Compliance policy templates
Every template below is a professionally structured starting point that PolicyKit tailors to your specific business, industry, and jurisdiction — generated by AI in minutes, ready to export as PDF or Word.
Cybersecurity & Information Security
Protect your systems, networks, and data from cyber threats. Aligned with NIST Cybersecurity Framework and Cyber Essentials.
Data Protection & Privacy
Manage personal data lawfully and transparently. Covers GDPR, UK GDPR, and US privacy law (CCPA/CPRA) requirements.
Acceptable Use & Access Control
Define how employees and contractors may use company systems, devices, and data — and who can access what.
Incident Response
Prepare for, detect, contain, and recover from security incidents and personal data breaches. Includes breach notification obligations.
Vendor & Third-Party Risk
Assess and manage the compliance and security risks posed by suppliers, partners, and third-party service providers.
Operational Risk Management
Identify, assess, and control risks arising from internal processes, people, systems, and external events.
Privacy Policy
Customer-facing privacy notice explaining what personal data you collect, why, how long you keep it, and how people can exercise their rights. Required under GDPR Article 13/14 and CCPA.
Cookie Policy & Consent Notice
Cookie disclosure and consent notice for your website or app. Covers cookie categories, purposes, third-party cookies, and opt-out mechanisms under ePrivacy/PECR and GDPR.
Data Processing Agreement (DPA)
Binding contract between a data controller and data processor (e.g. a supplier, SaaS vendor, or cloud provider). Required under GDPR Article 28. Especially powerful when sent to suppliers via the acknowledgment flow.
Terms of Service / Terms & Conditions
Legally structured agreement between your business and its customers or users covering service scope, payment, liability, acceptable use, and governing law.
Anti-Bribery & Corruption Policy
Mandatory policy under the UK Bribery Act 2010 (Section 7 — failure to prevent bribery). Covers gifts, hospitality, third-party due diligence, and the Adequate Procedures defence. Required for all UK companies.
Whistleblowing Policy
Protected disclosure procedure under the UK Public Interest Disclosure Act 1998 (PIDA). Establishes confidential reporting channels, protected categories of disclosure, and non-retaliation protections. FCA-regulated firms have additional SYSC 18 obligations.
Employment Contract / Statement of Particulars
Legally required written statement of employment particulars (Employment Rights Act 1996, s.1). Covers duties, pay, hours, holiday, notice, restrictive covenants, and disciplinary/grievance procedures. Must be provided from day one of employment.
Remote Working Policy
Governs hybrid and fully remote working arrangements including equipment, security, expenses, working hours, and health & safety obligations under the Health and Safety at Work Act 1974 for home offices.
BYOD Policy (Bring Your Own Device)
Regulates personal device use for work purposes. Covers data segregation, MDM enrollment, remote wipe rights, acceptable use, and separation of personal and corporate data under GDPR.
Disciplinary & Grievance Procedure
Formal procedure aligned to the ACAS Code of Practice on Disciplinary and Grievance Procedures (statutory minimum). Covers warnings, investigation, hearings, appeals, and gross misconduct. Reduces employment tribunal exposure.
Equal Opportunities & Diversity Policy
Policy covering all nine protected characteristics under the Equality Act 2010. Covers recruitment, promotion, reasonable adjustments, harassment, and victimisation. Mandatory framework for employers.
Code of Conduct / Employee Code of Ethics
Sets out expected standards of professional behaviour including conflicts of interest, confidentiality, social media use, gifts, and reporting obligations. Foundation document for disciplinary procedures.
Business Continuity Plan (BCP)
Documents how your organisation maintains critical operations during disruptions (cyber attack, outage, pandemic, natural disaster). Sets RTO/RPO targets, key personnel, escalation paths, and recovery procedures. Essential for FCA-regulated firms and increasingly required by enterprise customers.
Disaster Recovery Policy
Technical recovery procedures for IT systems and data after a major incident. Covers backup strategy, failover, RTO/RPO targets, runbook, and quarterly testing requirements. Complements the BCP with the technical detail.
Document Retention & Disposal Policy
Governs how long different types of records are kept and how they are securely destroyed. Aligned to UK GDPR storage limitation principle, Companies Act 2006, and sector-specific obligations. Reduces litigation exposure and ensures regulatory compliance.
Password & Access Management Policy
Sets requirements for password strength, MFA, SSO, privileged access management, and access reviews. Aligned to NCSC guidance and Cyber Essentials. Critical for ISO 27001 and Cyber Essentials certification.
Social Media Policy
Governs employee use of social media — both on company accounts and personal accounts when referencing work. Covers brand voice, prohibited content, regulatory marketing constraints, and monitoring rights.
AI Usage Policy
Governs employee and organisational use of AI tools including generative AI (ChatGPT, GitHub Copilot, Google Gemini). Covers approved tools, prohibited inputs (PII, confidential data), IP and copyright considerations, output review requirements, and accountability. No established standard yet — strong differentiator.
