HR policies

Transform your hiring with Charlie Recruit!

Say hello to better, faster, fairer hiring with our new recruitment software add-on. Find out more.

Why you need a data protection policy (with free template)

Why you need a data protection policy (with free template)

When it comes to writing a data protection policy, it feels like there’s a lot you should know, and even more you can get wrong.

If you’re finding the world of data protection confusing and intimidating, you’re definitely not alone — especially if you run a startup or small business. 

Getting to grips with any of your HR policies is vital, but finding clear and comprehensive answers in the complex regulatory language can be really difficult. 

And if you don’t understand the data protection rules, how do you ensure that your own small business complies with them?

Well, that’s where I come in. Together, we’ll cut through the jargon and get to the nuts and bolts of data protection.

Start a 7-day free trial of CharlieHR

Safeguarding personal, important or sensitive information from loss, corruption or harm is known as data protection.

We live in a world built on data, with more information being created, processed and stored than ever before. Protecting that information has now become paramount — especially if you’re a business. 

What is a Data Protection Policy?

A data protection policy will set out how a business handles and protects all the information collected and processed about its people – whether that’s employees, customers, suppliers or someone else.

Your data protection policy will act as a set of rules and protections and should be aligned with the Data Protection Act.

Data protection policies ensure that organisations:

  • Comply with data protection law and follow good practice
  • Protect the rights of their teams, customers and partners
  • Are transparent about storing and processing data
  • Are protected from the risks of a data breach.

A data protection policy is a document that communicates your commitment to protecting personal data and complying with GDPR. It also sets out how you will ensure ongoing compliance with the regulations through your internal processes, your company values, and the use of technology.

Why is a data protection policy important?

Your data protection policy must be put in place smoothly and effectively so that you can:

  • Ensure legal compliance for your business
  • Have rules to process, share and delete data when necessary
  • Get your customers to understand what their legal rights are with their data
  • Protect yourself against any legal prejudice
  • Understand how long you can keep your customers and employee's data for
  • Balance employee privacy by keeping their data safe

Do you need a data protection policy for small businesses?

Data laws apply to all businesses, regardless of whether they’re big or small.

As a small business, a data protection policy will:

  • Give you a framework for ensuring GDPR compliance
  • Help to explain GDPR to your team
  • Show your commitment to preventing data breaches

GDPR is extremely complex, which is why it remains so daunting, even as a concept. A data protection policy breaks down the regulation so it’s more easily understood and implemented  — making it applicable to your business and what you do

Some challenges may, however, arise when you're writing a data protection policy for small businesses such as:

  • Ensuring legal compliance can be challenging with fewer resources
  • Process data classification can require a lot of work
  • Developing procedures for obtaining and managing consent for data can take a lot of time
  • Developing solid procedures to respond to data breaches and security can be challenging in a small business
  • Hiring external support can be very costly

What should a data protection policy include?

We’ve broken down our own data protection policy at Charlie into the following sections:

Data protection policy definition

Outlining the policy, and who it applies to.

Scope of the policy

This applies to all personal data processed, regardless of where it’s stored and whether it’s about past or present employees, workers, customers, suppliers, or any other data subject.

Data protection principles

Adhering to the GDPR principles, which state that all personal data is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up-to-date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Fair, lawful and transparent processing

Processing personal data lawfully, fairly and transparently. 

Processing personal data with the consent of the data subject.

Note: Consent can be difficult to obtain under the GDPR. It must be “freely given, specific, informed and unambiguous”.


Responsibility for implementing appropriate technical and organisational measures to ensure compliance with the data protection principles.

Purpose limitation

Collecting personal data for explicit and legitimate purposes that are clear up front. Data that’s incompatible with these purposes will not be processed.

Data minimisation

Processing data that’s strictly necessary and relevant, and deleting or anonymising it when it’s no longer needed. 


Checking the accuracy of any personal data when it’s collected and at regular intervals, and deleting or correcting inaccurate or out-of-date personal data.

Storage limitation

Keeping personal data in an identifiable form for no longer than necessary, and only for the stated purposes for which it was collected and processed.

Integrity and confidentiality

Securing personal data through technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. 

Personal data breaches

Notifying the appropriate regulator, and in some cases the data subject, of a data breach, unless it’s unlikely to risk the rights and freedoms of individuals. Recording all personal data breaches.

Data subjects’ rights

Regarding rights in regards to the processing of personal data. For example:

  • Withdrawing consent to the processing of their personal data
  • Requesting access to their personal data 
  • Preventing the use of their data for direct marketing

Record keeping

Keeping full and accurate records of all data processing activities as required by law. Including:

  • Data subjects’ consent to the processing of their personal data
  • The purposes of the data processing
  • Recipients of the personal data

Direct marketing

Abiding by marketing rules and privacy laws. (Customers need to give their consent to be sent electronic direct marketing like emails or texts.) 

Sharing personal data

Sharing personal data with third parties under specific circumstances. For example:

  • The third-party needs the data to provide the contracted services
  • The privacy notice has made it clear that the data will be given to third parties for express purposes.

Data protection policy template for UK small business (free!)

As a fellow small business, at Charlie we understand that talking about data protection is one thing, but putting it into action is quite another. 

That’s why I’m including a data protection policy template for UK small businesses for free with this article.

Click below to download our data protection policy template, and then edit it so it applies to your own business:

This template will make it much easier for you to implement a data protection policy at your small business. 

If you have any questions about the template, or how to adapt it so it better fits with what you do, then please get in touch with me or another one of our HR Advisors. It’s our job to help you out. 

3 Tips to write your data protection policy

Writing a data protection policy can be stressful, especially with the wording. Here are our 3 tips to ensure your data protection policy makes sense:

  • Fits your company size and your culture
  • Is easy to read through with simple language and clear structure
  • Is reviewed every year or when necessary to make sure it still aligns with the law requirements

How an HR professional can help with your data protection policy

As I said at the beginning of this article, when it comes to writing a data protection policy, it feels like there’s a lot you should know, and even more you can get wrong. 

But just because you run your own business, it doesn’t mean you have to always be on your own. Even though legal support and cybersecurity experts can be very expensive for small businesses, there are alternatives.

That's where we come in. As small business HR experts, we support owners and their teams with policy creation and the management of employee issues. 

Hundreds of UK small businesses already look to Charlie for support with data protection and policy making. Why not join them?

Click here to book a call about our HR Advice service

Read Next

Try Charlie for free

Take a week-long trial