Storing personal data securely
The rules about storing data
Q1:Can I store personal data?

Yes, although you can only store people's personal data in a way that is compatible with your original purpose for collecting the data. This means that you must:

  1. conduct a data protection impact assessment (DPIA) if appropriate, eg before introducing new technology as your storage solution or if you are required by law to do one (see Q&A 3);

  2. only collect and keep personal data that is actually necessary for the purpose for which you are storing it (see Q&A 7);

  3. make sure that any personal data you store is accurate and kept up-to-date where necessary (see Q&A 11);

  4. not keep personal data for any longer than necessary (see Q&A 12); and

  5. make sure that personal data is stored securely (see Q&A 18 and following).

You will need to have measures in place to comply with the above, including appropriate internal policies and training for your staff. You may be under a legal obligation to appoint a data protection officer (DPO), although most businesses will not need to. In any event, it is good practice to appoint someone to be in charge of data protection, not in a formal capacity as DPO, but rather as someone who has a reasonable knowledge of data protection matters and can help you comply with the law. See Data protection officers and staff training for more information and how to check whether you need a formal DPO or not. It is particularly important that someone has oversight of setting appropriate security measures and ensuring that these are updated on an ongoing basis.


Q2:Does the personal data I store have to be easy to access?

Yes, it is important that you store information in such a way that you will be able to respond promptly to any data subject requests (eg requests for erasure or correction of personal data, or requests for copies of personal data from the individual concerned). Usually, you only have one month to respond to any such request. You should put in place appropriate organisational and technological systems that allow you to quickly locate all of the data you hold on a specific individual, across every system in which it is kept (eg appropriate IT search functions). See Policies and procedures for dealing with data subject requests for full guidance on dealing with these requests and Data subject request policy for a template policy that your staff can use when dealing with them.


Q3:Do I need to carry out a data protection impact assessment before storing personal data?

If you store personal data for the purposes of your own business (ie you are a data controller, not a data processor), you should consider whether you need to carry out a data protection impact assessment (DPIA). It is recommended that you carry out a DPIA before you first start storing personal data or if you are introducing new technologies to store data. It is a legal requirement to do a DPIA in some circumstances, for example if your storage of personal data is likely to result in a high risk to individuals, or if you intend to start storing special category data on a large scale, eg health data.

The purpose of the DPIA is to help ensure that you are storing data securely. You cannot treat it as a box-ticking exercise, and you must give proper consideration to making any security or safeguarding changes to your data storage systems that are suggested as a result of it. Failure to carry out a proper DPIA when required to do so can result in a significant fine of up to £8.7 million or 2% of your global annual turnover (whichever is higher). If in doubt, it is better to carry out a DPIA than not.

See Data protection impact assessments for how to carry out a DPIA. See Data Protection impact assessment policy for an internal policy that you can adapt for your own use, including the ICO's suggested template form for carrying out a DPIA.

See also Q&A 4 for guidance on reviewing impact assessments.


Q4:Do I need to review my data protection impact assessment once it is done?

As best practice, your DPIA should be reviewed and updated on a regular basis, and in particular when you introduce new IT systems for storing your data. See Q&A 18 and following for more information about steps you can take when storing personal data.

See Q&A 5 for information on DPIAs when using a third party to store the personal data, and Q&A 6 on what to do if your DPIA indicates that storage poses a significant risk.


Q5:Do I need to carry out a data protection impact assessment when using a third party to store personal data?

Yes. If you are planning on using a third party to store the personal data held by your business (eg a cloud service provider), you should seek their assistance when carrying out your DPIA. At the very least you will need information about their security measures and what will happen to the data at the end of the storage period.

See Data Protection impact assessment policy for an internal policy that you can adapt for your own use, including the ICO's suggested template form for carrying out a DPIA.

See Q&A 24 for more information on using a third party to store the personal data held by your business.


Q6:What if my data protection impact assessment indicates that storage poses a significant risk?

If your DPIA indicates that your storage of personal data would pose a significant risk to the rights and freedoms of the individuals concerned and you do not think that you will be able to reduce that risk by reasonable means (eg the cost of using available technology is too high), then you must consult the ICO before you begin storing the data.

For example, storing large quantities of bank account and identification details is likely to pose a significant risk, because the consequences to the individuals concerned of a data breach could be very serious. You must reduce the risk, for example by storing the data electronically with encryption, having controls on who can access it, and creating secure backups. If you cannot take these sorts of steps, you must consult with the ICO.


Q7:How do I make sure that I am only storing necessary personal data?

You must only store personal data that is necessary for the purpose for which you collected it, and then only for as long as you need it for that purpose (see Q&A 12 for more information about how long you can store personal data).

You cannot simply change the purpose for which you are storing personal data. You can only keep it for a new purpose if that purpose is compatible with your original one. For example, suppose you receive personal data provided as part of a sales contract. You could not store this data to later use for a marketing campaign unless the customer has consented to their data being used in that way. You are, however, permitted to use the information for purely statistical purposes without having to get further consent, in which case you should consider anonymising the data once the original purpose for storing it has expired.

To ensure that you are only holding necessary personal data:

  1. do not hold irrelevant details. See Q&A 8 for further information;

  2. keep the data you are storing under review. See Q&A 9 for further information; and

  3. consider whether you can store the data in a way that means you cannot identify the person to whom it relates. See Q&A 10 for further information.

Once the data you are holding about an individual is no longer needed for the purpose for which it is being stored, the individual concerned has the right to have that data erased without delay. See Requests to delete data for more information about how to respond to requests to erase personal data and Checklist for responding to a request to delete data for a checklist to help you comply with your legal obligations when doing so.


Q8:Can I store irrelevant data?

No. You should not collect personal data from individuals that you do not need, and you should delete or anonymise any data that you no longer need. This is because you must only store personal data that is necessary for the purpose for which you collected it (see Q&A 7).

For example, if you run a chain of restaurants and a customer provides their address to find out where their nearest restaurant is, you only need to collect their postcode for this purpose and will not need to retain this information once you have responded to their query.

If you need to hold particular information about certain individuals, you should collect and store it for those individuals only. This is particularly important in respect of special category data, such as health information. For example, if you need to obtain specific health information about some of your staff because of the nature of the work they do (eg manual labour), you should not seek to obtain this information from all of your staff, as it would be irrelevant for any member of staff who works in an office.

See Q&A 7 for a full list of considerations when storing data to make sure you only store data that is necessary and you comply with your legal obligations.


Q9:Do I need to review the data that I have stored?

Yes, you must keep the personal data you are storing under review to check whether you still need it for the purpose(s) for which it was collected (see Q&A 12 for more information about how long you can keep data). If you have personal data you no longer need, you must delete or anonymise it. This should be done in line with your data retention and disposal policies (see Q&A 16 for more information about how to delete data securely and Data protection policy for a template policy you can adapt for your business, which you can also create as part of our template Staff handbook and policies).

See Q&A 7 for a full list of considerations when storing data to make sure you only store data that is necessary and you comply with your legal obligations.


Q10:How can I store the data in a way that ensures that individuals cannot be identified?

If you store personal data for the purposes of your own business (ie you are a data controller, not a data processor), you must ensure that personal data is not kept for longer than necessary in a form which allows people to be identified. You could, for example, anonymise data or use pseudonyms to help you to store it more securely.

  1. Anonymisation

    Consider whether you should anonymise certain categories of data (eg data that you are only keeping for purely statistical purposes, such as analytics on your monthly sales). Once you cannot identify the person to whom the information relates, even when combined with any other information you have, the anonymised data no longer falls under data protection law. It can be very difficult in practice to determine whether data has been fully and irreversibly anonymised, so you must take care with how you go about it.

  2. Pseudonymisation

    Pseudonymisation means keeping personal data in a form in which the individual can no longer be identified without the use of additional information, which is kept separately. Unlike completely anonymised data, pseudonymised data can still ultimately be traced back to identify the individual, so it still falls within the scope of data protection law. It is a useful security measure, helping to limit the damage caused in the event that your security measures are compromised (see Q&A 26 for more information about what to do if your security measures are compromised).

    There are several different technical approaches to pseudonymisation (eg hashing) which are outside the scope of this service, but any technique that you use must be considered on a case-by-case basis for the type of data concerned. Note in particular that simply hashing a predictable identifier such as an email address or a National Insurance number is not enough on its own: anyone who can guess candidate values can hash them and compare the results. Hashing with a secret key that is stored separately from the data is what makes the result a genuine pseudonym, and that key is the "additional information" that must be protected.

See Q&A 7 for a full list of considerations when storing data to make sure you only store data that is necessary and you comply with your legal obligations.
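The keyed-hash point above, as an added example that is not code from the original guidance: constructed sample customer records are pseudonymised with HMAC-SHA256 under a randomly generated key held apart from the data set, and a guessing attack is run against both a plain SHA-256 hash and the keyed pseudonym to show that only the former can be reversed. The record fields, the guessed-address list and the key handling are assumptions for illustration.

```python
"""Pseudonymisation with a keyed hash, and why an unkeyed hash is not enough.

Added example, not from the original guidance. The customer records, the
guessed-address list and the key handling below are constructed for
illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample records (fictional people).
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend_gbp": 120},
    {"email": "bob@example.org", "postcode": "M1 1AE", "spend_gbp": 45},
]


def new_pseudonymisation_key() -> bytes:
    """A fresh 256-bit secret. Keep it in a separate, access-controlled
    place (eg a secrets manager), never alongside the pseudonymised data."""
    return secrets.token_bytes(32)


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of a normalised identifier. Looks anonymous, but an
    email address has little entropy, so it can be reversed by guessing."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the same identifier under a secret key. Without the
    key an attacker cannot compute candidate values to compare against."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym and coarsen the
    postcode to its outward code, keeping only what the statistics need."""
    out = []
    for rec in records:
        out.append({
            "pseudonym": keyed_pseudonym(rec["email"], key),
            "postcode_area": rec["postcode"].split()[0],
            "spend_gbp": rec["spend_gbp"],
        })
    return out


def reidentify_by_guessing(target: str, candidates: list,
                           hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash each guessed identifier and compare it with
    the stored value. Returns the matching identifier, or None."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), target):
            return cand
    return None


def demo() -> dict:
    """Run the attack against both schemes and report the outcome."""
    guesses = ["carol@example.net", "alice@example.com", "dave@example.com"]
    # Case 1: plain hash. The attacker recovers the address.
    recovered_plain = reidentify_by_guessing(plain_hash("alice@example.com"),
                                             guesses, plain_hash)
    # Case 2: keyed pseudonym. The attacker has the data but not the key;
    # the best they can do is try a key of their own, which fails.
    key = new_pseudonymisation_key()
    attacker_key = new_pseudonymisation_key()
    stored = pseudonymise(CUSTOMERS, key)
    recovered_keyed = reidentify_by_guessing(
        stored[0]["pseudonym"], guesses,
        lambda e: keyed_pseudonym(e, attacker_key))
    # The legitimate holder of the key can still re-link a record.
    relinked = keyed_pseudonym("alice@example.com", key) == stored[0]["pseudonym"]
    return {"plain_hash_reversed": recovered_plain,
            "keyed_pseudonym_reversed": recovered_keyed,
            "relinked_with_key": relinked}


if __name__ == "__main__":
    print(demo())
```

If you never need to re-link the records (pure statistics), destroy the key after pseudonymising and the output moves much closer to anonymised data; if you do need to re-link, the key is the part of the system a DPIA should treat as the crown jewel.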


Q11:What do I need to do to make sure that the personal data I keep remains accurate?

If you store personal data for the purposes of your own business you must ensure it is kept up to date where necessary, or deleted if inaccurate.

In practice, this means you should correct any inaccuracies that are brought to your attention and review your records periodically to ensure that they are kept up to date. You should also delete data if appropriate.

To ensure the personal data you are storing is accurate you must:

  1. Keep your records up to date

    Whether you need to keep the personal data you are storing up to date depends on why you are keeping it. If you need it to be current (eg bank details for payroll or customer address details for deliveries), you should obviously update it promptly. In most cases it will be clear whether it is appropriate to wait for the individual concerned to tell you about any changes to their personal data or not. For example, you would normally wait for customers to tell you their new contact details if they change, but it may be appropriate to check periodically with your staff that the core personal details you hold about them are up to date.

    Of course, any personal data that you keep as a historical record does not need to be updated.

  2. Correct inaccuracies

    If you find out that any personal data you are storing is inaccurate, you must take all reasonable steps either to rectify or delete it.

    Individuals have the right to request that you rectify any inaccurate personal data that you hold about them. You must deal with any such request promptly, usually within one month of receipt. See Requests to correct inaccurate data for more information about how to respond and Checklist for responding to a request to correct data for a checklist to help you to comply with your legal obligations when doing so.


Data retention
Q12:How long can I store personal data for?

You must only store personal data for as long as it is necessary for the specific purpose(s) for which you collected it, or any related purpose.

For example, if your business has been conducting interviews for a new job, you should arrange for the interview notes to be destroyed after a fairly short period, as the purpose of them was to select a suitable candidate. The only other related use for the notes is to justify your hiring decision in the face of a potential claim for race or sex discrimination by an unsuccessful interviewee, which must be brought within three months. See Hiring staff for more information about your obligations when you are carrying out a recruitment process.

You are permitted to keep personal data indefinitely for statistical purposes after you have finished using it for its original purpose, although you must take appropriate steps to ensure that it is stored securely. Pseudonymisation is likely to be appropriate for some statistical data (see Q&A 10). You are also permitted to keep fully anonymised data indefinitely. As it cannot be traced to an identifiable person, once anonymised it does not qualify as personal data and so is no longer protected by data protection law (see Q&A 10).

Otherwise, there is no universal time period for which you are permitted to store personal data, so each category of personal data will need to be assessed on its own merits. In each case, you might consider:

  1. how long the purpose for which you are collecting the personal data will apply (you are not permitted to hold personal data just in case you might need it for something else);

  2. whether you might need to keep a record of an individual after your relationship ends, eg keeping data about customers who have bought products with a long guarantee period, or keeping basic information about former staff in case you are asked for a reference;

  3. whether you might need the data for any future legal action, eg complaints or claims about products or services you have provided;

  4. if you need to retain certain categories of information for particular periods of time by law (eg certain records must be kept for at least 3 years from the end of the financial year to which they relate); and

  5. any industry standards or guidance from any governing body relevant to your business.


Q13:Do I have to review my retention periods?

Yes. You should keep your stated retention periods under review in case anything changes. When a data retention deadline that you have set passes, review whether or not you do still need the data, and act accordingly. If you do not need it any more, you should securely delete it, or anonymise it.


Q14:Do I have to tell individuals how long I am storing their personal data for?

Yes. Your privacy policies, both for your staff and for other people (eg customers or clients), should say how long you will keep each type of personal data, if possible. See Staff privacy notice for a template (and Staff handbook and policies if you want to generate it as part of a full staff handbook) and Privacy policy for a template for customers for use on your website.


Q15:Can an individual request that I stop storing their data?

Yes. An individual has the right to request that you erase all of their personal data in certain circumstances, eg if the personal data that you are holding about them is no longer necessary for the purpose for which you originally collected it, or if you are storing it on the basis of their consent and they withdraw that consent.

See Requests to delete data for more information about how to respond to requests for erasure of personal data and Checklist for responding to a request to delete data for a checklist to help you to comply with your obligations.


Q16:How do I dispose of personal data securely?

You may need to delete personal data you are storing if:

  1. you have come to the end of the storage or retention period and it is no longer necessary for you to store the data;

  2. the individual concerned has asked that it be deleted;

  3. the ICO or a court has instructed you to delete it; or

  4. you are a data processor and the data controller, at whose direction you are dealing with the data, has requested that you delete the data.

Whatever your reason for doing so, when you delete personal data, you need to ensure that this is done securely and in accordance with your data protection obligations. You must keep a log when electronic personal data is erased, specifying that an item of data was erased on a stated date by a particular person. If your system was set up before 6 May 2016, you do not have to keep such a log until 6 May 2023 if it would be a disproportionate effort to change your system to allow it.

Particular measures that you could take to ensure that erasure takes place securely include:

  1. ensuring that hard copy personal data is shredded, either in-house or using a confidential shredding service;

  2. ensuring that electronic personal data is permanently deleted rather than simply archived. If it is only archived, and can be retrieved, you will still be storing it for the purposes of data protection law;

  3. ensuring that copies of the relevant personal data are also deleted from remote equipment, such as laptops and mobile phones;

  4. ensuring that any back-up copies of the personal data that is being deleted are also erased (or, where a backup cannot be selectively edited, that the data is put beyond use and is overwritten when that backup is next rotated, and is never restored into live systems in the meantime); and

  5. if someone is storing the data for you (eg a cloud provider - see Q&A 24), contacting them to assist with the secure deletion of the information they hold.
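A retention-enforcement job, as an added example that is not code from the original guidance, tying together the retention periods in Q&A 12 and 13 and the erasure measures listed above: each record category carries a retention period and an action (delete or anonymise), expired records are removed from both the live store and the backup copies, an erasure request from a named individual removes everything still attributable to them, and every erasure is written to a log of what was erased, when and by whom. The categories, periods, record layout, sample records and operator name are assumptions for illustration; real periods must come from your own retention policy.

```python
"""Retention enforcement with an erasure log.

Added example, not from the original guidance. The categories, retention
periods, record layout and sample records are constructed for illustration;
take real periods from your own retention policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: category -> (how long to keep, what to do after).
# "anonymise" keeps the statistical fields but strips anything identifying.
RETENTION = {
    "interview_notes": (timedelta(days=180), "delete"),
    "customer_order": (timedelta(days=6 * 365), "delete"),
    "sales_analytics": (timedelta(days=365), "anonymise"),
}

# Fields that survive anonymisation: nothing here identifies a person.
STATISTICAL_FIELDS = {"amount_gbp", "month"}


@dataclass
class Record:
    record_id: str
    category: str
    subject: Optional[str]   # who the data is about; None once anonymised
    created: date
    payload: dict


@dataclass
class Store:
    """Live records plus the backup copies that must be purged alongside them."""
    records: dict = field(default_factory=dict)
    backups: dict = field(default_factory=dict)
    erasure_log: list = field(default_factory=list)

    def add(self, rec: Record) -> None:
        self.records[rec.record_id] = rec
        self.backups[rec.record_id] = dict(rec.payload)

    def log(self, record_id: str, action: str, reason: str, today: date, operator: str) -> None:
        """One log entry per erasure: what, which action, why, when and by whom."""
        self.erasure_log.append({"record_id": record_id, "action": action, "reason": reason,
                                 "date": today.isoformat(), "by": operator})


def is_expired(rec: Record, today: date) -> bool:
    period, _ = RETENTION[rec.category]
    return today >= rec.created + period


def anonymise(store: Store, rec: Record) -> None:
    """Strip identifiers from the live record and replace its backup copy too."""
    rec.subject = None
    rec.payload = {k: v for k, v in rec.payload.items() if k in STATISTICAL_FIELDS}
    store.backups[rec.record_id] = dict(rec.payload)


def delete(store: Store, record_id: str) -> None:
    """Remove the live record and every backup copy, not just the live one."""
    store.records.pop(record_id, None)
    store.backups.pop(record_id, None)


def enforce_retention(store: Store, today: date, operator: str) -> int:
    """Apply the schedule to everything past its retention date; return the count acted on."""
    acted = 0
    for rid, rec in list(store.records.items()):
        if not is_expired(rec, today):
            continue
        _, action = RETENTION[rec.category]
        delete(store, rid) if action == "delete" else anonymise(store, rec)
        store.log(rid, action, "retention period expired", today, operator)
        acted += 1
    return acted


def erase_subject(store: Store, subject: str, today: date, operator: str) -> int:
    """Handle an individual's erasure request: delete every record still attributable
    to them (anonymised records have no subject and are left alone); return the count."""
    hits = [rid for rid, rec in store.records.items() if rec.subject == subject]
    for rid in hits:
        delete(store, rid)
        store.log(rid, "delete", "data subject erasure request", today, operator)
    return len(hits)


def build_sample_store() -> Store:
    """Constructed sample data (fictional people)."""
    store = Store()
    store.add(Record("r1", "interview_notes", "alice", date(2024, 1, 10),
                     {"notes": "strong candidate", "email": "alice@example.com"}))
    store.add(Record("r2", "customer_order", "bob", date(2024, 3, 1),
                     {"amount_gbp": 45, "month": "2024-03", "address": "1 High St"}))
    store.add(Record("r3", "sales_analytics", "bob", date(2023, 1, 1),
                     {"amount_gbp": 45, "month": "2023-01", "email": "bob@example.org"}))
    return store


def run_demo() -> dict:
    """Retention sweep on 1 Sep 2024, then an erasure request from bob the next day."""
    store = build_sample_store()
    expired = enforce_retention(store, date(2024, 9, 1), "jane.ops")
    erased = erase_subject(store, "bob", date(2024, 9, 2), "jane.ops")
    return {"store": store, "expired": expired, "erased": erased}


if __name__ == "__main__":
    result = run_demo()
    for entry in result["store"].erasure_log:
        print(entry)
```

In the sample run the interview notes are deleted (180 days have passed), the analytics record is anonymised and its backup copy replaced, the live order is kept (its 6-year period has not run), and bob's erasure request then removes the order; the anonymised analytics record no longer names him, so it is untouched.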


Q17:Do I have to tell anyone else that I am disposing of an individual's personal data?

If you have made some personal data public and the person concerned requests that you delete it, you must take reasonable steps to inform anyone else who is using it about the request for deletion. What is reasonable will depend on the circumstances, but you must take into account available technology and the cost of any steps you could take. See Requests to delete data for more information about what to do if you get a request for erasure of personal data and Checklist for responding to a request to delete data for a checklist to help you to comply with your legal obligations.


Secure data storage
Q18:What security measures do I need if I am storing personal data in hard copy?

Although it is likely that your business will be storing most of the personal data it has collected electronically (see Q&A 19 below), you may have some hard copy files containing personal data (for example you may have hard copy personnel files about your staff). If this is the case, you will need to make sure that those files are physically secure by putting in place appropriate practical measures and training your staff to use them. The full extent of the security that will be necessary will depend on the type and volume of personal data that you are storing.

For example, you should:

  1. make sure your business premises are physically secure, keep track of access given to anyone outside of your business, and consider the implications of giving that access;

  2. as part of your data protection and IT policies, include procedures about taking hard copy files off your premises (restricting this if practical) and train your staff to appreciate the importance of data protection and of carrying out any other internal data handling policies you have (see Data protection obligations for more information about policies and IT, communications and social media policy and Data protection policy for template policies you can use, which can be produced individually or as part of our template Staff handbook and policies);

  3. use secure cabinets and make sure that only those who need to can access the files you are storing;

  4. make sure that you have appropriate confidential waste bins and that all waste paper with personal data on it is shredded (see Q&A 16 for more information about how to dispose of personal data securely); and

  5. think about whether it would be appropriate for you to store special category data separately from other personal data to make sure that only those who strictly need to access it may do so.

You should regularly test and evaluate the effectiveness of the measures you take to protect the personal data you are storing, to make sure they remain sufficient for your purposes. Document the results of any testing and act on any shortcomings that are found.


Q19:What security measures do I need when I am storing personal data electronically?

The detail of the security measures you should be taking will be heavily dependent on the nature of your business, any relevant industry standards and best practice guidance, what personal data you are storing and what format it takes. In the field of cybersecurity in particular, threats and solutions are always changing, so it is important to keep updating your cybersecurity measures, comprehensive treatment of which is outside the scope of this service. When determining what measures to put into place, you could consider the following:

  1. the physical security of your equipment. See Q&A 20 for more information;

  2. restricting access to personal data. See Q&A 21 for more information;

  3. using encryption. See Q&A 22 for more information; and

  4. cybersecurity measures. See Q&A 23 for more information.

See Q&A 26 for what you should do if your security measures are compromised.

It is likely that your business will store much of the personal data it has collected in an electronic format. This could leave it exposed to a data breach as a result of theft, loss or damage to physical equipment, or of attacks by malicious software, ransomware (which makes your data unusable until you pay a ransom) or phishing emails (fake emails sent to users asking for sensitive information or login details, or carrying malware).

It is important that you make sure that the equipment on which data is stored is physically secure, and the data itself is technologically secure. Train your staff to appreciate the importance of security and of carrying out any internal data handling policies you have (eg an IT policy), including what to do about taking personal data offsite (eg on laptops, USB drives or phones). For template policies you can use setting out appropriate security measures for your staff to follow, use IT, communications and social media policy for a general IT policy and Bring your own device policy for a policy you can use where staff use their own devices for work purposes.

You should regularly test and evaluate the effectiveness of the security measures you take to protect the personal data you are storing, to make sure they remain sufficient for your purposes. Document the results of any testing and act on any shortcomings that are found.


Q20:How can I make sure that my equipment for storing personal data electronically is physically secure?

Options for keeping the personal data you are storing electronically physically secure include:

  1. if you have servers, storing them in a separate room which has additional protection (eg a lock or access codes for entry);

  2. ensuring that back-up or storage devices are kept securely, disconnected and locked away when not in use;

  3. making sure that lost or stolen devices (eg smartphones) can be tracked, locked or wiped remotely (most devices include free web-based tools to do this); and

  4. securely removing all personal data before disposing of old computers (by using software to do this or by destroying the hard disk).

For template policies you can use to set out how your staff should ensure the security of devices, see IT, communications and social media policy for a general policy and Bring your own device policy for a policy you can use when staff are working on their own personal devices.

See Q&A 19 for more information on security measures to take when storing personal data electronically.


Q21:How can I restrict access to personal data that I am storing electronically?

You should restrict access to users and sources that you trust. You can do this in a variety of ways, for example:

  1. use password protection on all equipment, giving each authorised user their own username and password and ensuring that your staff are aware of the risks of disclosing their log-in details to their colleagues;

  2. enforce strong passwords (with two-factor authentication where appropriate and practical) and limit the number of failed login attempts. Note that current NCSC guidance advises against forcing routine password expiry; instead, require a change whenever a password is known or suspected to have been compromised;

  3. only allow authorised users to access, alter, disclose or destroy personal data, and cancel access rights as soon as a member of staff leaves your business;

  4. if appropriate, store special category data separately to ensure that only those who need to access it may do so;

  5. only use administrator accounts where strictly necessary (eg for installing known and trusted software), as attacks such as phishing can be far more damaging if access is gained to an administrator account; and

  6. do not allow untrusted devices to connect to your network, and ensure that your staff consider the risks of using work devices on untrusted networks, including public Wi-Fi hotspots.

For template policies you can use to set out what security measures your staff must adhere to when storing personal data electronically, see IT, communications and social media policy for a general policy and Bring your own device policy for a policy you can use when your staff members are working from their own devices.

See Q&A 19 for more information on security measures to take when storing personal data electronically.


Q22:How do I use encryption to store personal data securely?

You should consider using encryption to ensure that the personal data you are storing can only be accessed by authorised users who hold the correct key to decode it (in practice, a key that is typically unlocked with a strong password). Encryption is particularly helpful for protecting data that is being transferred from one device to another for storage (eg across an internet connection), data that is kept on a portable device (eg a laptop or phone) which may be lost or stolen, and data which you are storing with a cloud service provider (see Q&A 24).

The level of encryption that you use will depend on the risks posed to the personal data stored by your business, but you should ensure that you have a clear encryption policy in place and that you have provided appropriate training to your staff. This should take into account any sector-specific guidance relevant to your business, and you should regularly review your policy and methods of encryption to ensure that they are providing an appropriate level of security. Remember that encryption only protects the data while the key is kept out of reach: keys and passwords must be stored separately from the encrypted data, and you need a secure way of recovering them, or the data will be lost along with them.

See Q&A 19 for more information on security measures to take when storing personal data electronically.


Q23:What cybersecurity measures can I take to store personal data securely?

The () estimates that half of all have experienced a cyber at some point. It is therefore important that you put in place measures to provide protection from cyber attacks which could compromise the of the you are storing.

The has a guide for small businesses which contains suggestions for improving cyber within your organisation. Steps that you should consider taking include the following:

  1. Back up your data

    Make regular backups of the that you store to ensure that it can be quickly restored in the event of natural disasters (eg fire or flood), theft or ransomware attacks (which make your data or systems unusable until you pay a ransom).

    If practical, at least one of your back up copies should be kept off-site, or at the very least, separate from your network, and you should ensure there are strict measures in place. For example, you might consider restricting access to backups to certain individuals within your organisation. Consider using cloud services as a cost-effective and efficient way of backing up your files automatically (see Q&A 24 for more information about cloud services), but do not use cloud syncing services as your only backup.

  2. Malware protection

    Malware is malicious software or web content (eg viruses) that can harm your business by infecting your software. To prevent malware from your data , you should:

    1. ensure that you have suitable, up to date anti-virus or anti-malware and anti-spyware software installed on all computers and laptops, and act upon any alerts that you receive;

    2. switch on your boundary firewalls (most operating systems now include them);

    3. switch on internet gateways to prevent your from accessing websites or other online services that could be a threat and prevent from downloading apps or other products from unknown sources;

    4. ensure that your computer equipment, software, mobile phones and apps are maintained and software is kept up to date, and remove unused software and services from your devices. In particular, you should install updates as soon as they are available and use the most up-to-date versions of operating systems and apps;

    5. consider restricting how USB drives and memory cards are used by your to transfer files (eg by only permitting them to use approved drives on business devices); and

    6. consider signing up to the Action Fraud Alert Service (this is a free service) to receive updates about cyber scams and fraud in your area.

  3. training

    Train your to:

    1. recognise and deal with threats such as phishing emails and other malware (eg emails in relation to services you have not used with attachments containing malware, or emails containing poor grammar or from illegitimate email addresses)

    2. use strong passwords (eg with a combination of letters, numbers and other characters) which are changed regularly. Note that the recommends using two- authentication for important accounts where possible; and

    3. understand what steps to take (eg who to report to) if they believe your business has been the victim of a cyber attack (see Q&A 26 for further guidance).

    For template policies you can use to set standards for your staff to adhere to, see IT, communications and social media policy for a general policy and Bring your own device policy for a policy you can use when staff members are working off their own devices.
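    The phishing indicators listed in point 1 above (emails about services you do not use, unexpected attachments, suspicious sender addresses) can be turned into a simple triage check that staff or a mail gateway can run before anyone opens an attachment. The script below is an added example written for this page, not code supplied by the page's author or by any named vendor; the supplier list, the sample messages and the indicator names are all constructed assumptions for illustration.

```python
"""Triage incoming email for common phishing indicators (added example)."""
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allowlist of suppliers your business actually uses: brand keyword
# in the display name -> the domain that brand legitimately sends from.
KNOWN_SUPPLIERS = {"acme": "acme.example"}

# File extensions that should never arrive as an unsolicited attachment.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso")

# Pressure language typical of social-engineering lures.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")


def _domain(address_header: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> list:
    """Return a sorted list of indicator names found in the message."""
    indicators = set()
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(str(msg.get("From", "")))

    # 1. Display name claims a known supplier but the domain is not theirs.
    for brand, real_domain in KNOWN_SUPPLIERS.items():
        if brand in display_name.lower() and from_domain != real_domain:
            indicators.add("display_name_impersonation")

    # 2. Replies would go somewhere other than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_domain:
        indicators.add("reply_to_mismatch")

    # 3. Executable or script attachments, including "invoice.pdf.exe" tricks.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.add("risky_attachment")

    # 4. Urgency language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        indicators.add("urgency_language")

    return sorted(indicators)


def build_sample(from_addr, reply_to, subject, body, attachment_name=None):
    """Construct a sample message in memory (constructed test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["To"] = "you@yourbusiness.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00\x01", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def suspicious_sample():
    return build_sample("Acme Accounts <billing@acme-paymnts.example>",
                        "collect@mailbox-free.example",
                        "URGENT: overdue invoice attached",
                        "Please open the attached invoice imediately.",
                        "invoice.pdf.exe")


def legitimate_sample():
    return build_sample("Acme Accounts <billing@acme.example>", None,
                        "Invoice 1042 for March",
                        "Your invoice is attached. Thanks.",
                        "invoice-1042.pdf")


if __name__ == "__main__":
    print("suspicious:", triage(suspicious_sample()))
    print("legitimate:", triage(legitimate_sample()))
```

    Any non-empty result is a prompt to stop and report the message through the route described in Q&A 26 rather than open it; the checks are deliberately simple so the logic can be explained to staff as part of training, and the supplier allowlist is the part you would maintain for your own business.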

  4. Consider what additional steps will need to be taken if your staff work remotely

    When your staff are working from home there may be additional cyber security measures your business will need to take to address new vulnerabilities. See Staff working from home for further guidance.

  5. Consider signing up to the Cyber Essentials certification scheme

    If you want to reassure your clients or customers that you store their data in a secure environment, protected against cyber attacks, you could consider signing up to the government-backed Cyber Essentials certification scheme.

See Q&A 19 for more information on measures to take when storing personal data electronically.


Q24: What security measures do I need if I am outsourcing the storage of personal data (eg to the cloud)?

When you outsource storage of personal data, you must have in place a written contract with your storage provider (called a data processor), and you must ensure that the provider gives you sufficient guarantees that their data storage is secure enough to meet your needs under data protection law. Check any standard term contract that you are provided with to make sure it requires the storage provider to:

  1. keep any personal data confidential;

  2. take appropriate and proportionate security measures when storing personal data for you;

  3. only act on your instructions in respect of the personal data (unless they are under a legal requirement to do otherwise);

  4. assist you (as far as possible) to comply with data protection law, including helping you respond to any data subject requests you receive (see Data subject requests in general for more information about how to deal with these); and

  5. delete or return to you all of the personal data being stored on your behalf when the contract ends (unless they are legally obliged to keep a copy).

For more information about sharing personal data, see The rules about sharing personal data.

Outsourcing your data storage (or other IT requirements) can be a highly cost-effective storage solution. Many businesses choose to use cloud storage, including for personal data.

See Q&A 25 for information on the risks associated with outsourcing data storage.


Q25: What are the additional security risks associated with outsourcing data storage?

When outsourcing data storage, you must consider the additional risks that sharing the data could present, and assess the measures that the storage provider has in place to make sure that they are appropriate and adequately address the risks posed. In particular:

  1. consider encrypting data before sending it to your storage provider to make sure that it can only be accessed by authorised users (see Q&A 19 for more information about encryption). Make sure you have access controls in place, especially for remote access to the cloud (eg two-factor authentication);

  2. make sure that you know where the personal data is being stored by your storage provider. If the data will be stored outside of the UK, you must ensure that the country concerned has adequate safeguards or that you have other safeguards in place, such as suitable clauses in a contract between your business and the storage provider. See Sharing personal data outside the UK for how to go about checking this;

  3. make sure that you are kept informed about any changes to your storage provider's arrangements and keep your relationship with them under review;

  4. consider putting in place a process that will alert you if there is any unauthorised access, deletion or modification of the personal data you are storing; and

  5. check whether the storage provider adheres to any approved code of conduct or certification mechanism in respect of personal data.
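Point 4 above asks for a process that tells you when data held by a provider has been modified or deleted without authorisation. One way to get that without relying on the provider's own reporting is to keep, on your side, a keyed integrity manifest of everything you hand over and re-check it on a schedule. The script below is an added example written for this page, not code from the page's author or from any storage provider; the secret key, directory layout and file contents are constructed for the demonstration, and the stored directory stands in for the provider-side copy. It uses only the Python standard library, so it covers integrity and tamper detection only; encrypting the content itself before upload (point 1) should be done with a vetted cryptography library and is not shown here.

```python
"""Keyed integrity manifest for data held by a third-party storage provider (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_tag(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file's contents, keyed with a secret the provider never sees.
    Using a keyed tag (rather than a plain hash) means the provider cannot
    recompute a matching manifest entry after altering a file."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Map each file under root (relative POSIX path) to its integrity tag."""
    return {
        p.relative_to(root).as_posix(): file_tag(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, key: bytes, manifest: dict) -> dict:
    """Compare the stored copy against the manifest you kept locally.
    Returns the names of files that were modified, deleted or added; any
    non-empty list is the alert condition described in the guidance."""
    current = build_manifest(root, key)
    return {
        "modified": sorted(
            name for name, tag in manifest.items()
            if name in current and not hmac.compare_digest(tag, current[name])
        ),
        "deleted": sorted(name for name in manifest if name not in current),
        "added": sorted(name for name in current if name not in manifest),
    }


def run_demo() -> dict:
    """Build a constructed data set, record its manifest, then simulate
    provider-side changes and show what the check reports."""
    key = b"local-secret-key-example"  # constructed; keep the real key off the provider
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # stands in for the copy held by the storage provider
        (root / "customers.csv").write_bytes(b"id,name\n1,Ann\n")
        (root / "invoices").mkdir()
        (root / "invoices" / "2024-03.json").write_bytes(b'{"total": 120}')
        (root / "notes.txt").write_bytes(b"hello")

        # The manifest is serialised and kept on your own systems, separately
        # from the provider, so it can be compared later.
        manifest_json = json.dumps(build_manifest(root, key))

        # Simulated unauthorised events on the provider side.
        (root / "customers.csv").write_bytes(b"id,name\n1,Ann\n2,Bob\n")  # modified
        (root / "notes.txt").unlink()                                     # deleted
        (root / "rogue.bin").write_bytes(b"\x00")                          # added

        return verify_manifest(root, key, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running `run_demo()` reports `customers.csv` as modified, `notes.txt` as deleted and `rogue.bin` as added. In practice you would run `verify_manifest` against a fresh download (or the provider's object listing plus content hashes, where the provider exposes them) on a schedule, treat any non-empty list as an incident to investigate under Q&A 26, and store the key and manifest somewhere the provider cannot reach.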

Note that if you are using personal data at the direction of another business (ie you are a data processor), you must not outsource the storage of that data without prior authorisation from them.

For more information about your obligations when transferring personal data to a cloud storage provider or other data processor, see The rules about sharing personal data.

See Q&A 24 for more on measures to take when outsourcing the storage of personal data to a data processor.


Q26: What should I do if my security measures are compromised?

If your security measures have been weakened or compromised, you must assess immediately whether there has been a data breach. A data breach is when a problem with your security leads to personal data being lost, destroyed, changed, or accessed or disclosed without authorisation. Note that this covers a much wider range of events than having your system hacked or a staff member's laptop being stolen. It also includes much less dramatic events, such as personal data being accidentally sent to the wrong person (eg in an incorrectly addressed email), or becoming inaccessible (eg if your storage system gets corrupted and you do not have a backup copy).

If you believe that a data breach may have occurred, it is vital that you are able to respond quickly and effectively. If the data was being processed for use by your business and you were acting as a data controller, you may have to notify the ICO and/or any individuals affected. Failure to notify the ICO when you are required to can result in a fine of up to £8.7 million or 2% of your annual global turnover, whichever is highest.

You do not have to notify the ICO of every data breach. You must notify them if the breach is likely to put the rights and freedoms of the people involved at risk. This requires you to consider every data breach in terms of its likely effects on individuals. For example, if a system containing customers' financial details is hacked, the potential impact on those customers is serious and it is reasonably likely that the details will be used or sold on to unscrupulous third parties, so the ICO should be notified. You can call the ICO on 0303 123 1113 if you think you might need to report a breach. Notification must be made within 72 hours of your becoming aware of it.

You may need to notify the individuals concerned if the breach is highly likely to put their rights and freedoms at risk, which is a higher threshold than for reporting to the ICO. Any such notification must be prompt, but is not subject to the 72-hour time limit for notifying the ICO.

In all cases, you should document your decision so that you can later justify it if needed.

If you think that your business may have been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. The () has produced a 5-point action plan for small businesses to help them respond to and recover from cyber attacks.

For full guidance about how to respond to a data breach, see Obligations when a data breach occurs, and for a summary of the steps you should take after you become aware of a data breach, see Checklist for responding to a data breach.