Using personal data, policies and record-keeping

This section provides a general overview of your obligations and the circumstances in which you can legally use personal data. This includes helping you to create suitable policies, understanding when you will need to carry out an impact assessment or appoint a data protection officer, what training you need to provide and the records you are required to keep.

Data protection obligations

  1. What is a data controller?
  2. If my business is a data controller, what are my data protection obligations?
  3. What is a data processor?
  4. If my business is a data processor, what are my data protection obligations?
  5. Can I insure against fines for failing to follow data protection law?
  6. What data protection policies does my business need?
  7. How did Brexit affect my data protection obligations?

When to use personal data

  8. When can my business use personal data?
  9. Can I use someone's personal data to fulfil an order they have placed?
  10. Can I use someone's personal data if the law requires me to?
  11. What does a legitimate interest to use someone's personal data mean?
  12. Can I use someone's personal data if I have a legitimate interest in doing so?
  13. What is sensitive personal data?
  14. When can my business use sensitive personal data?
  15. What are my business's data protection obligations for sensitive personal data?
  16. What are my business's data protection obligations for children's personal data?
  17. Can my business use facial recognition technology?
  18. Do I need a separate policy for sensitive personal data?
  19. When can my business use data about criminal convictions?
  20. What information must I give people about using their personal data?
  21. When must I provide privacy information to individuals whose data I am using?
  22. How should I provide privacy information to individuals whose data I am using?
  23. Do I need consent to use personal data?
  24. How do I get consent to use personal data?
  25. Can children give me consent themselves to use their data over the internet?
  26. Do I have to keep a record of the consents I have received to use personal data?
  27. How do I explain clearly what the consent to use personal data is for?
  28. How do I get people to actively give their consent to use their personal data?
  29. How do I make sure the consent request to use personal data is separate from other information?
  30. How do I make sure someone is not pressured into giving consent to use their personal data?
  31. How do I tell people they are free to withdraw their consent to use their personal data?
  32. Do I need consent to use personal data for direct marketing?
  33. Do I need consent to share personal data with other businesses?
  34. Do I need consent to use sensitive personal data?
  35. How do I get consent to use sensitive personal data?

ICO registration and fees

  36. Do I need to register my business with the ICO?
  37. When is a data protection fee to the ICO not payable?
  38. How much is the data protection fee payable to the ICO?

Data protection impact assessments

  39. What is a data protection impact assessment?
  40. Do I have to carry out a data protection impact assessment if I am a data processor?
  41. When must I carry out a data protection impact assessment?
  42. What if I should have carried out a data protection impact assessment, but I didn't?
  43. How do I carry out a data protection impact assessment?
  44. What does the ICO recommend for data protection impact assessments?
  45. What should I do once I have completed a data protection impact assessment?

Data protection officers and staff training

  46. Do I need to appoint a data protection officer?
  47. Can I appoint a data protection officer even if I don't need one?
  48. Do I need to appoint a data protection officer after Brexit?
  49. What data protection training do I need to provide for my staff?

Record-keeping

  50. What data protection records do I need to keep to show I have followed data protection rules?
  51. What data protection consent records do I need to keep?
  52. What data protection officer records do I need to keep?
  53. What internal data protection policy records do I need to keep?
  54. What records on personal data breaches do I need to keep?
  55. What records on data protection impact assessments do I need to keep?
  56. What data processing records do I need to keep if I am a data controller?
  57. What data processing records do I need to keep if I am a data processor?
  58. What contract records do I have to keep if I share personal data?

Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form for use by online services which are directed at, or are likely to be used by, children, which has been produced by the ICO. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit.
£25 + VAT

Data protection policy

A data protection policy is an internal document providing a framework for how your organisation will comply with its data protection obligations when handling personal data. This includes what expectations you have of your staff when they are processing personal data on your behalf and how different legal obligations should be complied with. It might also be referred to as a data security policy, a data protection statement or a staff data protection policy. Whenever your business processes personal data, you are under strict legal requirements to put in place appropriate measures to ensure that your processing is compliant with data protection law at all times. This template will help you to set out what obligations your staff are under when they are processing any personal data for your business. This policy could form part of your staff handbook or it could be provided as a standalone policy. If you’re looking to produce an entire staff handbook, use our template staff handbook instead. Alternatively, you can purchase this policy as part of the Data protection policy toolkit or the Remote working and cybersecurity toolkit.
£25 + VAT