Policy and Procedure Drafting

If your organisation processes personal data it is essential that it has policies and procedures in place which provide clear direction and practical guidance about how personal data may be used.

Having robust data protection policies and procedures:

  • Raises awareness and educates your employees about the importance of data protection
  • Reduces the risk of errors and non-compliance when handling personal data
  • Helps promote a data protection culture throughout your organisation
  • Makes good data governance and best practice the default position
  • Demonstrates to customers, employees and partners that you look after their personal data properly

Our Data Protection team can draft concise and transparent data protection privacy documentation for you to ensure that your organisation complies with data protection law. We work with you to first understand how you use personal data in order to accurately reflect this in your suite of data protection policies and procedures, privacy notices and data processing and data-sharing agreements. We can also help you with the ongoing management, review and update of your data protection documentation.  


Your data protection procedures and policies

Your policies and procedures should be tailored to your organisation’s personal data processing activities, and generic templates are unlikely to represent a true picture of how you use personal data. Data protection policies and procedures in the workplace must be accessible and your employees must be aware of them. It is also important to review and update your privacy documentation over time to reflect changes in the way your organisation uses personal data and changes to the law.

If your organisation processes personal data it is likely that you should have some, or all, of the following internal and external-facing documents in place:

  • Data Protection Policy
  • Sales and Marketing Policy
  • CCTV Policy
  • Appropriate Policy Document (Special Category and Criminal Convictions Data)
  • Retention Policy
  • Record of Processing Activities
  • Data Protection Impact Assessments
  • Legitimate Interest Assessments
  • Privacy Notice
  • Employee Privacy Notices

Our experienced, specialist team draft policies and procedures for clients across a wide range of sectors. We focus on making sure that privacy documentation is transparent, accurate and practical, and meets the current data protection legislation requirements.


Policies and practices update

We can review and, where appropriate, redraft any policies you use concerning the collection or processing of data within your organisation, such as:

  • Privacy notices – These are designed to give individuals a full, clear picture of how and why their information will be processed. The GDPR is prescriptive in what must be included in such statements.
  • Terms and conditions – Where you provide goods or services to customers you may use terms and conditions to govern your relationship. It could be a good idea to update your standard terms to ensure they are GDPR compliant.
  • Internal privacy policies for staff – It is useful to update these in light of GDPR to ensure they adequately cover any new requirements and/or information security steps adopted by your organisation.

Contract review

We can conduct reviews and provide redrafts of any contracts you have in place such as:

  • Data sharing agreements – These apply if you contract to share data with another organisation either regularly or on an ad hoc basis.
  • Processor and supplier agreements – These are used where you engage another organisation to process any data on your behalf, for example payroll services and IT providers.

For more on GDPR requirements please see our What is GDPR? page.

How can Thorntons help?

The team at Thorntons has extensive knowledge and experience of crafting effective policies, procedures, notices and data sharing and processing agreements to help organisations manage data protection risk.

We can support you with the drafting of new privacy and data protection policies and procedures and remedying gaps in existing documentation, as well as monitoring your data protection compliance. You can rely on our people to work collaboratively with you to create a policy and procedure framework tailored to your organisation’s needs.

Please call our specialist Data Protection team on 03330 430350 for more information on how we help with your data protection policies and procedures. Or complete our online enquiry form and an expert in our Data Protection team will call you back.