Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form for use by online services which are directed at, or are likely to be used by, children, which has been produced by the ICO. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit.

Data protection policy

A data protection policy is an internal document providing a framework for how your organisation will comply with its data protection obligations when handling personal data. This includes what expectations you have of your staff when they are processing personal data on your behalf and how different legal obligations should be complied with. It might also be referred to as a data security policy, a data protection statement or a staff data protection policy. Whenever your business processes personal data, you are under strict legal requirements to put in place appropriate measures to ensure that your processing is compliant with data protection law at all times. This template will help you to set out what obligations your staff are under when they are processing any personal data for your business. This policy could form part of your staff handbook or it could be provided as a standalone policy. If you’re looking to produce an entire staff handbook, use our template staff handbook instead. Alternatively, you can purchase this policy as part of the Data protection policy toolkit or the Remote working and cybersecurity toolkit.
Using personal data, policies and record-keeping
Data protection obligations
Q1:What is a data controller?

If you use personal data for the purposes of your own business, for example, when you use staff members' personal details to pay them or customers' personal details to process their orders for your products or services, your role is known as a data controller. For most businesses, most or all of the data processing they carry out is as a data controller.

Whenever your business handles personal data as a data controller, there are various legal requirements that you must comply with. These obligations extend to any form of using, or processing, the data, covering almost anything you may be doing with it (see Q&A 2).

Note that you have fewer obligations if you are dealing with personal data on behalf of someone else and in accordance with their instructions (this role is called a data processor, see Q&A 3); see Q&A 4 for your obligations when handling personal data for someone else.


Q2:If my business is a data controller, what are my data protection obligations?

When using personal data for the purposes of your own business, you must:

  1. be clear from the beginning about why you are collecting personal data and what you intend to do with it. In practice, this can usually be done by including a list of reasons for which you are collecting the data in a privacy policy; see Q&A 20 for more information and Privacy policy for a template policy you can use;

  2. ensure that you only collect and use personal data which is relevant and necessary in order to fulfil the purpose for which you are collecting it;

  3. store any personal data securely and not keep it for longer than necessary, establishing time limits for deleting data or reviewing whether it needs to be deleted (see The rules about storing data for further information);

  4. do what you can to make sure that data you hold is accurate and where necessary, is kept up to date; if you become aware that data you hold is inaccurate then you must erase or amend it without delay;

  5. ensure that you have a lawful reason for processing the data (see Q&A 8 and following for further information);

  6. provide privacy information to individuals about how you will use their data, usually done online through your website (see Q&A 20 for guidance on privacy information, Privacy policy for a template policy and Privacy information for further information on how and when to use it);

  7. if you use cookies on your website, ensure you obtain the relevant consents (see Using cookies for further information about this and Cookie policy for a template policy);

  8. pay a modest annual fee to the ICO if you qualify to do so (see Q&A 36);

  9. have a procedure to be followed if you receive any request from an individual about the data you hold on them (see Policies and procedures for dealing with data subject requests);

  10. have comprehensive policies and procedures in place (see Q&A 6);

  11. devise and implement a data protection impact assessment (DPIA) procedure to use when your data processing is likely to result in a high risk to the rights and freedoms of individuals (see Q&A 39 and following);

  12. consider whether you need to appoint a data protection officer (DPO) or alternatively a member of staff who takes responsibility for data protection matters within your business (see Q&A 46);

  13. provide appropriate training for staff (see Q&A 49);

  14. keep suitable records to demonstrate your compliance with data protection law (see Q&A 50);

  15. create an internal process to deal with any data breach (eg the loss, theft or misuse of personal data in your possession) and train your staff to carry it out (see Obligations when a data breach occurs);

  16. if you wish to share personal data with another person or business, review your agreement with them to ensure it complies with your obligations under the UK GDPR (see Data processing agreements and data sharing agreements); and

  17. if you operate an online service which is likely to be accessed by children, ensure that you comply with the ICO's Age Appropriate Design Code (see Privacy and children).

