How many policies do you need for GDPR compliance?

GDPR does not specify a fixed list of policies, but compliant organisations typically need 8 core policy documents: a Privacy Notice, Data Protection Policy, Data Subject Rights Policy, Data Retention and Deletion Policy, Data Breach Response Policy, DPIA Procedure, Vendor and Processor Management Policy, and Cookie Policy. Regulated sectors (healthcare, finance) and organisations with higher-risk processing activities may need additional policies covering automated decision-making, special category data, and international data transfers.

What is the difference between a Privacy Policy and a Privacy Notice under GDPR?

Under GDPR, these terms are often used interchangeably but describe different documents. A Privacy Notice (sometimes called a Privacy Policy) is the external-facing document provided to data subjects explaining how their personal data is collected, used, stored, and shared. A Data Protection Policy is an internal document setting out how your organisation handles personal data, the roles responsible for data protection, and your compliance procedures. GDPR Articles 13 and 14 require specific information in privacy notices; there is no prescribed format for internal data protection policies.

What must be included in a GDPR-compliant privacy notice?

A GDPR-compliant privacy notice must include (per Articles 13-14): the data controller's identity and contact details, the Data Protection Officer's contact details (if applicable), the purposes and legal basis for each processing activity, legitimate interests (if used as a lawful basis), categories of personal data collected, recipients or categories of recipients, international transfer details (if applicable), retention periods for each data category, all data subject rights (access, rectification, erasure, portability, objection), right to withdraw consent (if used as lawful basis), right to complain to the supervisory authority (ICO for UK, relevant DPA for EU), and whether providing data is a statutory or contractual requirement.

What are the differences between UK GDPR and EU GDPR for essential policies?

UK GDPR and EU GDPR are substantively similar but differ in key administrative details your templates must reflect. UK GDPR: the supervisory authority is the Information Commissioner's Office (ICO), not a national DPA; the data transfer mechanism to the EU is the EU's adequacy decision for the UK; the accountability framework is maintained by the ICO. EU GDPR: the supervisory authority is the relevant national DPA (CNIL in France, BfDI in Germany, etc.). Organisations operating in both jurisdictions need templates that can be adapted for each, particularly in the supervisory authority section of the privacy notice and breach notification procedure.

What are the fines for GDPR non-compliance?

UK GDPR fines can reach £17.5 million or 4% of global annual turnover (whichever is higher) for serious violations. EU GDPR fines reach €20 million or 4% of global annual turnover. Lower-tier fines (up to £8.7 million / €10 million or 2% of turnover) apply to less severe violations such as failing to maintain proper records. The ICO has increasingly issued fines for policy failures — not just breaches — including failure to provide adequate privacy notices and failure to respond to Subject Access Requests within the one-month deadline.

Compliance 14 March 2026 • 10 min read

PolicySuite team Compliance editorial

Checklist of 8 essential GDPR policies including privacy notice and data breach response

Essential GDPR Policies: What You Need and What to Include

Essential GDPR policies are the starting point for data protection compliance — but knowing which policies you need and what each one must contain is half the battle. GDPR doesn't give you a checklist of required documents; it sets out accountability principles that translate into specific documentation obligations. This guide maps those obligations to 8 concrete policies, with a breakdown of what each must include to satisfy ICO GDPR guidance scrutiny.

How Many Policies Does GDPR Require?

GDPR itself doesn't specify a list of policies. What it requires is that you can demonstrate compliance — the accountability principle (Article 5(2)). In practice, this translates to 8 core policy documents for most organisations:

Privacy Notice
Data Protection Policy (internal)
Data Subject Rights Policy
Data Retention and Deletion Policy
Data Breach Response Policy
DPIA Procedure
Vendor and Processor Management Policy
Cookie Policy

Organisations with higher-risk processing (children's data, health data, large-scale profiling) or those subject to sector regulation (FCA, CQC, NHS) will need additional policies. But these 8 form the baseline that every UK and EU organisation processing personal data should have. For a deeper look at control mappings and documentation obligations, see our GDPR framework guide.

The 8 Essential GDPR Policies

Quick answer. The 8 Essential GDPR Policies — in our experience, the short answer is bespoke generation cited to primary sources beats generic templates. Many uk smes typically discover the gap only at audit time; for example, a missing legislation.gov.uk reference. Bespoke generation closes the gap pre-emptively.

1. Privacy Notice

Who it's for: External — your customers, website visitors, job applicants, or any individual whose data you collect.

Legal basis: Articles 13 and 14 require specific information to be provided at the point of data collection.

Must include:

Controller's identity, address, and contact details
DPO contact details (if you have a DPO)
Specific purposes for each processing activity (not "to provide our services" — be specific)
Legal basis for each processing activity (contract, consent, legitimate interest, legal obligation, vital interests, public task)
Legitimate interests pursued (if using legitimate interests as your lawful basis)
Recipients or categories of recipients
International transfer details and safeguards
Specific retention periods per data category (not "as long as necessary")
All eight data subject rights
Right to withdraw consent (if consent is a lawful basis)
Right to complain to the ICO (UK) or relevant supervisory authority (EU)
Information on automated decision-making (if applicable)

2. Data Protection Policy (Internal)

Who it's for: Internal — all employees, contractors, and anyone who processes personal data on behalf of your organisation.

Must include: The six data protection principles and how your organisation upholds them; roles and responsibilities (DPO, data owners, all staff); employee training requirements; data handling rules (storage, transfer, disposal); records of processing activities (ROPA) maintenance; third-party processor management requirements; and breach notification procedures. This is the policy employees acknowledge — it must be written in plain English.

