Privacy Documentation
Data Protection Documentation Support
Under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Use and Access Act 2025 (DUAA 2025), organisations are required to maintain key documentation that demonstrates legal compliance, ensures accountability, and promotes transparency in the handling of personal data.
At Whitestar Services, we produce these essential documents as part of our retained Data Protection Officer (DPO) support and through bespoke project-based services. The following outlines the core documents every organisation should have in place:
✔ Privacy Notice
Required under UK GDPR Article 13 & 14, this external-facing document satisfies the “right to be informed”. It must clearly explain why personal data is collected, how it is processed, any third-party sharing, and the rights of individuals. Privacy notices must be concise, intelligible, and easily accessible. This is often supported by a Cookie Notice and known more broadly as a Privacy Policy or GDPR Statement.
✔ Privacy (or Data Protection) Policy
An internal policy required to demonstrate organisational accountability under UK GDPR Article 24 and DUAA Section 3. It defines data protection principles, internal roles and responsibilities, risk management, and data security standards. It also serves as a reference point for staff training and ongoing awareness.
✔ Data Processing Agreement (DPA)
A legally binding contract required by UK GDPR Article 28 where a controller engages a processor. It sets out instructions for processing, confidentiality, security measures, and audit rights. A compliant DPA ensures third-party processing arrangements uphold both parties’ legal obligations.
✔ Record of Processing Activities (ROPA)
Required under UK GDPR Article 30, this is a living document detailing the nature of all personal data processing operations, data categories, legal basis, recipients, retention schedules, and international transfers. It is vital for regulatory reporting and internal audits.
✔ Subject Access Request (SAR) Policy
Under UK GDPR Articles 12–15 and DUAA Section 5, organisations must respond lawfully to data subject access requests within statutory timeframes. This policy ensures procedures are in place to verify identities, apply exemptions where appropriate, and issue responses within one calendar month.
✔ Data Breach & Security Incident Response Policy
A legal requirement under UK GDPR Articles 33–34 and DUAA Section 6, this policy guides how an organisation identifies, contains, assesses, reports, and mitigates personal data breaches or cyber incidents. It includes internal notification protocols and communication with regulators such as the ICO where applicable.
✔ Cookie Notice
In compliance with UK GDPR, the Privacy and Electronic Communications Regulations (PECR) 2003, and supported by DUAA 2025 requirements for user transparency, this notice outlines the types of cookies used, their purpose, and how users can manage consent. It must work in conjunction with a cookie consent tool (CMP).
✔ Data Retention Policy & Schedule
Required to meet the storage limitation principle (UK GDPR Article 5(1)(e)), this policy outlines how long different categories of personal data are retained, and how they are securely erased once no longer necessary. The accompanying schedule sets out specific timelines and disposal protocols, in line with DUAA’s accountability provisions.
✔ Supporting Your Compliance Journey
Our experts at Whitestar Services can help your organisation develop, review, and maintain these documents as part of a robust, proportionate, and scalable data protection framework. Whether through outsourced DPO services or targeted project delivery, we ensure your documentation meets both legal obligations and operational needs.
Contact us below to discuss how we can support your compliance.
