Home / ISO 27001 Templates / ISO 27001 Data Protection Policy Explained + Template

ISO 27001 Data Protection Policy Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

An ISO 27001 data protection policy is a set of rules you use to keep your information safe. It’s like a rulebook for handling data. This policy helps you protect sensitive information from being lost or stolen. You can use it to make sure your business follows good security practices.

What Is It

An ISO 27001 data protection policy is a set of guidelines that tells you how to manage and protect your company’s information. It is part of the larger ISO 27001:2022 standard, which is all about information security. The policy helps you keep data private and safe from harm.

Applicability to Small Business, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You can use this policy to build trust with customers and partners. It shows you care about their data.
  • Tech Startups: As a startup, you handle a lot of new data. The policy helps you set up strong security from the start, so you can grow safely.
  • AI Companies: You work with huge amounts of data. This policy is key for protecting the data you use to train your AI models and for keeping your intellectual property safe.

ISO 27001 Data Retention Policy Template

The ISO 27001:2022 Data Protection Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.

You can find templates for an ISO 27001 data protection policy online. These templates give you a head start. You can then change them to fit your specific business needs. Using a template can save you time and help you make sure you don’t miss anything important.

ISO 27001 Data Protection Policy Template

Why You Need It

You need this policy because it helps you:

  • Protect your data: It keeps your company’s and your customers’ information safe from being lost or stolen.
  • Build trust: It shows customers and partners that you take security seriously.
  • Meet legal requirements: Many laws, like GDPR, require you to protect data. This policy helps you follow those laws.
  • Prevent problems: It helps you avoid data breaches and the high costs that come with them.

When You Need It

You should create a data protection policy when you first start your business or as soon as you begin handling sensitive information. It’s best to have it in place before you need it. This way, you’re prepared from day one. You also need to update it regularly as your business grows and as new threats appear.

Who Needs It

Everyone in your company who handles information needs to follow this policy. This includes:

  • Employees: They need to know how to handle data safely.
  • Managers: They need to make sure their teams follow the rules.
  • IT staff: They need to set up the right security tools.

Where You Need It

You need to apply this policy wherever your company handles information. This includes:

  • On your computers and servers: This is where your data is stored.
  • In your offices: This covers how people handle paper documents.
  • When you work from home: This ensures data is safe even when employees are not in the office.

How to Write It

Start by looking at what kind of data you have and how you use it. Then, write down the rules for keeping that data safe. Make sure the rules are clear and easy for everyone to understand. You can use a template to help you get started. After you write it, get feedback from a security expert to make sure it’s correct.

Time needed: 1 hour and 30 minutes

How to write an ISO 27001 Data Protection Policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.

  2. Write the ISO 27001 Data Protection Policy contents page

    1 Document Version Control
    2 Document Contents Page
    4 Data Protection Policy
    4.1 Purpose
    4.2 Scope
    4.3 Principle
    4.4 Data Protection Policy Statement
    5 Legal Basis for Processing
    6 Data protection principles
    6.1 Lawfulness, Fairness and Transparency
    6.2 Purpose Limitation
    6.3 Data Minimisation
    6.4 Accuracy
    6.5 Storage Period Limitation
    7 Personal Information Classification and Handling
    8 Personal Information Retention
    9 Personal Information Transfer / Transmit
    10 Personal Information Storage
    11 Breach
    12 The Rights of Data Subjects
    12.1 The right to be informed
    12.2 The right of access
    12.3 The right to rectification
    12.4 The right to erasure (the right to be forgotten)
    12.5 The right to restrict processing
    12.6 The right to data Portability
    12.7 The right to object
    12.8 Rights in relation to automated decision making and profiling
    13 Definitions
    13.1 Personal Data
    13.2 Sensitive Personal Data
    13.3 Data Controller
    13.4 Data Processor
    13.5 Processing
    13.6 Anonymization
    14 Policy Compliance
    14.1 Compliance Measurement
    14.2 Exceptions
    14.3 Non-Compliance
    14.4 Continual Improvement

  3. Write the ISO 27001 Data Protection Policy purpose

    The purpose of this policy is the company legal and regulatory requirements under the GDPR and the Data Protection Act 2018 and the rights of data subjects.

  4. Write the ISO 27001 Data Protection Policy principle

    Personal data is classified and treated as classification level Confidential, and all associated policies, controls and processes apply.

  5. Write the ISO 27001 Data Protection Policy scope

    All employees and third-party users.
    Personal Data as defined by GDPR.