These obligations are ongoing, so you will need to ensure that you continually keep your processes under review. Adherence to a relevant approved code of conduct or certification scheme can also help you to demonstrate your compliance with data protection law. The ICO has not yet approved any codes of conduct, but you can find a list of approved certification schemes on its website.

Failure to comply with data protection law can have serious financial and reputational consequences for your business, including fines of up to £17.5 million or 4% of your global annual turnover (whichever is higher) in some cases. It is therefore important to take your obligations seriously.


Q3:What is a data processor?

You are a data processor if you are dealing with personal data on behalf of someone else and in accordance with their instructions. For example, you may be hired by another data controller to carry out marketing for it, in which case you will likely be dealing with the personal data of its customers in accordance with its instructions.

See Q&A 4 for an explanation of your business's obligations when acting as a data processor.


Q4:If my business is a data processor, what are my data protection obligations?

Your business has different obligations when acting as the data processor (see Q&A 3) rather than the data controller (see Q&A 1). You will have fewer responsibilities than you have when dealing with personal data that you process for your own purposes (eg your own staff data and your own customer or client lists).

Your chief obligations when acting as a data processor are:

  1. provide appropriate training for staff (see Q&A 49);

  2. keep suitable records to demonstrate your compliance with data protection law (see Q&A 50);

  3. create an internal process to deal with any data breach (eg the loss, theft or misuse of personal data in your possession) and train your staff to carry that process out (see Explaining personal data breaches);

  4. store any personal data securely and do not keep it for longer than necessary (see The rules about storing data for further information);

  5. consider whether you need to appoint a data protection officer (DPO) or alternatively a member of staff who takes responsibility for data protection matters within your business (see Q&A 46); and

  6. if you need to share the data with another person or business, you need to get written permission from the business under whose direction you are using the data (see The rules about sharing personal data for details).

Note that you may also be required to help the person or persons for whom you are processing the data to carry out a DPIA where necessary (see Q&A 39 and following).


Q5:Can I insure against fines for failing to follow data protection law?

Probably not. Fines for breaching your obligations can potentially be very damaging, the maximum amount being £17.5 million or 4% of your annual global turnover, depending on the type of breach.

Even if you can find an insurer who will provide affordable coverage for these fines, any such policy is likely to ultimately prove legally unenforceable if you try to make a claim. The main reason for this is that the fine is intended to have a deterrent effect and if businesses are able to mitigate against the risk of a fine by having insurance, the deterrent effect will be lost.


Q6:What data protection policies does my business need?

If you are a data controller (see Q&A 1), you must put in place the necessary measures to comply with your obligations. This includes putting in place appropriate policies to demonstrate how you comply with those obligations. You must also tell the people whose information you have some key information about what that information is, what you will do with it, how long you will keep it, what their rights are, etc. In most cases, this will mean having appropriate privacy notices setting out this information.

The following documents provide templates for:

  1. a Privacy policy and Cookie policy. These set out the information you are required to give to people about how you will use their data. You can use these templates to produce documents that you can put on your website for your customers or clients. See Privacy and cookies for more information on when and how to use them;

  2. Data protection policy and Staff privacy notice. These policies can be generated individually or as part of our Staff handbook and policies to produce policies suitable for your staff. The data protection policy sets out what responsibilities your staff are under when they are processing personal data, and the staff privacy notice sets out the information you are required to give your staff about how you will use their data.

You can find all the policies you need at Data protection policy toolkit.

Following Brexit, there was a transition period until 31 December 2020, during which time the EU GDPR continued to apply in the UK. Now that the transition period is over, the EU GDPR has been retained in UK law as the UK GDPR. The UK GDPR together with the Data Protection Act 2018 now form the backbone of data protection law in the UK. Whilst the key principles under the UK GDPR remain the same as those under the EU GDPR, there have been some technical amendments to ensure that it works in a UK only context. If you have not done so already, you should review your documentation to identify any references to the EU GDPR or EU law (including to any international data transfers) and make any necessary changes. If you share personal data outside the UK, you should also review any provisions in your documentation about this; see Sharing personal data outside the UK for further guidance.

