Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, chances are you’re handling personal data every day - customer emails, delivery addresses, employee records, supplier contacts, website enquiries, and more.
That’s where a solid data protection policy template comes in. It’s not just a “nice-to-have” document you keep in a drawer. A well-drafted policy helps you comply with the UK GDPR and the Data Protection Act 2018, reduce the risk of data breaches, and show customers (and your team) that you take privacy seriously.
In this guide, we’ll break down what a data protection policy should include in the UK, how it differs from a privacy policy, and how you can tailor a template to your business without getting lost in legal jargon.
What Is A Data Protection Policy (And Why Does It Matter)?
A data protection policy is an internal document that explains how your business handles personal data and what your staff need to do to keep it secure and compliant.
It usually covers things like:
- what counts as “personal data”
- the rules your business follows when collecting and using data
- security measures and access controls
- how to deal with requests from individuals (like subject access requests)
- what happens if there’s a data breach
In other words, it’s your practical playbook for handling data safely and lawfully.
That’s different from your public-facing privacy policy, which tells customers and website users how you use their information. If you collect personal data from the public (for example via a website form, online store checkout, or mailing list sign-up), you’ll usually also need a Privacy Policy.
What Laws Apply In The UK?
In the UK, the main data protection rules are set out in:
- UK GDPR (the UK version of the General Data Protection Regulation)
- Data Protection Act 2018 (which sits alongside UK GDPR and adds extra rules in certain areas)
- PECR (Privacy and Electronic Communications Regulations - relevant for marketing emails, cookies, and electronic communications)
The key point: even if you’re a tiny business, these rules can still apply if you’re processing personal data.
Do Small Businesses Really Need A Data Protection Policy?
Most small businesses should have one - especially if you employ staff, store customer information, or use cloud tools to run your operations.
Technically, UK GDPR doesn’t say “every business must have a document titled ‘Data Protection Policy’”. But it does require you to:
- process personal data lawfully, fairly and transparently
- keep personal data secure
- only collect what you need
- keep it accurate and up to date
- not keep it longer than necessary
- be able to demonstrate compliance (this is the “accountability” principle)
A data protection policy is one of the simplest and most practical ways to demonstrate that you’ve thought about compliance and trained your team on what they should do.
When A Data Protection Policy Is Especially Important
You’ll want to prioritise this if:
- you have employees or contractors handling customer data
- you process “special category data” (like health information)
- you store data in multiple tools (CRM, email marketing, cloud storage)
- you handle complaints, refunds, bookings or membership accounts
- you use AI tools at work and you’re unsure what happens to the data you input (questions like “is this confidential?” come up a lot - and it’s worth thinking about internal rules such as an Acceptable Use Policy)
Even if you’re not legally required to have a detailed document, having a clear policy often saves you time and stress later - especially if something goes wrong and you need to respond quickly.
What Should A UK Data Protection Policy Include Under GDPR?
If you’ve been searching for a data protection policy template, you’ve probably noticed that many templates are either too vague to be useful or so technical they’re hard to implement.
A strong UK policy should be tailored to how your business actually operates, but most policies will include the sections below.
1) Purpose And Scope
Start by explaining what the policy is for and who it applies to. For example:
- employees, contractors, temps and interns
- anyone who processes personal data on your behalf
- all devices and systems used for business (including BYOD if you allow it)
This section matters because it sets expectations and makes the policy enforceable internally.
2) Definitions (Personal Data, Processing, Data Subject)
You don’t need pages of definitions, but you should clearly explain core terms in plain English, such as:
- Personal data: information that identifies a living individual (name, email, phone number, and in many cases online identifiers like IP addresses)
- Special category data: more sensitive data like health data, ethnicity, biometrics
- Processing: basically anything you do with data - collecting, storing, using, sharing, deleting
This avoids misunderstandings and helps your team spot personal data risks early.
3) Your GDPR Principles And Lawful Bases
Your policy should reflect the UK GDPR principles, including transparency, data minimisation, accuracy, and storage limitation.