3. Data Subject Rights Policy

Who it's for: Internal procedure document, with a summary for external communication.

Must include: All eight rights under UK/EU GDPR (access, rectification, erasure, restriction, portability, object, automated decision-making, withdraw consent); the procedure for receiving and logging rights requests; the one-month response deadline; who is responsible for handling each right; circumstances in which requests can be refused or extended; template responses for common requests; verification of identity procedure; and records of requests and responses.

2025 ICO update: The ICO's updated 2025 guidance clarifies that organisations can only extend the one-month DSAR response deadline for requests that are genuinely complex or numerous — not as a matter of routine. Requests that are straightforward must be responded to within one calendar month. Your policy should reflect this: extensions are the exception, not the default.

4. Data Retention and Deletion Policy

Must include: A retention schedule listing each data category, the specific retention period, the legal basis for retaining it, the trigger event (e.g., end of contract, last active date), and the deletion method. GDPR prohibits vague statements like "as long as necessary" — you must document specific timeframes. The policy must also cover how data is securely deleted and how deletion is evidenced.

Common retention periods to include:

Employee records: 6 years post-employment (Limitation Act)
Customer contracts: 6 years post-contract end
Financial records: 7 years (HMRC requirement)
Job applicant data (unsuccessful): 6 months
CCTV footage: 30 days (unless incident-related)

5. Data Breach Response Policy

Must include: Definition of a personal data breach; breach severity classification; reporting chain within the organisation; 72-hour notification requirement to the ICO (UK) for breaches likely to result in risk to individuals; circumstances requiring notification to affected data subjects; the information that must be included in breach notifications; post-breach review requirements; and a breach log. Every organisation must maintain a record of all breaches, even those that don't require ICO notification.

6. DPIA Procedure

When required: Article 35 requires a Data Protection Impact Assessment before high-risk processing — large-scale special category data, systematic profiling, large-scale monitoring of public areas, and 9 other specific categories listed in ICO guidance.

Must include: Criteria for when a DPIA is required; who conducts DPIAs; the DPIA process (describe processing, assess necessity, identify risks, identify mitigations); DPO consultation requirement; ICO consultation requirement (for residual high risk); DPIA review triggers; and DPIA template and records storage.

7. Vendor and Data Processor Management Policy

Must include: Definition of data processors vs controllers; requirements for data processing agreements (Article 28 mandates specific clauses in all processor contracts); vendor risk classification; due diligence requirements before appointing processors; list of approved sub-processors; audit rights; and processor off-boarding procedure. Every supplier who processes personal data on your behalf must have a compliant DPA in place.

8. Cookie Policy

Must include: Categories of cookies used (strictly necessary, functional, analytics, marketing); specific cookies set, their purpose, and duration; third parties setting cookies; how users can manage or refuse non-essential cookies; and a cookie consent mechanism that meets the PECR standard (opt-in consent for non-essential cookies, not opt-out). This is separate from your Privacy Notice — it must be accessible from every page footer.

Common Gaps in GDPR Policies

Quick answer. Common Gaps in GDPR Policies — in our experience, the short answer is bespoke generation cited to primary sources beats generic templates. Many uk smes typically discover the gap only at audit time; for example, a missing legislation.gov.uk reference. Bespoke generation closes the gap pre-emptively.

Vague retention periods — "We keep your data for as long as necessary" fails the storage limitation principle
Generic processing activities — "To provide our services" is not a specific purpose; list each processing activity separately
Missing automated decision-making disclosures — If you use algorithms, AI, or scoring systems that affect individuals, you must disclose this
Untested DSAR process — Policies that haven't been tested rarely work under real conditions; run a test request annually
Processors without DPAs — Every SaaS tool or supplier processing personal data needs a signed DPA before you use it

UK GDPR vs EU GDPR: Policy Differences

Quick answer. UK GDPR vs EU GDPR: Policy Differences — in our experience, the short answer is bespoke generation cited to primary sources beats generic templates. Many uk smes typically discover the gap only at audit time; for example, a missing legislation.gov.uk reference. Bespoke generation closes the gap pre-emptively.

If your organisation operates in both the UK and EU (or transfers data between them), your policies need to reflect both regimes:

Supervisory authority: UK = ICO; EU = relevant national DPA
Data transfer mechanism (UK→EU): EU adequacy decision covers the UK
Data transfer mechanism (EU→UK): UK adequacy regulations cover the EU
Breach notification: Both require 72-hour notification, but to different authorities
Fine levels: UK GDPR maximum = £17.5m / 4% global turnover; EU GDPR = €20m / 4% global turnover

GDPR-Ready Policy Pack

PolicySuite's EU Data Protection & Privacy Essentials pack includes all 8 bespoke policies above plus 4 supplementary documents, pre-mapped to UK and EU GDPR requirements. Every policy comes with guidance notes and is reviewed against ICO 2025 guidance.

Get Started

Essential GDPR Policies: What You Need and What to Include

How Many Policies Does GDPR Require?

The 8 Essential GDPR Policies

1. Privacy Notice

2. Data Protection Policy (Internal)

3. Data Subject Rights Policy

4. Data Retention and Deletion Policy

5. Data Breach Response Policy

6. DPIA Procedure

7. Vendor and Data Processor Management Policy

8. Cookie Policy

Common Gaps in GDPR Policies

UK GDPR vs EU GDPR: Policy Differences

GDPR-Ready Policy Pack

Further Reading

Keep reading

UK GDPR 2025 — what changed

ISO 27001:2022 — Updated Policy Requirements

5 ways to boost policy acknowledgement

How to choose a GDPR policy template

References and primary sources