��������Ƶ

Note: Links to our free templates are at the bottom of this long guide.
Also note: This is not legal advice

Introduction

Data protection policies are becoming increasingly important for organizations of all sizes in the UK, as they must now comply with the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. These regulations provide a framework to ensure that data is collected, processed, stored, and used lawfully and securely. However, while it is essential to comply with these laws, creating a strong data protection policy should be viewed not just as a legal requirement but also as an important part of an organizations strategy.

Tailoring policies to meet the needs of your specific business is essential; taking into consideration factors such as size and complexity of the organization; volume and type of data being processed; and access control measures such as encryption and secure storage to protect from unauthorized access or misuse. It should also include clear statements on purposes for processing; rights of the data subject; responsibilities for controller/processor; how to respond to data breaches & report them – all steps that are necessary for compliance but also have wider implications for protecting privacy at an organizational level.

Keeping your policy up-to-date is equally important due to ongoing developments in the field - such as preparation for introduction of new ePrivacy regulations in 2021 - so it pays off to keep track with these changes constantly. Organizations should also recognize their obligations towards responsible use of personal data – something which can be achieved by taking account into consideration individuals’ rights – while ensuring this information reaches everyone involved including employees & customers.

The ��������Ƶ team understand that creating high quality legal documents doesn’t always come easy or cheaply - but there’s no need to pay lawyer fees when you have access to our template library today: it’s home to millions of datapoints which help teach our AI what a market-standard Data Protection Policy looks like! Our step-by-step guidance makes drafting documents straightforward even without a ��������Ƶ account so why not put our expertise into practice today? Read on below for more info!

Definitions

Data Protection Act 2018: Law governing the collection, storage, and processing of personal data in the UK.
Personal Data: Information relating to an identified or identifiable natural person.
Sensitive Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or related data protection rights.
Data Protection Principles: Eight standards that must be met in order to comply with the Data Protection Act 2018.
Data Retention Policy: Outlines how long data should be kept for, how it will be stored, and when it should be deleted.
Data Subject Rights: Rights of individuals whose data is being collected, stored, and processed, such as the right to access their personal data or the right to object to the processing of their data.
Data Subject Requests: Requests from data subjects, such as a request for access to their personal data or a request for rectification of inaccurate data.
Data Protection Impact Assessments: Assessments that evaluate how data is being collected, stored, and processed, and identify any potential risks or vulnerabilities.
Data Subject Access Requests: Requests from customers for access to their personal data.
International Data Transfers: Transferring data between countries.
Data Transfer Agreements: Agreements between parties involved in international data transfers, specifying how the data should be transferred.
Appropriate Security Measures: Measures to protect data during transfer, such as encryption algorithms and secure communication protocols.
Data Breaches: Unauthorized access to, or misuse of, personal data.
Data Rectification: Process to correct any errors or omissions in data.
Data Erasure: Process to securely delete data.

Contents

1. Understanding the legal requirements for data protection in the UK
2. Clarifying the purpose of collecting data and the types of data you will collect
3. Introducing security measures for data storage and processing
4. Establishing proper access controls
5. Establishing an audit log
6. Establishing a secure data backup and recovery system
7. Establishing encryption and secure communication protocols
8. Establishing a data retention policy
9. Outlining processes for data access, use, and disclosure
10. Establishing roles and responsibilities for data handling
11. Establishing secure data transfer protocols
12. Establishing a data sharing agreement
13. Establishing processes for data rectification and erasure
14. Establishing a process for rectifying inaccurate data
15. Establishing a process for erasing data
16. Establishing data subject rights
17. Establishing procedures for informing data subjects of their rights
18. Establishing a procedure for handling data subject requests
19. Establishing procedures for data breaches
20. Establishing a system for recording and monitoring data breaches
21. Establishing a system for notifying data subjects of breaches
22. Establishing a system for identifying and addressing the cause of a breach
23. Establishing a procedure for data protection impact assessments
24. Establishing a procedure for handling customer data subject access requests
25. Establishing procedures for international data transfers
26. Establishing data transfer agreements
27. Establishing appropriate security measures
28. Establishing a procedure for monitoring data protection compliance
29. Establishing regular compliance audits
30. Establishing a system for recording and monitoring compliance issues