It should also cover lawful bases (the legal reasons you can use personal data). Most small businesses commonly rely on:
- Contract (e.g. fulfilling an order or service agreement)
- Legitimate interests (e.g. running your business, preventing fraud - where balanced with the individual’s rights)
- Legal obligation (e.g. payroll records, tax requirements)
- Consent (often used for certain types of marketing or optional processing)
Your policy doesn’t need to list every processing activity, but it should make clear to staff that the business only uses personal data when it has a proper lawful reason to do so.
4) Roles And Responsibilities
Small businesses often get caught out here because everyone assumes “someone else” is dealing with GDPR.
Your policy should set out:
- who is responsible for data protection day-to-day (even if you’re not required to appoint a Data Protection Officer)
- who approves new tools/vendors that process personal data
- who handles data subject requests and complaints
- what staff must do if they suspect a breach
5) Data Security Rules (Technical And Organisational Measures)
This is usually the most useful part of a data protection policy - because it turns GDPR into practical steps.
Your policy should cover security controls that make sense for your business, such as:
- password management and multi-factor authentication (MFA)
- access controls (who can access what, and why)
- secure storage and encryption where appropriate
- secure disposal (shredding paper files, and securely wiping data from devices before they are reused or disposed of)
- remote working rules and device security
- how you assess cloud tools (including where data is stored, who can access it, and what contractual safeguards are in place)
Tip: this is one place where generic templates often fall short. If your team doesn’t understand the rules, they won’t follow them - so keep it simple and specific.
6) Data Breach Management
Your policy should explain what a “data breach” is and what to do if one happens.
That includes:
- how staff should report suspected breaches internally (and how quickly)
- how your business investigates and contains the breach
- how you assess the risk to individuals
- when you may need to report to the ICO and/or notify affected individuals (including that you generally must notify the ICO within 72 hours of becoming aware of a breach that’s likely to result in a risk to people’s rights and freedoms)
- what records you keep about the incident
Many businesses also use a separate incident response document to guide the step-by-step process, such as a Data Breach Response Plan.
7) Data Subject Rights (And How You Handle Requests)
Individuals have rights under UK GDPR, including the right to access their personal data (often called a “subject access request”), to correct inaccurate data, and in some cases to have it deleted.
Your policy should cover:
- who receives and logs requests
- how you verify identity (to avoid sending data to the wrong person)
- internal deadlines and escalation paths (including that you usually must respond within one month, although this can be extended by up to two further months for complex requests)
- how you search for data across systems
Even if you only get one request a year, having a process makes it much easier to respond within the required timeframe.
8) Data Retention And Deletion
Under UK GDPR, you shouldn’t keep personal data longer than you need it.
Your policy should explain:
- how long you keep different categories of data (e.g. customer records, marketing lists, job applicant CVs)
- how you securely delete data when it’s no longer required
- who approves exceptions (for example, where a legal dispute is ongoing)
Retention is one of those “small admin” tasks that can cause big problems if you ignore it - so it’s worth setting clear rules from day one.
9) Staff Training And Compliance
A data protection policy is only effective if your team knows it exists and understands it.
Make sure your policy states:
- when staff receive training (onboarding, annual refreshers, role-specific training)
- where the policy is stored and how updates are communicated
- what happens if the policy is breached (disciplinary processes, reporting, etc.)
A Practical Data Protection Policy Template Structure You Can Use
If you’re looking for a data protection policy template you can adapt quickly, here’s a practical structure that works for many UK small businesses. You’ll still need to tailor the details (especially security measures, data types, and your workflows), but this will help you get the framework right.
