Free GDPR Policy Template and Instructions

A GDPR privacy policy sets out how you will handle your customer’s personal information. This policy is sometimes confused with a ‘GDPR policy’ but these documents are distinct.

A GDPR policy establishes your organisation’s aims and measures for complying with the UK’s General Data Protection Regulation (GDPR).

A GDPR privacy policy explains to your customers how and why you’re processing their personal information. It also informs them of their rights as data subjects (individuals who are having their personal information processed). The official name for this type of policy is a ‘privacy notice’.

This guide offers instructions on writing your privacy policy (aka privacy notice). The free GDPR policy template we’re providing is based on one offered by the Information Commissioner’s Office (ICO). The ICO enforces the UK GDPR and advises businesses how to comply. You can find their version, along with further guidance, here.

Yes. Every organisation that processes personal information needs to write a privacy notice. Privacy notices are required under Article 14 of the UK GDPR, which covers the principle of transparency.

Under Article 14, all organisations must provide individuals with privacy information before processing their personal information. Privacy information includes:

• Why you’re processing their personal information
• How long the personal information will be held
• Who the personal information will be shared with

This information is the foundation of your privacy notice.

You can write your organisation’s privacy policy yourself.

The ICO acknowledges that many smaller businesses must manage GDPR compliance without the resources of other larger firms. There’s no expectation to bring in a contractor or specialist to write your policy.

With that being said, privacy policies are a legal requirement. You must comply with the ICO’s guidance and include all necessary information written clearly and simply. Our template will help you do this.

Before you write, gather the following information. You must include it all in your privacy policy.

Provide your organisation’s complete contact information. This contact information must include your Data Protection Officer’s details if you have one.

First, it’s important to define the lawful basis (or bases – you can have more than one) for your data processing activities. There are six reasons you can legally process personal data. These are:

• Consent: The individual has given explicit consent for you to process their personal data for a specific purpose
• Contract: The processing is necessary for a contract you have with the individual
• Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations)
• Vital Interests: The processing is necessary to protect someone’s life
• Public Task: The processing is necessary for you to perform a task in the public interest
• Legitimate Interests: The processing is necessary for your or a third party’s legitimate interests

If it’s unclear which applies to your organisation, you can see the ICO’s website. They offer an interactive tool to help define the lawful basis for your data processing.

Privacy information is what your customers need to know before consenting to their personal information being processed. You must tell them:

• What personal information will be processed
• Where personal information has come from, if not directly from the customer
• Why you’re processing the customer’s personal information
• What you do with the personal information
• Who the personal information is shared with
• How long you keep the personal information for

Data subject is the official term for the individual whose personal information is being processed. For most small businesses, data subjects are their customers.

Under the General Data Protection Regulation, data subjects have rights. These rights are written out in the policy, so we won’t list them here. Of course, it’s vital you understand and uphold them.

Now you have the necessary information to hand, you can download our GDPR policy template and start writing.

When writing, remember that readability is crucial. Use as simple language as possible and express yourself clearly. So, consider who needs to read and understand your policy. For example, if you process children’s personal information, your policy must be easy enough for them to follow.

We’ve broken down each section below with guidance on how to complete it.

This section is straightforward. Add your organisation’s contact details. Include the date your policy was written, too.

Explain the personal information you collect. Personal information refers to anything that can directly or indirectly identify someone. Refer to the ICO if you’re unclear on what needs to be listed in this section.

Explain where you collect personal information from and why.

Your reasons for data processing must refer to a lawful basis.

It’s also important to highlight if personal information is shared with any third party.

Finally, underline your customers’ right to withdraw consent to data processing.

Secure storage of personal information is critical for GDPR compliance. It’s also fundamental to consumer trust.

Reassure customers that their data will be stored securely. Then, explain how long it will be stored and what happens to it after this period expires.

These details are required for every type of personal information you process.

This section lists your data subjects’ rights under UK GDPR. Depending on your data processing activities, not every right will apply. You can delete any that are irrelevant.

The only thing you need to add to this section is contact details. Customers need to know how to get in touch if they want to exercise any of their rights.

Tell customers how they can make a complaint related to their personal information. Include the relevant contact details.

This section also includes contact details for the ICO. People have the option to complain directly to the regulatory body if they feel unfairly treated.

Make it available. Customers need to see your privacy policy before their information is processed. They should also be able to access it at a later date.

Putting your policy on your organisation’s website is probably the most straightforward solution.

As with any policy, regular reviews are necessary. Customers should also be made aware of any changes.

Download your free GDPR privacy policy template here.

Writing a privacy policy is just one GDPR duty. To ensure overall compliance, you must embed data protection principles into your business operations. This is where our GDPR Awareness Training comes into play.

Our online training course is designed to help your team understand and implement GDPR compliance effectively.

It covers the GDPR Fundamentals all employees handling personal data must know, including key terms, roles and responsibilities. It also offers practical strategies all organisations can adopt to maintain the integrity and security of personal data.

This training makes data protection relevant to all staff and supports their understanding of GDPR compliance.