Data Protection Policy Template UK: generate a GDPR-compliant policy in minutes

Free UK GDPR-compliant data protection policy template. Covers lawful basis, data subject rights, retention, security and breach reporting. Download in minutes.

Frequently asked questions

What is a data protection policy template and why does my organisation need one?

This template is a strong, structured starting point built around UK GDPR, the Data Protection Act 2018 and ICO guidance, but it is not legal advice and it is not a guarantee of compliance. A policy is only compliant if it reflects what your organisation actually does. Have it reviewed by someone accountable for data protection before you adopt it.

What is the difference between UK GDPR, the DPA 2018 and the DUAA 2025?

The UK GDPR is the main regulation. The Data Protection Act 2018 sits alongside it and tailors it for the UK. The Data (Use and Access) Act 2025 amends both, with most data protection changes in force from 5 February 2026. None of them replaces the others. This template reflects all three.

What changed under the Data (Use and Access) Act 2025?

Among other things, it added a new recognised legitimate interests lawful basis that removes the balancing test for specified purposes such as crime prevention and safeguarding, and put the stop-the-clock provision for subject access requests on a statutory footing. Both of these came into force on 5 February 2026. It also created a duty for organisations to handle data protection complaints, which comes into force on 19 June 2026. This generator reflects these changes.

Do we need a Data Protection Officer (DPO)?

You must appoint a DPO if you are a public authority or body, or if your core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data. Many organisations are not required to appoint a statutory DPO but still benefit from a named data protection lead. The generator adapts to your answer.

What are the lawful bases, and which should we pick?

UK GDPR gives you six original bases (consent, contract, legal obligation, vital interests, public task, legitimate interests), plus the new recognised legitimate interests basis from the DUAA. No basis is better than another; the right one depends on your purpose and your relationship with the individual. You should pick and document a basis before you start processing.

How long can we keep personal data?

Only as long as you actually need it for the purpose you collected it for. That is the storage limitation principle. There is no single legal retention period; it depends on the type of record and any legal requirement (for example, HMRC rules for financial records). The generator lets you set your own retention schedule.

What are the individual rights we have to honour?

Eight: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights around automated decision-making. You normally have one calendar month to respond to a request.

Do we have to register with the ICO?

Most organisations that process personal data must pay an annual data protection fee to the ICO. There are three tiers (currently £52, £78 and £3,763), based on size and turnover, and most charities pay the tier 1 fee regardless of size. Check your position on the ICO website. The policy notes your registration status.

Who is this template for?

UK mid-market organisations, charities and non-profits, and public bodies that need a clear, current data protection policy without paying for a bespoke one to start with. It is written in plain business language for boards, trustees and leaders, not just specialists.

Does Starkhorn provide legal or DPO services with this?

No. Starkhorn is an independent technology consultancy. We do not provide legal advice, certification, insurance or outsourced DPO services, and we take no commission. We help boards and leaders govern data and technology. This tool is free and exists to give you a credible starting artefact and show where a proper review would pay back.