Suggested Headings For Your Policy
- Introduction (why the policy exists)
- Scope (who and what it applies to)
- Key Definitions (personal data, special category data, processing)
- Our Data Protection Principles (summary of UK GDPR principles)
- Lawful Bases For Processing (high-level approach)
- Roles And Responsibilities (who does what)
- Data Collection And Use Rules (how staff should collect, share and handle data)
- Data Security (access controls, passwords, devices, storage, remote work)
- Third Parties And Data Processors (vendor approvals, contracts, due diligence)
- International Transfers (what happens if tools store data outside the UK, and the safeguards you’ll use such as adequacy regulations or the UK International Data Transfer Agreement/addendum where needed)
- Data Retention And Secure Disposal
- Data Subject Rights And Requests
- Data Breaches (reporting and response)
- Training And Monitoring
- Review And Updates (version control, review dates)
Don’t Forget Your Other “Supporting” Documents
In practice, a data protection policy works best when it lines up with the other documents and systems in your business.
Depending on how you operate, you might also need:
- a public Privacy Policy for customers and website users
- data protection clauses in your supplier/customer contracts (especially where a supplier processes personal data for you)
- internal IT and device rules (often captured in an Acceptable Use Policy)
- a clear breach workflow, such as a Data Breach Response Plan
This is also where many businesses decide to put a proper GDPR compliance pack in place, such as a GDPR package, so the documents actually work together (rather than existing as disconnected templates).
How Do You Implement Your Data Protection Policy Day-To-Day?
Having a policy is one thing. Making it part of your daily operations is what actually reduces risk.
Here are practical steps you can take to make your policy real (and not just paperwork).
1) Map Where Personal Data Lives
Make a simple list of:
- what personal data you collect (customers, employees, suppliers)
- where it comes from (website forms, emails, calls, in-person)
- where it’s stored (cloud drive, accounting software, CRM, laptops)
- who has access
This gives you the information you need to tailor a template to your actual systems.
2) Restrict Access Early
One of the easiest compliance wins is limiting access to personal data. If someone doesn’t need access to a spreadsheet of customer details, they shouldn’t have it.
This also helps if a staff member leaves or a device is lost - fewer people with access means fewer ways for data to be exposed.
3) Train Your Team In Plain English
Most data issues happen because someone clicked the wrong link, forwarded an email to the wrong person, or used a personal device without proper security.
Your training doesn’t need to be complicated. Focus on the situations your team actually faces, like:
- how to spot phishing emails
- when it’s okay (and not okay) to share customer details
- how to handle customer requests for their information
- what to do immediately if they think data has been exposed
4) Review Your Tools And Vendors
If you use cloud tools, booking platforms, payment providers, email marketing tools, or outsourced support, you’re often sharing personal data with third parties.
Your policy should set expectations for vendor onboarding, including whether a data processing agreement is required, what security checks you do, and who approves it.
5) Keep The Policy Updated
Your business will change - new staff, new tools, new services, new ways of collecting customer data. A policy written two years ago might not match your current operations.
Set a review cycle (e.g. every 12 months, and also whenever you onboard a major new system).
If you’re using new tech (like AI tools), it’s worth setting internal ground rules early - especially around what can be pasted into external systems and what must stay confidential.
Key Takeaways
- A data protection policy template is a starting point, but your policy should be tailored to how your business actually collects, uses, stores and shares personal data.
- In the UK, data protection compliance is primarily governed by the UK GDPR and the Data Protection Act 2018, and small businesses are often covered.
- Your data protection policy should clearly cover scope, GDPR principles, lawful bases, security measures, breach management (including the 72-hour ICO notification window where applicable), data subject rights (including the usual one-month response timeframe), retention rules, and staff responsibilities.
- The most useful policies include practical rules your team can follow day-to-day - not just legal definitions.
- It’s smart to align your internal policy with your public Privacy Policy and supporting documents like an Acceptable Use Policy and Data Breach Response Plan.
- If you’re unsure what applies to your business (especially around vendors, cloud tools, international transfers, or sensitive data), getting legal advice early can save you a lot of time - and reduce risk as you grow.
If you’d like help putting a data protection policy in place (or tailoring a template properly to your business), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.