UK data protection legislation, including the Data Protection Act 2018 and the UK GDPR, requires organisations to maintain a number of documents to demonstrate compliance.
These documents serve to ensure transparency, accountability, and the compliant processing of personal data.
Whitestar creates these documents for clients as part of our retained Data Protection Officer (DPO) service plans and as one-off project work. Here we explain in further detail the key policies and procedures your organisation requires:
- Privacy Notice: This document satisfies the 'right to be informed' under UK GDPR. It tells individuals what personal data is collected about them, why and on what lawful basis it is processed, who it is shared with, how long it is kept, and what their data subject rights are. It should be clear, concise, written in plain English and easily accessible to everyone whose data is processed. It is also known as a GDPR statement or privacy policy, and is supplemented by a cookie notice.
- Privacy Policy: This internal policy sets out the organisation's commitment to data protection, roles and responsibilities, data processing procedures and security measures. It also serves as a handbook and training aid for internal stakeholders. This document is also known as a GDPR policy or a data protection policy.
- Data Processing Agreement (DPA): A DPA is a legally binding contract, required under Article 28 of the UK GDPR, between a data controller (the organisation that determines the purposes and means of processing personal data, often the 'client') and a data processor (the organisation that processes personal data on the controller's behalf, often the 'supplier'). The DPA ensures that any personal data exchanged and processed under the contract is handled in compliance with the UK GDPR, including the processor's obligations on security, use of sub-processors, assistance with data subject rights, and deletion or return of the data at the end of the contract.
- Record of Processing Activities (ROPA): Required under Article 30 of the UK GDPR, this document details the organisation's processing activities, including the purposes of processing, the categories of data subjects and personal data, the recipients of the data, any international transfers and the safeguards applied to them, the envisaged retention periods, and a general description of the security measures in place.
- Subject Access Request Policy: Responding to subject access requests is a legal requirement of the UK GDPR. The policy sets out how the organisation recognises a request (which need not use any particular wording or channel), verifies the identity of the requester, responds within the statutory timeframe (normally one month, extendable by up to two further months for complex or numerous requests), provides the relevant personal data to the data subject or to a third party acting on their behalf, and identifies when an exemption applies that permits information to be withheld or the request to be refused.
- Data Breach and Security Incident Policy: Managing personal data breaches is a legal requirement of the UK GDPR. The policy sets out how the organisation identifies potential personal data breaches and security incidents, contains and investigates them, notifies the relevant parties (the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and the affected individuals without undue delay where that risk is high), records every breach whether or not it is reportable, puts appropriate safeguards and controls in place, and implements lessons learned.
- Cookie Notice: This document, read in conjunction with a cookie consent tool, explains to website visitors how the website uses cookies (small text files stored on a user's device) and similar tracking technologies. It details which cookies are set, what they are used for, what data they collect, and how users can manage or delete them. Whereas the privacy notice covers all the ways the organisation collects, processes and stores personal data, the cookie notice focuses specifically on cookies and tracking technologies. Note that the requirement to obtain consent for non-essential cookies comes from the Privacy and Electronic Communications Regulations (PECR) rather than from UK GDPR.
- Data Retention Policy and Schedule: This policy sets out how long each type of personal data is kept and how it is securely disposed of when no longer required, in line with the storage limitation principle. The accompanying schedule specifies the retention period for each data category.