Thank you for your question and for using the forum. This is an excellent question and actually quite difficult.
There are lots of links to templates on Google; however, depending on which one you go to, some expect you to pay (i.e. IT Governance produce a full toolkit, but it comes at a cost). It also depends on what their existing Policy document contains, whether it is an update or a rewrite, and indeed the expertise of who is leading it.
Our advice is that we would expect some of the following to be included within a policy addressing GDPR.
Data Protection by Design
The assignment of responsibilities.
Training of Employees.
Data Subject Rights.
Personal Data Transfers.
Personal Data Incident Management.
Personal Data Complaints Handling.
Data Protection Principles
Principle 1: Lawfulness, Fairness and Transparency
Principle 2: Purpose Limitation
Principle 3: Data Minimisation
Principle 4: Accuracy
Principle 5: Storage Limitation
Principle 6: Integrity & Confidentiality
Principle 7: Accountability. A.5(2): The Data Controller shall be responsible for, and be able to demonstrate, compliance.
Data Subject Consent
Data Subject Notification
Special Categories of Data
Profiling & Automated Decision-Making
Data Protection – Security of Processing
Data Subject Requests
The right of the Data subject to:
Object to Processing of their Personal Data.
Lodge a complaint with the Data Protection Authority.
Request rectification or erasure of their Personal Data.
Request restriction of Processing of their Personal Data.