Get started

Understanding the legal requirements for data protection in the UK

• Read and understand the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to understand the legal requirements for data protection in the UK
• Learn the 8 data protection principles, including the need for data to be processed lawfully and securely
• Research the rights of individuals (data subjects) in the UK and how they relate to data protection
• Become familiar with the GDPR terminology, such as ‘Controller’, ‘Data Processor’, and ‘Data Subject’
• Understand the implications of data protection laws, such as the potential for fines for non-compliance
• Check off this step when you feel confident that you understand the legal requirements for data protection in the UK.

Clarifying the purpose of collecting data and the types of data you will collect

• Identify the purpose for which you are collecting data and identify the type of data you will be collecting
• List the potential sources of the data you are collecting
• Determine the categories and types of data you will need to collect
• Decide who you will share the data with and how it will be used
• Establish a system to document and manage data collection, storage and processing
• Set up a system to monitor and review the data you are collecting

You’ll know when you can check this off your list and move on to the next step when you have identified the purpose and type of data you will be collecting, listed the potential sources, determined the categories and types of data you will need to collect, decided who you will share the data with and how it will be used, established a system to document and manage data collection, storage and processing, and set up a system to monitor and review the data you are collecting.

Introducing security measures for data storage and processing

• Assess the risks to the data you are collecting and storing.
• Implement technical and organizational measures to protect the data from unauthorized access, accidental loss, destruction, or damage.
• Ensure that any third-party used for data storage and processing meets Data Protection Act compliance standards.
• Consider the use of encryption for data in transit and at rest.
• Ensure that any data stored electronically is backed up regularly.
• Ensure that logs of all data processing activities are maintained.

You can check off this step and move on to the next step when you have completed the assessment of risks and implemented the necessary measures to protect data from unauthorized access, accidental loss, destruction, or damage. You should also have ensured that any third-party used for data storage and processing meets Data Protection Act compliance standards, considered the use of encryption for data in transit and at rest, ensured that any data stored electronically is backed up regularly, and ensured that logs of all data processing activities are maintained.

Establishing proper access controls

• Establish a set of access controls for all users accessing data, including authentication and authorization.
• Ensure that all access is documented, and that user access is regularly reviewed.
• Set up a process for granting access to data, and for revoking access when necessary.
• Ensure that all users understand their responsibilities in terms of data protection, and that they are aware of any restrictions on the use of data.
• Document any access control measures in a data protection policy.

You’ll know when you can check this off your list and move on to the next step when you have established a set of access controls for all users accessing data, including authentication and authorization, and have documented any access control measures in a data protection policy.

Establishing an audit log

• Set up an audit log to track who has accessed or attempted to access the data
• Include in the log the date and time of any access, the user’s name, and the type of access (read, write, update, delete, etc.)
• Set up the log to record unsuccessful attempts as well as successful ones
• Monitor the log for any suspicious activity
• Ensure that the audit log is kept secure and only accessible by authorized personnel
• When the audit log is set up and monitored, this step is complete and you can move on to the next step.

Establishing a secure data backup and recovery system

• Identify and document the data that needs to be backed up.
• Set up a backup schedule for the data that needs to be backed up and ensure that it is adhered to.
• Ensure that the data is stored in a secure environment and is regularly tested.
• Establish procedures for recovering the data in the event of a system failure.
• Test the backup and recovery system regularly to ensure that it is working efficiently and effectively.
• When the backup and recovery system is established and tested, it is ready for use and can be checked off your list.

