Understand data protection principles

Welcome to the section on data protection principles. Below you will find materials and resources to help you navigate this aspect of the GDPR.

You may like to start with the videos, which set out what the GDPR is and how it changes data protection in your organisation. You can use the various templates, workflows and guidance documents to get to grips with the GDPR requirements. 

There are two types of templates.

  • Downloadable templates - these allow you to download the model policy or template, and to adapt it to your organisation

  • Generate template online - these allow you to use the online wizard to fill in your organisation's details, and download the adapted template as a PDF.

You may have to adapt aspects of the templates further to ensure they are a good fit for your organisation. If you choose to use the wizard option, please read the policy thoroughly in advance to ensure it is fit for your organisation in its current form.



Breach management plan - generate template online

This template, which you can generate online, focuses on containment and recovery, assessment of ongoing risk, breach notifications, and evaluation and response.

Data classification guidance - HR

Under a data classification policy, information is to be classified according to its business and personal sensitivity, i.e. the potential harm to the organisation or an individual if the information were to be compromised in any way. This guidance outlines recommendations for implementing a data classification policy.

Data controller or processor - guidance

This download sets out the differences between data controllers and data processors

Data protection governance framework - guidance for HR

This guidance outlines recommendations and best practices for creating a data protection governance framework within an organisation

Data transfers derogations guidance - HR

This guidance outlines pre-Brexit recommendations and best practices for data transfers.

Employee privacy policy template

Do you have an employee privacy notice in place?

Engaging with suppliers - guidance

This guidance explains the relationship between controllers and processors, and how to crystallise it in contractual arrangements.

Expert Answers: GDPR and Brexit

Brexit and GDPR: do we still need to comply when we leave the EU?

Expert Answers: How does the GDPR affect international data transfers?

How do the rules around international data transfers change under GDPR?

GDPR Awareness: Secure data in healthcare settings

The Information Commissioner's Office states: 'Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.' So what does this mean for organisations that provide healthcare?

GDPR Awareness: Suppliers, controller and processors

Do you have questions about GDPR-compliant controller-processor partnerships?

GDPR Awareness: what is the GDPR and what does it change?

In this staff training video, Ivana Bartoletti, Head of Data Protection and Privacy at Gemserv, sets out what organisations can expect from the GDPR and how to best start preparing for this data evolution.

GDPR Awareness: where to start - record of processing activities

In this staff training video, Ivana Bartoletti, Head of Data Protection and Privacy at Gemserv, explains how to start preparing your organisation and staff for GDPR compliance.

GDPR data protection policy - downloadable template

This is a data protection model policy template created by our expert content partners.

GDPR data protection policy - generate template online

This is a data protection model policy template created by our expert content partners - you can use the online wizard to adapt the template online

Incident management policy - downloadable template

This is an incident management model policy template created by our expert content partners. It covers a variety of topics, including a policy statement, objective and general definitions. It also includes a number of documents which are available as separate downloads

Legitimate interest assessment - guidance for HR

This document provides key information about legitimate interest assessments, including the process to follow and what needs to be captured, and has practical advice to ensure that staff are prepared to meet the GDPR requirements.

Legitimate interest assessment - template for HR

This template looks at records processed, their legitimate interest, the necessity, and the balancing test and includes one example to help you get started.

Marketing under the GDPR - guidance

This is an overview of how the GDPR impacts on marketing activities. It includes practical advice on GDPR and PECR, and answers questions including 'what is required when collecting consent?'

Model data subject rights request form

Use and adapt our model data subject rights request form with your organisation's data subjects