection policy. Others cover data protection in their other policies and procedures.

Use these key principles that apply to all policy writing.

Make sure it’s:

• appropriate to your organisation's size, culture and activities
• easy for staff and volunteers to understand and follow
• workable for your organisation
• reviewed on a regular basis (at least annually).

Don’t confuse your data protection policy with your privacy policy, notice or statement. The latter is a document you write to share with people whose data you are going to collect, so they know what you’re doing with it. Read our guidance on writing a privacy notice.

It’s often easier to provide your policy and procedures as a set of shorter documents rather than one long one. Or have one document with sections.

Here’s a suggestion to follow. There are links throughout taking you directly to sections in our other data protection pages with more information to help you complete each part of your policy documents.

Your data protection policy needs to cover the following.

• Your commitment to the legal principles.
• Your commitment to the people's rights relating to your data.
• Your intention to ensure that lawful processing is carried out.
• Your intention to minimise data collection.
• A commitment to, and a process for, ensuring staff are trained and up to date.
• A statement about how often you’ll review this document and all the related policies and procedures.
• A list of all the related policies and procedures.

Your data retention and deletion policy needs to cover:

• how long you’ll keep data and how you’ll delete it
• any factors that’ll influence your decisions on this for different projects.

Your policy on how to keep systems secure needs to include:

• where data can be stored (what countries)
• where data can be stored (whose computers, how should they be looked after)
• what people can and can’t do with the data or with computers the data is processed on.

If you have any of these policies already it may cover this.

• An IT policy
• An acceptable use of IT policy
• Bringing your own device policy (working from home)
• Social media policy
• Cybersecurity risk planning
• CCTV policy

Use our five steps to cybersecurity guide for some basic advice.

Your data processing procedure needs to include the actions staff should take when working with data to make sure they’re using it safely and legally.

The best way to create these is to start from your record of the data you keep.

• If you have a register of data or a privacy impact assessment, use that.
• If you’re starting from scratch use our information on how to audit the data you hold.

From those records, do the following.

• For each type of data pick out your lawful basis for holding the data.
• Check whether there are any additional rules because the data is in a special category.
• Pick out the best practice you have that complies with the requirements and use that to create procedures to follow.
• Add information about what you do when you decide to work with any third parties to process data for you.

When you write these up you may have one procedure, with sections for different types of data, or different procedure documents for different types of data.

Procedure for when someone wants their data (known as subject access request procedure)

We cover why you need this and the types of information it should cover in our guide to preparing for when someone wants to see their data.

Procedure for when you have a data breach

This is always a stressful situation. Don’t wait until your first crisis to create a procedure. Act now by having simple guidelines to follow using the information in our guide to preparing for a data breach.

Training plan for staff and volunteers

Every organisation needs a training plan that’s right for the type of data people are able to access, and what they’re able to do with it.

You need to make sure they know the following.

• What personal data is - help them with examples, it isn’t always intuitive.
• What sensitive data is.
• How to keep data safe.
• How to report a data breach or other security issues.
• That you'll support them to fix problems, not blame them, in the case of accidents.

If you’re working a lot with data that is classed as sensitive or special category don’t rely on this guidance. You’ll have additional formal obligations.

Check the ICO guidance on processing special category data.

If you’re running projects from multiple countries you'll be working with varied data protection laws. You need to stay up to date with news and changes across the globe.

• Privacy International is an NGO focused on global data rights. Browse the latest news from Privacy International.

You’ll need to have a privacy policy or notice that you can share with anyone whose data you’re holding. You can use it to help them make an informed decision when you ask for consent.

You can use a template to do this. Make sure you read it carefully and complete and delete the parts that need amending.

Use the ICO privacy notice template.