Establishing encryption and secure communication protocols

• Identify which encryption protocols will best protect data from unauthorized access
• Implement secure communication protocols to protect data during transmission
• Ensure all software and hardware used to store and transmit data has up-to-date security patches
• Develop a process to regularly evaluate and update the encryption and communication protocols
• Test the encryption and communication protocols to ensure they are secure and reliable
• Once all encryption and communication protocols have been implemented and tested, check this off your list and move on to the next step.

Establishing a data retention policy

• Determine what data you need to retain and for how long
• Consider industry regulations and best practices for data retention
• Document which data you need to retain and for how long
• Set up a system for data retention, such as automated deletion processes
• Make sure that all stakeholders, especially those responsible for data management, are aware of the data retention policy
• Monitor and review the data retention policy regularly to make sure it is up to date with relevant laws and regulations
• When all steps have been completed and the policy is in place, check it off your list and move on to the next step.

Outlining processes for data access, use, and disclosure

• Define the criteria for granting access to personal data, including what types of access are allowed and who is permitted to access it
• Specify the purpose for which each type of access is allowed
• Create guidelines and procedures for data use, including the security measures that must be taken to ensure that personal data is not misused
• Define the circumstances in which personal data may be disclosed to third parties, and the measures to be taken to ensure that the data is not misused or shared beyond what is permissible
• Establish a clear process for requesting and granting consent from individuals for the use or disclosure of their personal data
• Create a detailed record-keeping system for tracking access, use, and disclosure of personal data

You’ll know you can check this step off your list and move on to the next step when you have a clear and comprehensive policy outlining processes for data access, use, and disclosure.

Establishing roles and responsibilities for data handling

• Identify key personnel and assign roles and responsibilities related to data handling
• Create job descriptions outlining each role’s data-handling responsibilities
• Develop a system to monitor data handling processes
• Create a training program to ensure all personnel are properly trained and understand their data-handling responsibilities
• Establish a system to review roles and responsibilities on a regular basis

Once you have identified key personnel, assigned roles and responsibilities related to data handling, created job descriptions outlining each role’s data-handling responsibilities, developed a system to monitor data handling processes, created a training program to ensure all personnel are properly trained and understand their data-handling responsibilities, and established a system to review roles and responsibilities on a regular basis, you can check this off your list and move on to the next step.

Establishing secure data transfer protocols

• Establish which data transfer protocols are allowed on the network, such as FTP, SFTP and HTTPS.
• Consider which protocols you should use to transfer data to external parties.
• Ensure your data transfer protocols are secure, and cannot be accessed by unauthorized parties.
• Establish secure passwords and authentication methods to protect your data transfer protocols.
• Make sure your data transfer protocols are regularly updated to ensure they remain secure.
• Once you have established secure data transfer protocols, document them in your data protection policy.

How you’ll know when you can check this off your list and move on to the next step:

• You will know you can move on to the next step when you have established secure data transfer protocols and documented them in your data protection policy.

Establishing a data sharing agreement

• Identify the data sharing parties
• Assess and document the purpose, scope and duration of the data sharing
• Assess and document the necessary data protection measures
• Create a data sharing agreement, including an obligation to adhere to data protection principles, security measures, confidentiality and data subject rights
• Ensure that the data sharing agreement is reviewed and updated regularly
• When all parties have agreed to the data sharing agreement, you can move onto the next step of establishing processes for data rectification and erasure.

Establishing processes for data rectification and erasure

• Create a process for your organization that outlines how you will respond to customer requests for rectification and erasure of personal data
• Ensure that any requests for rectification or erasure of personal data are responded to in a timely manner
• Document the process for rectification and erasure of personal data, including the timeframe for responding to customer requests
• Train staff on the process for rectification and erasure of personal data
• Monitor the process for rectification and erasure of customer data to ensure compliance
• Once you have created a process for data rectification and erasure, you can move on to the next step of establishing a process for rectifying inaccurate data.

