How to write a GDPR data protection policy

A crucial part of your EU GDPR (General Data Protection Regulation) project is producing documentation to demonstrate your compliance. One of those necessary documents is a data protection policy.

To help you prepare one, we will outline what a data protection policy is, what you should include, what tools can help your organization produce this essential document, and offer a template that does most of the hard work for you.

What is a data protection policy?

Article 24(2) of the GDPR states that “Where proportionate in relation to processing activities, […] measures […] shall include the implementation of appropriate data protection policies by the controller.”

Policies differ from procedures, as they are high-level documents that set principles, rather than details of how, what and when things should be done. Policies must:

  • Be implementable and enforceable
  • Be concise and easy to understand
  • Balance security with productivity

In addition to the above, a data protection policy should include:

  • Topics covered by the policy
  • Reasons why the policy is needed
  • Contact details
  • Roles and responsibilities
  • Objectives of the policy
  • Information on how to handle violations

For example, your data protection policy may include instructions for staff involved in collecting client data, specifying that they should collect only the minimum amount of data required.

Data protection policy template

Knowing where to start when compiling your data protection policy can be difficult, especially in large organizations with many business objectives, contacts and responsibilities.

Below is an example of the customizable data protection policy template from IT Governance. This is available individually or as part of a suite of templates and tools from the market-leading EU GDPR Documentation Toolkit.

[Image: extract of the data protection policy template available from IT Governance USA]


The EU GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organizations worldwide. The toolkit includes:

  • A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR
  • Helpful dashboards and project tools to ensure complete coverage of the GDPR
  • Direction and guidance from expert GDPR practitioners
  • Two licenses for the GDPR Staff Awareness E-learning Course

Get your data protection policy template here >>

Take a free trial to see how the EU GDPR Documentation Toolkit can help you with your compliance project >>
