Custodia Continuity

Policy Writing and Maintenance

Policies that reflect how your organisation actually operates, maintained as the law changes.

Most organisations have data protection policies. Very few have policies that accurately describe how they handle personal data, and fewer still have read them recently.

Template policies are a starting point, not a solution. A policy that describes a generic organisation is not useful when a client asks how you handle their data, when a member of staff faces an unfamiliar situation, or when a regulator asks for evidence of compliance.

We create data protection policies from scratch, based on what your organisation actually does: how you collect data, where it sits, how long you keep it, who sees it, and what you do when something goes wrong.

What We Write

We produce a complete set of documentation covering your data protection obligations, not a selection of the easier bits:

  • Core UK GDPR Policy: lawful basis for processing, individual rights, retention schedules, security obligations and breach procedures
  • Privacy notices: website, staff, clients and suppliers, each drafted for its specific audience
  • I.T. Security policies: acceptable use, bring your own device, remote working, data retention and breach notification
  • Record of processing activities: the Article 30 documentation that regulators ask for first
  • Cookie policy and consent review: covering your website's actual cookies, not a generic list

It is all written in plain English and cross-referenced, so the policies work together instead of being a stack of unrelated documents.

Keeping Them Current

Legislation does not stand still. The Data Use and Access Act introduced material changes to legal basis, added recognised legitimate interests, strengthened requirements around automated decision-making, and adjusted internal complaints requirements. Information Commissioner’s Office guidance on biometric data, children’s privacy and A.I. has changed substantially in recent years and continues to develop.

We monitor the Information Commissioner’s Office guidance updates, case decisions and enforcement notices, and we rewrite your policies when they need updating. Not every guidance change requires a full rewrite, but every change gets assessed. If your policies need amending, we amend them and let you know what changed and why.

This is included in our standard compliance service. You do not receive a revised policy with an invoice attached.

A policy untouched since 2018 doesn’t show compliance. It shows nobody has been paying attention.

Plain-English Guidance Notes

A thirty-page policy document is not useful to the person at the front desk deciding whether to share a client’s address over the phone. They need a one-page summary that covers the decisions they actually face, written for the role they actually do.

For every policy we write, we produce a plain-English guidance note: what the policy means in practice, what to do in the situations that come up regularly, and who to ask when something is unclear. These go into your staff handbook and sit alongside the full policy for easy reference.

When a prospective client or partner asks for evidence of your data handling, you hand over a clear, well-structured compliance pack that gives them confidence, rather than a folder of templates with your name pasted in.

A.I. and Automated Decision-Making

If your organisation uses A.I. tools, profiling, automated scoring or algorithmic decision-making in any form, your data protection policies need to reflect that. This is not optional: the UK GDPR places specific transparency and fairness obligations on any processing that involves automated decisions with legal or similarly significant effects on individuals, and regulators are actively examining how organisations are handling this.

We review how you use these tools, ensure your privacy notices include the required transparency information, and establish governance to demonstrate that automated decisions involving people are appropriately overseen and challengeable where the law requires it.

Policy Writing and Maintenance with Custodia

  • Policies written for your organisation, not copied from a template
  • Core data protection policy, privacy notices, I.T. policies and records of processing
  • Plain-English guidance notes for staff, suitable for your staff handbook
  • Website privacy and cookie compliance reviewed
  • Information Commissioner’s Office guidance and legislation monitoring included
  • Policies rewritten when the law changes, without a separate invoice

Find out how we can help your organisation

Get in touch with us today.

Book a Call

Or call us on

01629 369 250

Email us at

[email protected]