Establishing a process for rectifying inaccurate data

• Establish a process for rectifying inaccurate data, including identifying the types of data that need to be rectified, identifying the process for rectifying data, and defining roles and responsibilities for rectifying data.
• Develop a process for reviewing, approving, and updating rectification requests.
• Ensure that the rectification process is documented and communicated to the relevant staff members.
• Test the process to ensure it works properly.
• When the process is established and tested, check this step off your list and move on to the next step: Establishing a process for erasing data.

Establishing a process for erasing data

• Decide which kind of data you will delete (e.g. all data, certain kinds of data, or specific records)
• Put in place processes and procedures to ensure data can be securely and efficiently erased when necessary
• Make sure that you have the appropriate technical systems in place to ensure data can be deleted
• Establish a system to periodically review and audit data deletion practices
• Ensure that all staff are aware of the data erasure process and how to execute it
• Once all these steps are implemented, you can check off this step and move on to the next step of establishing data subject rights.

Establishing data subject rights

• Understand the rights of data subjects as outlined in the General Data Protection Regulation (GDPR)
• Ensure that data subjects can access, rectify, and erase their personal data
• Create a process for data subjects to exercise their rights
• Implement a procedure for informing data subjects of their rights
• Document how you are fulfilling the data subject rights
• When these procedures are in place and documented, you can move on to the next step of establishing procedures for informing data subjects of their rights.

Establishing procedures for informing data subjects of their rights

• Create a procedure for informing data subjects of their rights under the GDPR and UK Data Protection Act 2018.
• Ensure that the procedure is clear, concise, and easily understandable for all data subjects.
• Develop a process for providing data subjects with the information they need to understand their rights.
• Make sure that data subjects are aware of their right to access, rectify, delete, or limit the use of their personal data.
• Outline the steps that data subjects need to take to exercise their rights.
• Publish the procedure on your website or in a printed form.

When you can check this off your list and move on to the next step:

• When you have created a procedure for informing data subjects of their rights and have made sure that it is clear, concise, and easily understandable.

Establishing a procedure for handling data subject requests

• Set up a procedure for responding to data subject requests, such as requests to access their data, change their data, or delete their data.
• Create a process for dealing with data subject requests within a timeframe set out in data protection law.
• Set out the process for verifying the identity of data subjects.
• Make sure the process for handling data subject requests is clear and easily accessible to data subjects.
• Communicate the process for dealing with data subject requests to staff and ensure they understand how to process them.

You can check this off your list and move on to the next step when you have written out the procedure for responding to data subject requests, set out the process for verifying the identity of data subjects, created a process for dealing with data subject requests within the timeframe set out in data protection law, made sure the process is clear and easily accessible to data subjects, and communicated the process to staff.

Establishing procedures for data breaches

• Create a protocol for when to divulge information about a data breach to the Information Commissioner’s Office (ICO), relevant data subjects and other third parties.
• Create a protocol for when to conduct a data breach risk assessment.
• Establish a process for regularly assessing the effectiveness of data breach protocols.
• Establish a system for recording and monitoring data breaches.
• Create a protocol for how data breaches should be investigated.
• Create a protocol for how to respond to data breaches.

Once all the protocols are created and documented, this step can be checked off the list and the next step can be begun.

Establishing a system for recording and monitoring data breaches

• Create a system that captures and stores data about any potential data breaches
• This system should contain information about the breach (date, time, type, affected data, etc.)
• Establish a process for monitoring the system, ensuring that all potential breaches are recorded and analyzed
• Set up a timeline for regularly reviewing the system and records
• Make sure you have a system in place to identify any trends or patterns in the data that may indicate a need for additional security measures
• When the system is in place and operational, you can mark this step as complete and move on to the next one.

