An internal-facing data protection policy for use by a business setting out the principles and legal conditions under UK data protection law that organisations must satisfy when obtaining, handling, processing, transporting or storing personal data in the course of their operations and activities, including customer, supplier and employee data. It is tailored to comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018).