  6. Write your data protection policy statement

    The company is classed as a Data Controller/Data Processor based on the context of the processes under the current UK Data Protection Act 2018. This policy confirms our commitment to protect the privacy of the personal information of our customers, clients, employees, and other interested parties. We have engaged in a programme of Information Security Management which is aligned to the international standard ISO27001 to ensure that the processes of personal information is conducted using best practice processes.

  7. Explain your legal basis for processing

    Article 6 of the GDPR provides the legal basis under which Personal Data can be processed. Our legal basis for processing is documented in our Record of Processing Activities.

  8. Set out the data protection principles

    The company is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
    Article 5 of the GDPR requires that personal data shall be:

    Lawfulness, Fairness and Transparency
    processed lawfully, fairly and in a transparent manner in relation to individuals
     
    We have reviewed and documented the data that we control and or process and determined the legal basis for processing. We provide privacy notices and inform data subjects of their rights as well as what processing takes place, by whom, for how long and why.

    Purpose Limitation
    collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes
    We ensure we only process data for the purposes it has been collected and communicated and not for other reasons without the agreement and knowledge of the Data Subject(s).

    Data Minimisation
    adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
    We ensure that data collected is not excessive and is appropriate to the purpose for which it was collected. We conduct Data Privacy Impact Assessments as part of our project lifecycle.

    Accuracy
    accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay
     
    We ensure that data is reviewed and assessed for accuracy on a periodic basis and have implemented processes for the rectification and erasure of data without undue delay.

    Storage Period Limitation
    kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
    We have implemented a data retention policy and data retention schedule in line with legal, regulatory and company needs.
    processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
    We have implemented an information security management system in line with ISO 27001 the International Standard for Information Security. We have a culture of information security and assess security controls and requirements throughout the project life cycle.

  9. Explain personal information classification and handling

    Personal data classification and handling is in line with theInformation Classification and Handling Policy.

  10. Set out personal information retention

    Personal data is retained and destroyed in line with the Information Classification and Handling Policy, Asset Management Policy, and the Data Retention Schedule.

  11. Set out personal information transfer

    Personal data is transferred in line with the Information Transfer Policy and employees ensure the appropriate level of security in line with the policy and company processes.

  12. Set out personal information storage

    Personal Information storage is in line with the Information Classification and Handling Policy, Physical and Environmental Security Policy, Cryptographic Control and Encryption Policy, Backup Policy,and the Data Retention Schedule.

  13. Explain what happens if a breach happens

    In the event of a breach of the principles of the Data Protection Act 2018 employees inform their line manager, and /or a member of the Management Review Team and/or Senior Management and invoke the Incident Management Process. 
    Breaches are assessed and where appropriate and required the Data Subjects and / or the Information Commissioners Office are informed without undue delay.

  14. Explain the rights of data subjects

    The right to be informed
    Individuals have the right to be informed about how we use their Personal Data.
    This includes:
    The name and contact details of our organisation.
    The name and contact details of our representative (if applicable).
    The contact details of our data protection officer (if applicable).
    The purposes of the processing.
    The lawful basis for the processing.

    The right of access
    Individuals have the right to access their personal data.
    This is commonly referred to as subject access.
    Individuals can make a subject access request verbally or in writing.
    We have one month to respond to a request.
    We cannot charge a fee to deal with a request in most circumstances.

    The right to rectification
    The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
    An individual can make a request for rectification verbally or in writing.
    We have one calendar month to respond to a request.
    In certain circumstances we can refuse a request for rectification.

    The right to erasure (the right to be forgotten)
    The GDPR introduces a right for individuals to have personal data erased.
    The right to erasure is also known as ‘the right to be forgotten’.
    Individuals can make a request for erasure verbally or in writing.
    We have one month to respond to a request.
    The right is not absolute and only applies in certain circumstances.
    This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.

    The right to restrict processing
    Individuals have the right to request the restriction or suppression of their personal data.
    This is not an absolute right and only applies in certain circumstances.
    When processing is restricted, we are permitted to store the personal data, but not use it.
    An individual can make a request for restriction verbally or in writing.
    We have one calendar month to respond to a request.

    The right to data Portability
    The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
    It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
    Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
    The right only applies to information an individual has provided to a controller.

    The right to object
    The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
    Individuals have an absolute right to stop their data being used for direct marketing.
    In other cases where the right to object applies, we may be able to continue processing if we can show that we have a compelling reason for doing so.
    We must tell individuals about their right to object.
    An individual can make an objection verbally or in writing.

    Rights in relation to automated decision making and profiling
    Individuals have the right not to be subject to a decision when:
    •           It is based on automated processing, and
    •           It produces a legal effect or a similarly significant effect on them.