Establishing a system for notifying data subjects of breaches

• Determine who is responsible for notification of data subjects in the event of a breach.
• Establish procedures for notifying data subjects of a breach, including how and when notification should be done.
• Establish communication channels for notifying data subjects, such as email, text message, or letter.
• Determine the information that needs to be included in the notification, such as what data was breached and what steps the data subject can take in response to the breach.
• Put in place processes and procedures for verifying data subject contact details.
• Establish a timeline for notifications, and ensure that notifications are made within the required timeframe.
• Review the data subject notification system periodically to ensure it is still effective.

You will know you have completed this step when you have established a system for notifying data subjects of breaches and have verified that it meets the requirements of the law.

Establishing a system for identifying and addressing the cause of a breach

• Identify the potential causes of data breaches, such as security vulnerabilities, inadequate access control, malicious or accidental human behaviour
• Develop procedures for identifying and addressing the causes of data breaches, including assessing the level of risk and the potential impact on individuals
• Make sure that appropriate technical and organisational measures are taken to address and mitigate the causes of data breaches
• Monitor the effectiveness of the measures taken to address and mitigate the causes of data breaches
• Ensure that appropriate corrective and preventative action is taken to address and mitigate the causes of data breaches
• When you have established a system for identifying and addressing the causes of data breaches, you can move on to the next step of establishing a procedure for data protection impact assessments.

Establishing a procedure for data protection impact assessments

• Create a process to identify when a Data Protection Impact Assessment (DPIA) is necessary
• Assign a lead individual to oversee the DPIA process and make sure they have adequate support and resources available
• Establish a process to review the potential impact of each project on individual rights
• Identify internal and external resources to assist with the DPIA process
• Develop a template for completing DPIAs and make it available to relevant personnel
• Set a timeline for completing DPIAs
• Establish a process for assessing the effectiveness of DPIAs
• Review the DPIA process regularly and make changes where necessary

You’ll know that you can check this off your list and move on to the next step when you have developed a DPIA process that you are confident follows the GDPR regulations.

Establishing a procedure for handling customer data subject access requests

• Establish a procedure for handling customer data subject access requests.
• Establish a system for identifying the personal data of customers which needs to be disclosed.
• Identify who is responsible for responding to subject access requests.
• Establish a system to ensure that customer data subject access requests are handled within a reasonable timeframe.
• Make sure that appropriate records are kept of customer data subject access requests and the responses.
• Educate staff on the subject access request procedure.

You can check this step off your list and move on to the next step when you have established a procedure for handling customer data subject access requests, put a system in place for identifying the personal data of customers which needs to be disclosed, identified who is responsible for responding to subject access requests, established a system to ensure that customer data subject access requests are handled within a reasonable timeframe, ensured that appropriate records are kept of customer data subject access requests and the responses, and educated staff on the subject access request procedure.

Establishing procedures for international data transfers

• Check whether any international data transfers are necessary
• Identify what data will be transferred, where it will be transferred to, and how it will be transferred
• Consider whether additional safeguards are necessary for the transfer
• Put the necessary procedures and safeguards in place
• Document the procedures and safeguards

Once the necessary procedures and safeguards are in place and documented, you can check this step off your list and move on to the next step.

Establishing data transfer agreements

• Research and review the data protection laws and regulations in any country you plan to transfer data to
• Draft and sign a data transfer agreement with each country that complies with their laws
• Make sure that each agreement includes the necessary provisions to protect data
• Obtain any necessary approvals or notifications from authorities, data protection authorities or other regulatory bodies
• Monitor any changes in the laws or regulations of the countries you transfer data to
• When all necessary data transfer agreements have been signed and any necessary approvals or notifications have been obtained, this step can be marked as complete and you can move on to the next step of establishing appropriate security measures.

Establishing appropriate security measures

• Identify the appropriate security measures to be implemented, such as encryption, authentication, access control, secure storage and backup, etc.
• Develop procedures for securing data and set up the necessary systems.
• Train staff in how to protect data, such as physical and digital security measures.
• Implement measures to prevent, detect and respond to security incidents, such as regular system checks and data backups.
• Test the effectiveness of security measures in place.

You’ll know that you have completed this step when you have identified the appropriate security measures, developed and implemented the necessary procedures, trained staff, and tested the effectiveness of these measures.

Establishing a procedure for monitoring data protection compliance

• Create clear, written processes and procedures that outline the steps to be taken to ensure data protection compliance.
• Define roles and responsibilities for data protection compliance, and communicate these to those affected.
• Make sure that all staff understand the process and procedure for monitoring data protection compliance.
• Develop a data protection compliance checklist that can be used to ensure compliance.
• Establish a timetable for assessing, reviewing and updating the data protection policy on a regular basis.
• Set up regular monitoring and reporting of data protection compliance.

When you can check this off your list:

• When the process and procedure for monitoring data protection compliance is clearly defined, communicated to those affected and understood by all staff.
• When a data protection compliance checklist is created.
• When a timetable for assessing, reviewing and updating the data protection policy is established.
• When regular monitoring and reporting of data protection compliance is set up.

Establishing regular compliance audits

• Identify key areas of compliance for which regular audits are required
• Assign responsibility for conducting the audits to someone in the organisation
• Set a schedule for performing compliance audits and ensure that this is communicated to all relevant personnel
• Ensure that the audits are conducted by qualified personnel and that the audit results are documented
• Ensure that any areas of non-compliance are addressed in a timely manner
• Monitor audit results to identify any trends or issues that need to be addressed
• Ensure that any areas of non-compliance are addressed in a timely manner

Once the regular compliance audits are established, the next step of establishing a system for recording and monitoring compliance issues can be completed.

Establishing a system for recording and monitoring compliance issues

• Set up a system for logging and monitoring any compliance issues
• This should include a process for recording any reported issues, tracking resolutions and corrections, and establishing any measures for preventing future issues
• Establish who will be responsible for monitoring and reporting any compliance issues
• Assign clear roles and responsibilities for the management of the system
• Make sure the system is regularly reviewed, updated and maintained
• When you are satisfied that a system is in place for recording and monitoring compliance issues, you can check this off your list and move on to the next step.

FAQ

Q: What are the differences between a Data Protection Policy in the UK and the US?

Asked by Jeffrey on 7th June 2022.
A: The UK has a comprehensive data protection regime under the GDPR and the Data Protection Act 2018, while the US has a sectoral approach to data protection. In the US, data protection is regulated by various federal and state laws, including HIPAA (healthcare), FCRA (credit reporting), COPPA (children’s online privacy) and GLBA (financial services). There are also sector-specific laws that provide different levels of data protection. In addition, each state has its own set of data protection laws and regulations. For example, California has some of the most stringent state data privacy laws in the country.

Q: What are some best practices for creating a Data Protection Policy in the UK?

Asked by David on 15th August 2022.
A: When creating a data protection policy in the UK, it is important to ensure that you comply with all applicable laws, including the GDPR and Data Protection Act 2018. It is also important to ensure that you comply with any industry-specific regulations or codes of practice. Best practice would include an introduction to data protection, an explanation of how personal data is collected and used, details of how personal data is stored and secured, details of access rights for individuals, and an outline of how complaints are handled. Additionally, it is important to ensure that any third parties you use for processing or storing personal data have appropriate security measures in place. Finally, it is important to ensure that you have adequate policies and procedures in place for responding to requests for access or rectification of personal data.

Q: How do I make sure my Data Protection Policy complies with EU law?

Asked by Jessica on 13th July 2022
A: To ensure your data protection policy complies with EU law, it must adhere to the principles set out in the GDPR and Data Protection Act 2018. These include principles such as transparency, purpose limitation, storage limitation, accuracy and accountability. Additionally, it is important to ensure that any processing activities you undertake comply with the GDPR’s ‘lawfulness’ principle – i.e., that processing is necessary for a lawful purpose. Furthermore, if you are transferring personal data outside of the EU, you must take steps to ensure that it is adequately protected in accordance with EU law (e.g., through standard contractual clauses approved by the European Commission).

