Compliance guide

Data Security Policy Template

A data security policy sets out how your business protects the information it holds, by classifying data and applying the right handling rules to each level. Use the free template, classification model and sample wording below, or have a tailored version prepared for you.

What a data security policy does

A data security policy sets out how your business protects the information it holds, across its whole life: how data is classified, stored, shared, retained and disposed of. At its heart is a simple idea: not all data is equally sensitive, so it shouldn't all be treated the same way. That's what data classification is for.

It's one of the most commonly requested supporting documents under a cyber security policy, because customers want to know their data will be handled appropriately once it's in your hands.

This is general guidance, not legal advice. If you hold regulated data (health, payment card, or personal data under laws like GDPR), check the specific requirements that apply.

A simple data classification model

Most small and medium businesses do well with three or four levels. Adapt the labels and handling rules to your business:

| Level        | Examples                      | Handling                                    |
|--------------|-------------------------------|---------------------------------------------|
| Public       | Marketing, published content  | No restrictions                             |
| Internal     | Internal docs, plans          | Staff only; don't share externally          |
| Confidential | Customer data, contracts      | Access on need-to-know; encrypt in transit  |
| Restricted   | Payment, health, credentials  | Strict access, encryption, logging          |
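The handling column is easiest to apply consistently when it is written down as a check rather than left to judgement. The following is an added example, not part of the template: it encodes the four rows above as a policy-as-code check that a proposed transfer of data at a given level is evaluated against. The `Transfer` fields, the reading of "encryption, logging" as encryption at rest plus access logging, and the rule that an approved need-to-know release covers an external recipient are assumptions made for this example.

```python
from dataclasses import dataclass

# Classification levels from the table, least to most sensitive.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")


@dataclass(frozen=True)
class Transfer:
    """One proposed handling action for a data asset (fields constructed for this example)."""
    level: str
    recipient_external: bool      # recipient is outside the business
    need_to_know_approved: bool   # access or release approved by the data owner
    encrypted_in_transit: bool    # e.g. TLS, SFTP, encrypted attachment
    encrypted_at_rest: bool       # destination store encrypts data at rest
    access_logged: bool           # destination store records who accessed the data


def check_transfer(t: Transfer) -> list[str]:
    """Return the handling rules the transfer breaks; an empty list means it complies."""
    if t.level not in LEVELS:
        return [f"unknown classification level: {t.level!r}"]
    rank = LEVELS.index(t.level)
    violations = []
    # Internal: staff only, never shared externally.
    if t.level == "Internal" and t.recipient_external:
        violations.append("Internal data must not be shared externally")
    # Confidential and Restricted: need-to-know access, encrypted in transit.
    # Assumption: an approved need-to-know release covers an external recipient
    # (a customer receiving their own contract); without approval, access is denied.
    if rank >= LEVELS.index("Confidential"):
        if not t.need_to_know_approved:
            violations.append(f"{t.level} data requires need-to-know approval")
        if not t.encrypted_in_transit:
            violations.append(f"{t.level} data must be encrypted in transit")
    # Restricted: "strict access, encryption, logging" read as encryption at rest
    # and access logging on top of the Confidential rules (assumption).
    if t.level == "Restricted":
        if not t.encrypted_at_rest:
            violations.append("Restricted data must be encrypted at rest")
        if not t.access_logged:
            violations.append("Restricted data access must be logged")
    return violations


if __name__ == "__main__":
    # Constructed sample transfers, one per level.
    samples = [
        Transfer("Public", True, False, False, False, False),      # publishing web copy
        Transfer("Internal", True, False, True, False, False),     # plan emailed to an outside address
        Transfer("Confidential", True, True, True, False, False),  # contract sent to the customer over TLS
        Transfer("Restricted", False, True, True, False, False),   # card data copied to an unencrypted, unlogged store
    ]
    for s in samples:
        print(s.level, "->", check_transfer(s) or "compliant")
```

The same function can sit behind a document-sharing or export step so that the rule for each level is enforced at the point where data leaves its home system.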

What to include: data security policy template structure

Adapt this outline to your business:

  1. Purpose and scope: why the policy exists and what data and systems it covers.
  2. Data classification: your levels (e.g. Public, Internal, Confidential, Restricted) and what falls into each.
  3. Handling rules: how each level must be stored, shared, transmitted and disposed of.
  4. Access: who can access which data, on a need-to-know basis (links to your access control policy).
  5. Encryption: when data must be encrypted in transit and at rest.
  6. Storage and backups: where data lives and how it's backed up.
  7. Retention and disposal: how long data is kept and how it's securely destroyed.
  8. Third parties: expectations for vendors who store or process your data.
  9. Breach handling: links to your incident response process.
  10. Responsibilities and review: who owns the policy and how often it's reviewed.

Classification is only useful if handling rules follow it. For each level, say plainly what people can and can't do.

Download the editable data security policy template

Enter your email and the data security & classification policy template (Word and PDF) is yours, with the classification model ready to adapt.

How to put it into practice

A classification scheme only helps if people can actually apply it.

  1. Agree your levels. Pick three or four classification levels and define them in plain language.
  2. Map your data. Identify the main types of data you hold and assign each a level.
  3. Set handling rules. For each level, set clear rules for storage, sharing, encryption and disposal.
  4. Label and train. Show people how to label documents and handle each level day to day.
  5. Review. Revisit the policy and your data map at least annually.

Prefer your data security policy done for you?

Tell us what kind of data you hold and we'll prepare a tailored data security and classification policy with handling rules matched to your business.

Requests for the data security policy are reviewed and prepared manually; we'll follow up by email.

Frequently asked questions

Is this data security policy template free?

Yes. The structure, the classification model and the handling rules are free to use. A tailored, done-for-you version is the only paid option.

What's the difference between data security and data classification?

Data classification is one part of data security. Classification sorts information by sensitivity; the wider policy then sets the security rules for each level, covering storage, sharing, encryption, retention and disposal.

How many classification levels should I use?

Three or four is plenty for most businesses, for example Public, Internal, Confidential and Restricted. Too many levels are hard to apply consistently.

Is this the same as a data protection / privacy policy?

Not quite. A data security policy is about protecting information from a security standpoint. A privacy or data protection policy focuses on how you collect and use personal data under privacy law. They're complementary.