Skip to content

3 Documents Your Company Needs to Demonstrate GDPR Compliance

Table of Contents

The UK General Data Protection Regulation (UK GDPR) is the law governing the use of personal data. Depending on your business activities and how you use personal data, there are various documents you will need to comply with the UK GDPR. This article will explore three key documents most businesses should implement to demonstrate GDPR compliance.

Why Does Documentation Matter for UK GDPR Compliance?

Compliance with UK GDPR is mandatory for any business using personal data. The law applies to virtually all businesses, as most businesses collect and use some form of personal data. For example, most businesses collect personal information relating to customers, suppliers and staff.

There are various UK GDPR compliance documents and procedures which businesses must implement. You should regularly review and update these documents to reflect how your business uses personal data. 

Data protection documentation is extremely important. The UK GDPR has a key concept of ‘accountability’. This means you need to be able to demonstrate compliance with data protection laws. Having comprehensive data protection documents can help demonstrate accountability.

Failing to comply with the UK GDPR can result in consequences such as:

  • severe brand damage; 
  • complaints from individuals and 
  • fines from data protection regulators.  

Having documentation in place can help businesses comply with the UK GDPR rules and avoid negative implications. In the event of an investigation from data protection regulators, showing you have appropriate documents in place could also help limit damage.

The following section explores three key documents your company needs to demonstrate GDPR compliance.

1. A Data Protection Policy 

A data protection policy is a key internal policy document for compliance. This policy sets out rules around collecting, using, managing, and storing personal data. 

A data protection policy is extremely useful, as it will help you understand the roles and responsibilities of protecting personal data. It can also serve as a fundamental resource for your staff. Staff should refer to the data protection policy to understand what rules apply when using personal data in their day-to-day roles.

Your data protection policy should cover various issues, including:

  • what constitutes personal data; 
  • who is responsible for UK GDPR compliance; 
  • rules around the use of personal data; and
  • how to respond to data breaches. 
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

2. A Privacy Policy 

As a data controller, it is mandatory to give clear privacy information to all individuals whom you collect personal data from. A data controller is an organisation that decides how and why to use personal data. 

A privacy policy will tell individuals various facts about your use of their personal data, for example:

  • what personal data you collect from them; 
  • how you will use their personal data; 
  • how long you keep their personal data; 
  • who you share their personal data with; 
  • how you will keep their personal data safe; and
  • what their data protection rights are. 

Businesses often publish a privacy policy on their public-facing websites. Often, a privacy policy is directed at the customers of the business. For example, a business needs to tell customers how they will use their information (e.g. their contact details and bank details) and why. This is essential when collecting personal data via a website (e.g. through a ‘Contact Us’ form). 

If your business employs staff (including freelancers), you will need to tell them how you use their data. Businesses should issue separate ‘staff privacy notices’ to inform staff about how their personal data is used. Where you are hiring and collecting data from candidates, you will also need a ‘candidate privacy notice’ to explain how you will use candidate personal data. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

3. Record of Processing Activities

A record of processing activities is a document that sets out various information about your use of personal data. For example, a record of processing activities will lay out:

  • what personal data your business processes; 
  • the purpose for using personal data; 
  • your lawful basis is for processing that data; 
  • who personal data is transferred to; 
  • whether personal is transferred outside of the UK; and 
  • how personal data is secured.

Most businesses need a record of processing activities. There is a limited exemption for businesses that employ less than 250 employees. Businesses with less than 250 employees will only need to document processing activities that:

  • are not occasional; 
  • are likely to result in risk to the rights and freedoms of individuals; and
  • involve special categories of personal data including criminal convictions and offence data (which is highly sensitive under UK GDPR). 

Despite this exemption, it is highly recommended that you document your data processing activities in a record of processing. The ICO (the UK data protection regulator) recommends this as good practice. 

Keeping records of your data processing is fundamental. It can help you clearly understand the personal data you use and why and how it flows through your business. You should ensure that this document is regularly updated.  

Key Takeaways

The UK GDPR applies to most businesses in the UK. Accountability is at the heart of data protection compliance. Having documentation in place can help you demonstrate your accountability and commitment to compliance. Three key documents that can help your business demonstrate compliance include a data protection policy, a privacy policy and a record of processing activities. Still, you should carefully consider the UK GDPR rules and any other documents you may need.

If you need legal advice on compliance with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Do I need to tell people how I will use their personal data?

Yes. If you collect personal data from individuals as a data controller, you must give them various privacy information. A privacy policy is a document commonly used to provide this information.

What is a data protection policy?

A data protection policy is an internal business document. It sets out rules on how a business should process personal data. Likewise, it serves as a guide for staff who process personal data in their day-to-day roles.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards