Storing personal data securely

You are likely to store some form of personal data during your business activities, either electronically or in hard copy. This is regulated by law, and failing to meet your legal obligations can result in significant fines. This section will guide you through your obligations, including carrying out an impact assessment, how long you can store data for and how to delete or anonymise it. It will also help you to consider what security measures you need and what to do if those measures fail.

The rules about storing data

  1. Can I store personal data?
  2. Does the personal data I store have to be easy to access?
  3. Do I need to carry out a data protection impact assessment before storing personal data?
  4. Do I need to review my data protection impact assessment once it is done?
  5. Do I need to carry out a data protection impact assessment when using a third party to store personal data?
  6. What if my data protection impact assessment indicates that storage poses a significant risk?
  7. How do I make sure that I am only storing necessary personal data?
  8. Can I store irrelevant data?
  9. Do I need to review the data that I have stored?
  10. How can I store the data in a way that ensures that individuals cannot be identified?
  11. What do I need to do to make sure that the personal data I keep remains accurate?

Data retention

  12. How long can I store personal data for?
  13. Do I have to review my retention periods?
  14. Do I have to tell individuals how long I am storing their personal data for?
  15. Can an individual request that I stop storing their data?
  16. How do I dispose of personal data securely?
  17. Do I have to tell anyone else that I am disposing of an individual's personal data?

Secure data storage

  18. What security measures do I need if I am storing personal data in hard copy?
  19. What security measures do I need when I am storing personal data electronically?
  20. How can I make sure that my equipment for storing personal data electronically is physically secure?
  21. How can I restrict access to personal data that I am storing electronically?
  22. How do I use encryption to store personal data securely?
  23. What cybersecurity measures can I take to store personal data securely?
  24. What security measures do I need if I am outsourcing the storage of personal data (eg to the cloud)?
  25. What are the additional security risks associated with outsourcing data storage?
  26. What should I do if my security measures are compromised?

Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data protection impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form, also produced by the ICO, for use by online services which are directed at, or are likely to be used by, children. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit.
£25 + VAT

Data protection policy

A data protection policy is an internal document providing a framework for how your organisation will comply with its data protection obligations when handling personal data. This includes what expectations you have of your staff when they are processing personal data on your behalf and how different legal obligations should be complied with. It might also be referred to as a data security policy, a data protection statement or a staff data protection policy. Whenever your business processes personal data, you are under strict legal requirements to put in place appropriate measures to ensure that your processing is compliant with data protection law at all times. This template will help you to set out what obligations your staff are under when they are processing any personal data for your business. This policy could form part of your staff handbook or it could be provided as a standalone policy. If you’re looking to produce an entire staff handbook, use our template staff handbook instead. Alternatively, you can purchase this policy as part of the Data protection policy toolkit or the Remote working and cybersecurity toolkit.
£25 + VAT