Your Obligations

Your organisation will be responsible for personal data, whether on a small or large scale. It is an increasingly valuable asset, and it is essential for you to ensure compliance with the regulatory framework that sits around all processing of that data. It is important because it is a legal requirement, but it is also important because it goes to the heart of your business success.
  • First, a caveat: you are not expected to do all of this overnight.
  • Data protection is never ‘done’;
    - it is not a once-a-year box ticking exercise,
    - it is a continuous process, determined by human behaviour, choices and attitudes.

Here are some suggested steps, in no particular order, which you can take to start on the journey:

  • Read up on and increase your own understanding of the Law; this is the single most useful step you can take.

    The data protection principles sit at the core of the compliance requirements of the Law. They set out how personal data must be handled, ensuring that individuals’ rights are respected. The start of your data privacy journey should include learning more about these data protection principles and how they are applied.

    We have prepared a number of useful templates to help you assess your current compliance with the Law.

  • Got a board of directors/management team? Make sure understanding of and compliance with data protection law is firmly on their agenda and that they know they are responsible for it. 

    Data Protection by Design and Default should be at the heart of all decisions made.

    Consider if your organisation is legally obliged to appoint a Data Protection Officer.

  • Add data protection to your risk register.

  • Treat the data you process as you would any other item of value.

    Consider how you are handling data by getting to know the personal data you process. Consider carrying out a data audit to understand:

    - What do you have?
    - Where is it?
    - Who has access to it?
    - What are the policies and procedures around it?

    A comprehensive data audit is fundamental.

  • Understand the purpose of each area of processing, then determine, and document in your data processing or privacy notice, which lawful processing conditions you rely on for it (note: you are likely to be using different conditions for different purposes).

  • Document your processing. This fulfils your legal duty to keep records.

  • Look at each data collection point you have and ensure you are fulfilling your legal obligation to provide detailed information about the processing to people (aka: publish your Data Processing Notice or Privacy Notice).

    If you are relying on consent as your lawful processing condition, check that the method you’re using meets the higher standard required under the law. Remember that there are many other lawful processing conditions you could potentially rely on, as long as you document this in your Privacy Policy and tell people about it.

  • Ensure data protection is covered in your staff contracts and handbook, and hold regular training and awareness-raising activities with all your staff.

    You may wish to do the latter by exploring Project Bijou.

  • Ensure all your staff understand their responsibilities and understand what individuals’ 10 rights are.

  • Ensure you have appropriate security and safeguards around all your data, both electronic and hard copy and that these are documented in your data inventory as part of your data audit.

  • Understand how to handle data breaches and be aware of your legal requirement to report data breaches.

  • Review all relationships you have with third parties where data is involved to ensure that you understand and are happy with their controls and processes.

    Review and update the contracts you have with them.

  • Maintain your annual registration with us. This must be done during January and February each year.

  • Focus on the accountability principle – how will you demonstrate that you are taking responsibility for what you’re doing with people’s data? This is important for your internal governance purposes, but also in case we ask you questions about what you're doing. It's helpful to think of accountability as the bedrock principle of the seven data protection principles in our local Law, as the other six principles sit atop it.

    (Note: in some cases the accountability principle may require you to appoint a Data Protection Officer, or perform Data Protection Impact Assessments, or other measures.)

  • We recognise that data protection can seem challenging at times, and whilst we cannot do your compliance for you, we are very keen to support you in your efforts.

    If you need some help or guidance you can: