Privacy documentation


The right privacy documentation demonstrates a commitment to information protection, building trust and confidence in your organisation and earning the loyalty of those you work with – whether customers, clients or staff.  

Our team can provide a full suite of data protection documentation including privacy statements, cookie use policies, internal policies and procedures, data sharing and processing agreements. 

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Privacy Documents

A privacy document is any document containing data privacy information. It can range from privacy statements and cookie use policies to internal policies and procedures that your employees must comply with to meet their data protection obligations.

There are various documents; the main ones are listed below:

  1. Data Protection Policy
  2. Privacy Notice
  3. Employee Privacy Notice
  4. Data Retention Policy
  5. Data Retention Schedule
  6. Data Subject Consent Form
  7. DPIA Register
  8. Supplier Data Processing Agreement
  9. Data Breach Response and Notification Procedure/Policy

There are certain steps and documentation needed to demonstrate compliance. These include, but are not limited to:

  • Testing and auditing data protection measures
  • Implementing technical measures to ensure compliance
  • Documenting and recording compliance measures
  • Determining and documenting a lawful basis for each instance of personal data processing

  1. Lawfulness, fairness and transparency in processing of personal data
  2. Collecting personal data for specified, explicit and legitimate purposes
  3. Accuracy in holding personal data and keeping it up to date
  4. Processing in a manner that ensures appropriate security of the personal data

Article 30 of the UK GDPR imposes documentation requirements on controllers and processors, which include the purposes of processing personal data; the categories of individuals whose personal data is being processed; the name of any third countries or international organisations that you transfer personal data to; and a general description of your organisation’s technical and organisational security measures to protect the personal data.
