
3 Documents Your Company Needs to Demonstrate GDPR Compliance


The UK General Data Protection Regulation (UK GDPR) is the law governing the use of personal data. Depending on your business activities and how you use personal data, there are various documents you will need to comply with the UK GDPR. This article will explore three key documents most businesses should implement to demonstrate GDPR compliance.

Why Does Documentation Matter for UK GDPR Compliance?

Compliance with UK GDPR is mandatory for any business using personal data. The law applies to virtually all businesses, as most businesses collect and use some form of personal data. For example, most businesses collect personal information relating to customers, suppliers and staff.

There are various UK GDPR compliance documents and procedures which businesses must implement. You should regularly review and update these documents to reflect how your business uses personal data. 

Data protection documentation is extremely important. The UK GDPR has a key concept of ‘accountability’. This means you need to be able to demonstrate compliance with data protection laws. Having comprehensive data protection documents can help demonstrate accountability.

Failing to comply with the UK GDPR can result in consequences such as:

  • severe brand damage;
  • complaints from individuals; and
  • fines from data protection regulators.

Having documentation in place can help businesses comply with the UK GDPR rules and avoid negative implications. In the event of an investigation from data protection regulators, showing you have appropriate documents in place could also help limit damage.

The following section explores three key documents your company needs to demonstrate GDPR compliance.

1. A Data Protection Policy 

A data protection policy is a key internal policy document for compliance. This policy sets out rules around collecting, using, managing, and storing personal data. 

A data protection policy is extremely useful, as it will help you understand the roles and responsibilities of protecting personal data. It can also serve as a fundamental resource for your staff. Staff should refer to the data protection policy to understand what rules apply when using personal data in their day-to-day roles.

Your data protection policy should cover various issues, including:

  • what constitutes personal data; 
  • who is responsible for UK GDPR compliance; 
  • rules around the use of personal data; and
  • how to respond to data breaches. 

2. A Privacy Policy 

As a data controller, you must give clear privacy information to all individuals from whom you collect personal data. A data controller is an organisation that decides how and why to use personal data.

A privacy policy will tell individuals various facts about your use of their personal data, for example:

  • what personal data you collect from them; 
  • how you will use their personal data; 
  • how long you keep their personal data; 
  • who you share their personal data with; 
  • how you will keep their personal data safe; and
  • what their data protection rights are. 

Businesses often publish a privacy policy on their public-facing websites. Often, a privacy policy is directed at the customers of the business. For example, a business needs to tell customers how they will use their information (e.g. their contact details and bank details) and why. This is essential when collecting personal data via a website (e.g. through a ‘Contact Us’ form). 

If your business employs staff (including freelancers), you will need to tell them how you use their data. Businesses should issue separate ‘staff privacy notices’ to inform staff about how their personal data is used. Where you are hiring and collecting data from candidates, you will also need a ‘candidate privacy notice’ to explain how you will use candidate personal data. 


3. Record of Processing Activities

A record of processing activities is a document that sets out various information about your use of personal data. For example, a record of processing activities will lay out:

  • what personal data your business processes;
  • the purpose for using that personal data;
  • your lawful basis for processing that data;
  • who the personal data is transferred to;
  • whether the personal data is transferred outside of the UK; and
  • how the personal data is secured.

Most businesses need a record of processing activities. There is a limited exemption for businesses with fewer than 250 employees. Businesses with fewer than 250 employees will only need to document processing activities that:

  • are not occasional; 
  • are likely to result in risk to the rights and freedoms of individuals; and
  • involve special categories of personal data including criminal convictions and offence data (which is highly sensitive under UK GDPR). 

Despite this exemption, it is highly recommended that you document your data processing activities in a record of processing. The ICO (the UK data protection regulator) recommends this as good practice. 

Keeping records of your data processing is fundamental. It can help you clearly understand what personal data you use, why you use it, and how it flows through your business. You should ensure that this document is regularly updated.

Key Takeaways

The UK GDPR applies to most businesses in the UK. Accountability is at the heart of data protection compliance. Having documentation in place can help you demonstrate your accountability and commitment to compliance. Three key documents that can help your business demonstrate compliance include a data protection policy, a privacy policy and a record of processing activities. Still, you should carefully consider the UK GDPR rules and any other documents you may need.

If you need legal advice on compliance with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Do I need to tell people how I will use their personal data?

Yes. If you collect personal data from individuals as a data controller, you must give them various privacy information. A privacy policy is a document commonly used to provide this information.

What is a data protection policy?

A data protection policy is an internal business document. It sets out rules on how a business should process personal data. Likewise, it serves as a guide for staff who process personal data in their day-to-day roles.

Sej Lamba