Subject Access Request (SAR) Procedure
Documented procedure for handling UK GDPR Article 15 Subject Access Requests. Covers identity verification, 1-month response deadline, data gathering, redaction of third-party information, exemptions, and ICO escalation. Reduces risk of ICO enforcement action.
Anti-Money Laundering (AML) Policy
Policies and procedures for preventing money laundering and terrorist financing. Required for regulated sectors under the Money Laundering Regulations 2017. Covers CDD/KYC, enhanced due diligence, SARs, MLRO appointment, and staff training.
Supplier Code of Conduct
Sets minimum ethical, environmental, security, and data protection standards for all suppliers and third parties. Covers Modern Slavery Act obligations, GDPR DPA requirements, anti-bribery, and audit rights. Directly supports vendor risk management.
HIPAA Privacy Policy
US HIPAA-compliant privacy policy for covered entities and business associates handling Protected Health Information (PHI). Covers Notice of Privacy Practices, minimum necessary standard, BAA requirements, patient rights, and breach notification. Required for US healthcare organisations.
PCI DSS Security Policy
Security policy aligned to PCI DSS v4.0 for organisations storing, processing, or transmitting payment card data. Covers cardholder data environment scope, security controls, vulnerability management, access control, and annual compliance requirements.
FCA Compliance Policy
Compliance framework for FCA-regulated firms (banks, insurers, payment firms, investment advisers). Covers FCA Principles for Businesses, Consumer Duty (2023), SM&CR prescribed responsibilities, financial promotions, complaints handling, and annual compliance programme.
ISO 27001 — Information Security Management
Build and document your Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022. Covers scope definition, risk treatment, Annex A controls, Statement of Applicability, and continual improvement. Essential for enterprise procurement and regulated sector vendor qualification.
SOC 2 Readiness — Trust Services Criteria
Prepare for a SOC 2 Type II audit against the AICPA Trust Services Criteria. Covers all five trust service categories (Security, Availability, Confidentiality, Processing Integrity, Privacy) and the Common Criteria (CC1–CC9). Critical for SaaS and tech companies selling to enterprise customers.
AI Governance & Ethics Policy
Govern the responsible development, procurement, and deployment of AI and machine learning systems. Covers EU AI Act risk classification, NIST AI RMF alignment, bias and fairness controls, human oversight requirements, and transparency obligations. Essential for any organisation building or using AI tools in 2024–2025.
DORA — Digital Operational Resilience Act
Meet the EU Digital Operational Resilience Act (DORA) requirements that became mandatory for financial entities from 17 January 2025. Covers ICT risk management, incident classification and reporting, digital operational resilience testing, and third-party ICT provider oversight. Applies to banks, insurers, investment firms, fintechs, and their critical ICT providers.
HIPAA Compliance Policy
Protect Protected Health Information (PHI) and meet the requirements of the Health Insurance Portability and Accountability Act. Covers the Privacy Rule, Security Rule, Breach Notification Rule, administrative safeguards, physical safeguards, and technical safeguards. Essential for US healthcare providers, health plans, and business associates.
Modern Slavery & Human Trafficking Statement
Meet transparency obligations under the UK Modern Slavery Act 2015 and prepare for EU Corporate Sustainability Due Diligence (CSDD) requirements. Covers supply-chain risk assessment, due diligence processes, staff training, whistleblower procedures, and annual statement publication. Expected by enterprise procurement teams regardless of legal threshold.
Cookie & Consent Management Policy
Manage website cookies, trackers, and user consent in compliance with GDPR, UK GDPR, PECR, and CCPA. Covers cookie categorisation (strictly necessary, functional, analytics, marketing), consent mechanisms, consent withdrawal, cookie banner requirements, and third-party tracker governance. Required for every website serving EU, UK, or California residents.
Remote Work & BYOD Policy
Govern secure remote working practices and personal device use for business purposes. Covers device enrolment, minimum security standards, acceptable use, data classification handling, VPN requirements, incident reporting, and off-boarding. Aligned to NIST CSF and ISO 27001 Annex A controls for access and asset management.
Records Retention & Data Deletion Policy
Define how long different types of records must be kept and ensure secure, documented deletion when retention periods expire. Covers legal retention obligations (GDPR Article 5(1)(e) storage limitation, Companies Act, HMRC requirements), data minimisation, secure disposal, and the right to erasure. Essential for GDPR compliance and audit readiness.
NIS2 — Network & Information Systems Security
Meet the EU NIS2 Directive requirements that became enforceable from October 2024. Covers risk management measures, supply-chain security, incident reporting to national authorities within 24/72-hour windows, business continuity, and senior management accountability. Applies to essential and important entities across 18 critical sectors including cloud, SaaS, and digital infrastructure.
ESG & Sustainability Reporting
Environmental, Social and Governance (ESG) reporting policies and frameworks. Covers GRI Standards, ISSB/IFRS S1-S2, TCFD, CSRD, and regional mandatory disclosure requirements.
Anti-Money Laundering (AML/CFT)
Anti-Money Laundering and Counter-Terrorism Financing compliance programs. Covers FATF 40 Recommendations, regional AML legislation, KYC/CDD, and suspicious activity reporting.