For your own internal use, you will need to set proper processes to cover at least the following situations:

  1. the way in which you will deal with data retention, accuracy and security (see The rules about storing data for guidance);

  2. the way in which you will deal with requests from individuals about their data (see Policies and procedures for dealing with data subject requests for guidance);

  3. the way in which you will deal with a data breach (see Obligations when a data breach occurs for guidance);

  4. the procedures and rules your staff must follow when carrying out any direct marketing activities (see Direct marketing for guidance); and

  5. how you intend to carry out data protection impact assessments, when necessary (see Q&A 39 and following for guidance).


Q7:How did Brexit affect my data protection obligations?

Now that the Brexit transition period has ended, from 1 January 2021 the EU GDPR has been retained in UK law as the UK GDPR. In practical terms, this means that your key obligations remain the same and you should generally continue to follow existing guidance. Make sure you have reviewed your privacy documentation to make any minor amendments required to ensure that it works in a UK only context (eg by removing any references to EU law) (see Q&A 6).

However, if your business has contacts or customers in the EU or internationally, or it offers goods or services to, or monitors the behaviour of, individuals in Europe, you may need to take additional steps to ensure compliance following Brexit. Bear in mind that you will also need to comply with the EU GDPR as well as the UK GDPR in relation to those data processing activities.

The steps your business will need to take depend on what you do. For example:

  1. Does your business share personal data with organisations outside the UK?

    The end of the Brexit transition period had implications for transfers of personal data to and from the EU and the mechanism that your business can rely on.

    You should check whether the transfer mechanism you relied on before 1 January 2021 is still valid and, if not, consider alternatives. You may need to review your current DPIAs for references to EU law. For more information about what steps you need to take to ensure your data flows outside the UK can continue, see Sharing personal data outside the UK. You should also review your privacy documentation to make sure transfers of personal data outside the UK are properly documented.

  2. Does your business have an office, branch or other establishment in an EU country?

    You must comply with EU GDPR. Find out which European regulator will be your lead supervisory authority for EU GDPR compliance following Brexit (see Data processing agreements and data sharing agreements for more information about lead supervisory authorities).

  3. Does your business have customers in the EU or monitor their behaviour?

    If you do not have a presence in another EU country but you have customers or monitor the behaviour of individuals there, you may be required to appoint a representative in the EU (see Q&A 48).

  4. Are you processing any data that you obtained prior to 1 January 2021?

    This data is called 'legacy data', and until the EU made an adequacy decision for the UK on 28 June 2021, it must have been dealt with in accordance with the EU GDPR as it was at 31 December 2020. Now that an adequacy decision has been made for the UK, this data can be processed in accordance with the UK GDPR, provided the adequacy decision is not repealed or suspended; see Sharing personal data outside the UK for further guidance.


When to use personal data
Q8:When can my business use personal data?

If you are acting as a data controller (see Q&A 1), you can only use personal data if you have one of a limited number of specific reasons for doing so (known as a lawful basis).

There are six of these reasons for using, or processing, data; the four most likely to apply to your business are explained below (note that there are stricter rules if you want to process sensitive personal data (such as data revealing racial or ethnic origin or health data) or data relating to criminal convictions; see Q&A 14 for further information about this).

The specific reasons to use someone's personal data are:

  1. you need to process the data in order to fulfil a contract with the individual (eg an order). See Q&A 9;

  2. you need to process the data because the law requires you to do so (eg paying tax to HMRC). See Q&A 10;

  3. you have a legitimate reason for processing the data. See Q&A 12;

  4. the individual has consented to you using their data. See Q&A 23;

Provided one of these bases applies, you have a right to process the data. However, this is not the end of your obligations when handling personal data. In particular, you must make sure that you also fulfil your obligations listed in Q&A 2.


Q9:Can I use someone's personal data to fulfil an order they have placed?

Yes, you are allowed to use someone's personal data to the extent necessary in order to fulfil a contract with them, or in order to take any steps that they have asked you to take before entering into a contract. For example, you are allowed to use a person's name, billing and delivery address and credit card details in order to fulfil an order that they have placed with you. Or you can use a person's details to prepare a quote that they have requested. Note that you can rely on this reason only if the data is necessary to carry out the contract.

