Data protection policy (GDPR-friendly for use after 25 May 2018)


20 minutes to complete

Short-form data protection policy (note: this is not a privacy policy) for organisations that wish to develop a simple policy setting out their internal rules for complying with the upcoming General Data Protection Regulation.

Is this right for me?

This document is right for your organisation if:

  • You hold personal data about individuals as part of your activities. This could be information about employees, donors, supporters or any other individuals.
  • You are not doing anything complex with the personal data that you hold and require only a basic policy setting out the principles which your organisation follows to comply with data protection law.
  • You have an existing data protection policy but require a new policy which is compliant with the General Data Protection Regulation.

This document is not right for your organisation if:

  • You do not hold or process any personal data about individuals.
  • The information that you hold about individuals is sensitive (includes details about a person’s race, political opinions, religion, physical or mental health, sexuality, criminal record or trade union membership). If your organisation is processing sensitive personal data, bespoke advice about how you process that information is necessary.
  • You need a detailed policy on a particular aspect of data protection compliance - e.g. data retention.
  • Your organisation is engaged in complex data processing operations or processes a large volume of personal data.
  • You need advice on consent statements or on using data for marketing or fundraising purposes.

Please note: After our step-by-step customisation process, the document will be sent to you in an uneditable PDF format. If you would like more specific advice on data protection and particularly data collection statements (including opt-ins or opt-outs), please contact Bates Wells at and a member of our legal team will be able to give an estimate for providing bespoke advice. 

This is an updated version of our previous policy and is appropriate for use now that the General Data Protection Regulation has become law in the UK. Please note that law and regulatory guidance in this area continue to evolve. The ICO has published additional guidance on the interpretation of the GDPR. In addition, the Data Protection Act 2018 has affected the interpretation of the GDPR and the data protection legislative landscape in the UK. The policy may need to be updated to reflect changes to law and guidance.

If the policy is updated before 31 Dec 2018, we'll provide updated versions to everyone who purchased the document before that date.


What do I need before I start?

You will need to know:

  • Your organisation’s full name.
  • Who your organisation holds personal data about, for instance volunteers, employees, donors or supporters.
  • The name of the role or the individual at your organisation who is or will be responsible for the organisation’s data protection compliance, e.g. data protection officer. You will also need the contact details of the person who will be performing that role.
  • Whether your organisation is legally required under the GDPR to appoint a Data Protection Officer.
  • What security measures your organisation currently has in place, or will have in place by the time this policy is implemented, to protect the information that you are holding. You will need to liaise with those members of your organisation who assist with computers/IT to find out whether you have access to the technology needed for certain security measures, for instance encryption of laptops and memory sticks.
  • The name of the person at your organisation who is responsible for computers/IT.
  • Whether there are any situations in which your organisation transfers personal data outside the European Economic Area.
  • How regularly your organisation reviews its ICO notification (if it has one).
  • How often your organisation plans to update its data protection policy.
  • How your organisation refers to board members, i.e. as trustees or directors.
  • Whether your organisation has fewer than 250 employees.

Remember: If you don’t have everything you need you can make a start, save the information and return to complete the form another time.





Q: What is the process?

A: Once you have logged in and paid for the form you will be asked a series of questions. These questions help us to create exactly the right document for you. There is lots of information to help you. Once you have finished the document it will be emailed to you with more instructions about what to do next.

Q: What if I don’t have time to complete the form?

A: If you don’t have all the information you need or if you get interrupted you can save the information you have inputted and return to the document later.

Q: What if I want more information about other policies?

A: You may find some of the other resources on Bates Wells Get Legal helpful; there is a range of different policies available that may be useful to your organisation. If you would like more specific advice about your organisation’s circumstances, please contact Bates Wells at or 020 7551 7777 and a member of our legal team will be able to give an estimate for providing bespoke advice.

Q: Can I use this as a public facing privacy policy?

A: No. A privacy policy is an external facing document which is intended to inform data subjects about the nature of the processing that you are carrying out. A data protection policy is an internal document setting out a framework for handling data correctly. It is not intended to be a public facing document (though some organisations choose to make their data protection policies public).


How it Works

  • Select a legal document you need from our library.
  • Answer some simple questions on your organisation.
  • Your customised PDF document is emailed to you.