Policies & Documents

In order to comply with data protection law, we have a number of template policies and types of documentation that we can tailor to your organisation's requirements.

Legal Basis Flowcharts: These allow you to easily determine when you can lawfully process personal data. The flowcharts enable you to identify the legal basis for processing, as data protection laws require you to do.

Privacy Notice Checklists: These aid you in drafting your privacy notice in line with the detailed requirements of UK data protection law.

Privacy Notices: We can assist you in drafting internal privacy notices for employees, job candidates and contractors. We can also assist you in preparing external-facing privacy notices aimed at customers, website and app users.

Appropriate Policy Document: UK data protection law (the Data Protection Act 2018) requires organisations to have what is known as an "Appropriate Policy Document" when processing special category and criminal offence data under certain circumstances. We can help you tailor this to meet your requirements.

Template DPIA: If you intend to implement new procedures, engage a new supplier or undertake new projects which are likely to result in a high risk to the rights and freedoms of individuals, you must complete a Data Protection Impact Assessment. This template simplifies the process for your organisation.

Data Protection Policy and Privacy Standard: This will allow you to inform your staff of what is expected of them when processing personal data as part of their role. We can tailor this to your internal policies and procedures.

Data Subject Rights Procedures: A rights request can go to anyone inside your organisation. The request can be made verbally or in writing. The data subject does not need to expressly state that they are making a request to exercise a right under data protection legislation. To ensure your staff can recognise and act on these requests, it is essential to have this procedure in place.

Personal Data Breach Policy and Procedure: If a notifiable personal data breach occurs within your organisation, you only have 72 hours from becoming aware of the breach to inform the ICO (or other relevant regulator outwith the UK). The time constraints surrounding breaches mean that your staff must be able to act quickly, and a procedure outlining how to handle a breach will assist them in doing this.

Document Retention Policy: Under data protection law, your organisation should not hold on to personal data for any longer than necessary. A document retention policy will allow you to comply with this requirement by specifying retention periods for the different types of personal data held by your organisation.

Guidance Tool – Determining Roles of Parties: Before appropriate contractual agreements can be put in place, organisations must understand what role they play under data protection legislation (this can include a sole controller, joint controller, processor or sub-processor). This tool will aid you in determining this.

Data Processor Checklist: Before selecting a service provider, it is important that you are comfortable with the provider's IT security measures (which should align with your organisation), their data protection compliance status, their location and the sub-contractors they engage. You must also ensure that your contract with them meets certain minimum requirements. This checklist will help you manage the risks associated with appointing providers to process information on your behalf.

Cookie Policy: Your organisation must provide clear and comprehensive information about the cookies your website uses and the purposes for which you use them. In many cases, you also need to obtain consent from users before setting cookies. This policy will allow you to inform visitors to your website about the cookies you use and why you use them.

Contracts

Data Processing/Data Sharing arrangements: We can provide you with data processing and sharing arrangements tailored to your organisation. Whether this is a formal contract or an informal FAQ/protocol document, we can ensure it meets the needs of your organisation.

General Contractual Arrangements: We also offer to review and update your existing contracts to ensure they are in line with current data protection standards. We can provide you with contracts that comply with data protection laws and which outline the liabilities of parties in relation to any breaches of these laws.

Consent: Consent is now more difficult to obtain under data protection legislation. We can assist you in ensuring that your consent requests are valid and can inform you when consent is the most appropriate legal basis upon which to rely for processing. If consent is not appropriate, we can outline the other options available to you.