See Q&A 8 for a list of other acceptable reasons to use someone's personal data.


Q11:What does a legitimate interest to use someone's personal data mean?

This is the most flexible basis on which you can use an individual's personal data. You can rely on this basis in many different circumstances. The interests or purpose can include your own commercial interests, or those of a third party. Preventing fraud or highlighting a possible criminal act will also be a legitimate interest.

This basis may also apply when you are using staff or customer personal data. However, before you can rely on legitimate interests as your legal reason, you need to carry out the three-stage test set out in Q&A 12.

See Q&A 8 for a list of other acceptable reasons to use someone's personal data.


Q12:Can I use someone's personal data if I have a legitimate interest in doing so?

Yes, you can use someone's personal data if:

  1. you have a legitimate reason or purpose for doing so (eg to manage your workforce or further your business's commercial interests, see Q&A 11), or if you are disclosing it to someone else who has a legitimate reason; and

  2. it is necessary for you to do so to achieve your purpose. If there is another reasonable way you can do it without using personal data, you cannot rely on having a legitimate interest; and

  3. the individual's interests do not override your reason. Generally, this will mean that you can use this basis if the individual would reasonably expect you to use their data in the way you want to. For example, if a customer stops paying sums due under an agreement and it becomes necessary for you to disclose their data to a debt collection agency in order to recover the sums due, this is likely to be legitimate – the customer should expect it as a consequence of their actions, even though they may not be happy for you to share their data in this way.

See Q&A 8 for a list of other acceptable reasons to use someone's personal data.


Q13:What is sensitive personal data?

Sensitive personal data is:

  1. data which reveals a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;

  2. genetic or biometric data identifying a person, including voice authentication and facial recognition; and

  3. data concerning a person's health, sex life or sexual orientation.

See Q&A 14 for information on using sensitive personal data.


Q14:When can my business use sensitive personal data?

There are strict rules about using sensitive personal data. As an employer, you will generally only be able to do so in the following circumstances:

  1. with the explicit consent from the person concerned (see Q&A 35 for how to get consent);

  2. if the processing is necessary for you to comply with your legal obligations as an employer or to exercise your rights as an employer. 'Necessary' here means that using the sensitive personal data is a proportionate way for you to comply with your legal obligations or exercise these rights. For example, if one of your staff has a physical disability, you have a legal obligation to make reasonable adjustments and in order to do this, you will need to collect sensitive personal data regarding that staff member's health (see Records and staff data for further information about this);

  3. if the processing is necessary to assess the working capacity of your staff. 'Necessary' here means that using the sensitive personal data is a proportionate way for you to assess the working capacity of your staff. If you are relying on this rule about using sensitive personal data (eg for carrying out health checks), the health data must be processed by (or under the supervision of) someone who is under a professional obligation of secrecy (eg a doctor or occupational therapist). See Background checks on job applicants for more information;

  4. where the data has deliberately been made public by the person concerned; or

  5. where the processing is necessary in the context of legal proceedings that are taking place.

If any of the above circumstances apply, you will be able to use sensitive personal data, provided that you have also identified a specific reason (or lawful basis) for doing so (see Q&A 8). However, this is not the end of your obligations when handling sensitive personal data. In particular, you must make sure that you also fulfil your obligations listed in Q&A 15.


Q15:What are my business's data protection obligations for sensitive personal data?

Sensitive personal data carries enhanced obligations. In addition to your general obligations (eg to only keep what data is necessary for your purpose, store it securely and delete it when it is not needed, etc (see Q&A 2)), you must:

  1. keep a written record about your use and storage of any sensitive personal data (note some of this information may already be found in your privacy policy), including:

    1. the name and contact details of your business;

    2. what the sensitive personal data consists of, who it is about and why you need it;

    3. how long you will keep the data;

    4. a brief description of the measures you take to ensure data security; and

    5. if you will share the data with anyone, and if so, who and where they are based if they are outside the UK, together with details of the safeguards you have to ensure that the data is kept securely by them;

  2. provide a copy of these records about your use etc of sensitive personal data to the ICO on request;

  3. you are likely to need to carry out a data protection impact assessment (DPIA), given that processing sensitive personal data is likely to be high risk. The ICO recommends that if you are unsure about whether or not you need to carry out a DPIA when you are processing sensitive personal data, you carry one out anyway. See Q&A 39 and following for more information; and

  4. you may need a specific policy in place (see Q&A 18).