Q: Do I need a Data Protection Policy if my business does not process personal data?

Asked by Matthew on 14th October 2022.
A: While it is not strictly necessary to have a data protection policy if your business does not process personal data, it may still be advisable to have one in place as a way of demonstrating your commitment to protecting personal information should you ever start processing it in future. Additionally, having a policy will help ensure that any processing activities are compliant with applicable laws such as GDPR or Data Protection Act 2018 should your business ever start to process personal information in future.

Q: How can I make sure my Data Protection Policy applies across all jurisdictions?

Asked by William on 3rd April 2022.
A: As different countries have different laws and regulations when it comes to protecting personal information, it can be difficult to make sure your policy applies across all jurisdictions. One way to do this is by ensuring that your policy complies with all applicable international laws on data protection – such as GDPR and/or relevant sector-specific laws – as well as any local requirements where applicable (e.g., California’s Consumer Privacy Act). Additionally, you should take steps to ensure that any third parties you use for processing or storing personal information are compliant with applicable laws wherever they are based. Finally, it is also important to ensure that you provide adequate rights for individuals whose information you process – such as access rights and rectification rights – regardless of jurisdiction.

Q: What do I need to include in my Data Protection Policy if my business sells products online?

Asked by John on 5th December 2022.
A: If your business sells products online then there are certain things you need to include in your Data Protection Policy which relate specifically to this type of activity – such as how you collect and store payment details; how refunds are processed; how customer queries are handled; what measures are taken when collecting customer information; how customer information is used for marketing purposes; and how customers can opt out from receiving marketing communications from your business. Additionally, it’s important to ensure that any third parties you use for collecting or storing customer information have adequate security measures in place and comply with relevant laws such as GDPR or relevant sector-specific laws where applicable (e.g., PCI DSS).

Q: What should I do if I receive a request from an individual asking me to delete their personal information?

Asked by Joseph on 19th November 2022.
A: If you receive a request from an individual asking you to delete their personal information then you must take steps to comply with their request within one month (unless there are exceptional circumstances). This includes deleting their personal information from any databases where it is stored (or anonymising it so that it cannot be linked back to them) and informing any third parties who may also hold their personal information about the request so they can take steps to delete or anonymise it as well. Additionally, if you have shared the individual’s personal information with anyone else then you must inform them too so they can take steps to delete or anonymise it too where necessary. Finally, once your response has been completed then it’s good practice to inform the individual concerned about what action has been taken so they know their request has been dealt with appropriately.

Q: What should I do if I discover my business has suffered a breach of its Data Protection Policy?

Asked by Christopher on 22nd February 2022.
A: If your business discovers that its data protection policy has been breached then it must take immediate steps to investigate what happened and contain any potential risk posed by the breach (e.g., through implementing security measures such as password resets). It must also notify both individuals whose information may have been compromised (where required) as well as relevant authorities such as the Information Commissioner’s Office (ICO). Finally, your business should review its policies and procedures related to data protection so that similar breaches can be prevented in future.

Example dispute

Suing a Company for Not Following Data Protection Policies

• The plaintiff must be able to demonstrate that the company failed to abide by the data protection policy that the company had in place.
• The plaintiff must show that the company’s actions or negligence led to a breach of data or other harm to the plaintiff.
• The plaintiff must also show that the company was responsible for the breach of data or other harm, and that it was not the result of an external malicious attack.
• If successful, the plaintiff may be entitled to damages such as compensation for any losses incurred as a result of the breach.
• The plaintiff may also be able to seek an injunction to prevent the company from continuing to breach the data protection policy.
• The court may also order the company to set up additional measures to ensure the safety of data in the future.

Templates available (free to use)

Data Protection Policy
Data Protection Policy Uk Gdpr Dpa 2018

‍