Data Protection & Privacy template

About this document

A data protection and privacy policy explains how an organisation collects, uses, stores, and safeguards personal data in line with its legal obligations. It documents the principles, lawful bases, and controls that govern processing. A strong policy builds trust and demonstrates accountability to regulators and individuals.

Who needs one: Any organisation that handles personal data about customers, employees, or other individuals.

What a strong data protection & privacy covers

• Data protection principles and lawful bases for processing
• Roles such as data controller, processor, and protection lead
• Individual rights and how requests are handled
• Data minimisation, accuracy, and retention practices
• Security measures and personal data breach procedures
• International data transfers and third-party safeguards

Regulations and frameworks this aligns to

PolicyKit references the standards relevant to your jurisdiction when it generates your data protection & privacy.

GDPR

The EU General Data Protection Regulation, governing how organisations collect, use, and protect personal data of people in the EU.

UK GDPR

The retained UK version of the General Data Protection Regulation, governing how organisations process the personal data of people in the UK.

CCPA

The California Consumer Privacy Act, granting California residents rights over how businesses collect, share, and use their personal information.

CPRA

The California Privacy Rights Act, which amends and expands the CCPA and established the California Privacy Protection Agency.

Data Protection Act 2018

The UK statute that supplements and implements data protection law alongside the UK GDPR, including law-enforcement and intelligence-service processing.

Frequently asked questions