  15. Define key terms

    To ensure the company understands its obligations to the protection of Personal Information, the following definitions apply and are based on current understanding of these terms within UK and European law, and specifically in Article 4 of GDPR.

    Personal Data
    Any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

    Sensitive Personal Data
    Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Sensitive Personal Data includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

    Data Controller
    The natural or legal person, public authority, agency, or any other body, which alone or jointly with others, determines the purposes and means of the processing of Personal Data.

    Data Processor
    A natural or legal person, public authority, agency, or any other body which processes Personal Data on behalf of a Data Controller.

    Processing
    An operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of the data.

    Anonymisation
    Irreversibly de-identifying Personal Data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The Personal Data processing principles do not apply to anonymized data as it is no longer Personal Data.

How to Implement It

To put the policy into action, you need to tell everyone in the company about it. Train your employees on the rules and how to follow them. Make sure you have the right tools and technology to support the policy, like password managers or antivirus software. Check regularly to see if the policy is being followed and if it is still working.

Examples of Using It for Small Business

  • Customer data: You might have a rule that says you must delete customer data after two years.
  • Credit card information: The policy would tell you to never write down credit card numbers.
  • Employee files: It would state that only HR can look at employee personal files.

Examples of Using It for Tech Startups

  • Code security: Your policy could require all new code to be checked for security problems before it is used.
  • Developer access: You might have a rule that developers can only access the data they need for their job, and nothing more.
  • User data: The policy would require you to use special tools to keep user data private and anonymous.

Examples of Using It for AI Companies

  • Training data: The policy would require you to clean and anonymise the data you use to train your AI models.
  • AI model access: You might have a rule that only certain people can access your most important AI models.
  • Security of intellectual property: The policy would outline how to protect your unique AI algorithms from being stolen.

How the ISO 27001 Toolkit Can Help

An ISO 27001 toolkit is a collection of documents, guides, and templates. It can help you put your data protection policy into practice. The toolkit helps you organise your security efforts and make sure you follow all the rules of the ISO 27001 standard.

ISO 27001 Toolkit

Information Security Standards That Need It

This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive) 
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology) 
  • HIPAA (Health Insurance Portability and Accountability Act)

List of Relevant ISO 27001:2022 Controls

The ISO/IEC 27001:2022 standard has many controls, which are like specific rules. Here are a few that are important for data protection:

ISO 27001 Data Protection Policy Example

An example ISO 27001:2022 Data Protection Policy:

ISO 27001 Data Protection Policy FAQ

What is an ISO 27001 data protection policy?

It’s a formal set of rules that helps your company manage and protect sensitive data. The policy helps ensure that data is handled correctly and securely.

Why do we need an ISO 27001 data policy?

It helps you protect your business from cyber threats and data leaks. Having a policy shows customers and partners that you take data security seriously.

Does the ISO 27001 data protection policy help with GDPR?

Yes, it does! ISO 27001 gives you a strong framework to manage data security. This makes it much easier to meet the strict rules of the GDPR and other privacy laws.

Who needs to follow this policy?

Everyone in the company must follow the policy. This includes all employees, contractors, and even vendors who handle your business’s data.

What is a data breach?

A data breach is when a person’s private information is accidentally shared or stolen. An example is when a hacker steals customer emails and passwords from a company website.

How do we handle a data breach?

The data protection policy has a clear plan for what to do. You must report the issue right away. You will then follow our steps to contain the breach and notify anyone who may be affected.

What is personal data?

Personal data is any information that can identify a living person. Things like a name, address, email, or a photo are all types of personal data.

What are the key goals of the data protection policy?

The main goals are to keep information confidential, to make sure data is not changed incorrectly (integrity), and to ensure data is always available to those who need it.

Do we have to train employees on this policy?

Yes, all employees must get trained. Training helps everyone understand the rules and their role in keeping our company data safe.

How often should we review the policy?

You review the policy at least once a year. This makes sure it stays current with new laws and new security threats.

What is an ISMS?

An ISMS is an Information Security Management System. It’s a set of processes, policies, and systems that help a company manage its data risks. ISO 27001 is the standard for building a good ISMS.

Can we share customer data?

You can only share customer data when you have a good reason to do so. This reason must be clear and based on law or a valid business need.

How do we destroy old data?

You destroy old data in a safe way so it can’t be recovered. This includes shredding paper documents and wiping digital files clean.

What is a risk assessment?

A risk assessment is a review of our systems and processes to find any weak spots. You then plan how to fix those problems to protect our data better.

What happens if someone doesn’t follow the policy?

Breaking the policy can lead to disciplinary action. It is very important that everyone follows the rules to keep our data secure.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.