Q16:What are my business's data protection obligations for children's personal data?

Children (ie under-18s) have enhanced protections under data protection law, which you must consider if you will be their data controller. In addition to your usual obligations (see Q&A 1 and following), the steps you must take when processing children's personal data include:

  1. consider carrying out a DPIA if you will be regularly processing children's personal data. You must carry one out if you wish to target children (eg for marketing), use profiling or you offer online products or services which are likely to be used by them (see Q&A 41);

  2. carefully consider whether the lawful basis you are relying on to process personal data is appropriate in the context of children's data. In particular, if you are relying on consent, bear in mind that if you offer services to children under 13 which are delivered over the internet, they cannot give consent themselves – you will need consent from a parent or guardian before you collect or use any of the child's personal data (see Q&A 25);

  3. provide children with privacy information in a clear and easily accessible way (even if you are relying on parental consent to process their personal data) (see Privacy information for further guidance);

  4. do not share children's personal data unless you have a compelling reason to do so (eg for safeguarding purposes), and carry out a DPIA before doing so; and

  5. if it is reasonable and proportionate for you to do so, consider consulting with children about the way in which their data is processed.

There are additional requirements for your business if you operate an online service for remuneration which is directed at, or likely to be used by, children. For further guidance, see Privacy and children.

Full guidance on data protection and children is outside the scope of this service and it is recommended that you speak to a lawyer if you will be routinely processing children's personal data. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.


Q17: Can my business use facial recognition technology?

The use of facial recognition technology, which can scan and recognise faces in a crowd and check for matches within databases of people, is controversial because it results in the collection and use of significant personal data and sensitive personal data. The ICO has advised that for the use of facial recognition technology to be lawful, data controllers must identify a lawful basis and a condition to process relevant data. You must ensure your processing is necessary and proportionate to your objectives, ensure it is fair and justified, and take steps to mitigate any potential biases in your systems to ensure accuracy. Before deciding to use facial recognition in public places, you should complete a DPIA to assess the risks and potential impacts on the rights and freedoms of individuals. Overall, you will need to apply a high level of scrutiny to your use of the technology, as there is a high bar for it to be considered legal. You may also consider contacting the ICO to ask whether your proposed use of the technology is likely to be allowed.


Q18:Do I need a separate policy for sensitive personal data?

Unless you have collected the sensitive personal data with the express consent of the person concerned, because they have made it public, or you are collecting health data to assess the working capacity of your staff, you must also:

  1. have an appropriate, up to date policy explaining why you are entitled to collect and use the sensitive personal data, how you comply with your obligations, how long you will retain the data and how you will store and delete it (see Privacy policy; Staff handbook and policies (where you can choose to generate the policy either on its own or as part of a full staff handbook) or Staff recruitment privacy notice for policy templates you can use that cover sensitive personal data);

  2. provide a copy of your policy on request to the ICO; and

  3. keep a record of whether you are using and storing the sensitive personal data in line with your written policy (and if not, why not).

You will need to keep this policy for at least six months after you stop processing the sensitive personal data in question.

For considerations specific to dealing with health data about job applicants, see Hiring staff.


Q19:When can my business use data about criminal convictions?

You are not allowed to process data relating to criminal convictions or offences unless you are doing so in an official capacity or meet one of a list of special conditions, the most relevant of which is if you need to perform criminal record checks of your staff due to the nature of your business.

For this, you must have a detailed up to date policy explaining how you will collect, use and store the data, together with how long it will be kept for. See Staff recruitment privacy notice for a template providing the necessary information to job applicants on whom you plan to run a criminal records check, and Background checks on job applicants for your full obligations when running a criminal records check.


Q20:What information must I give people about using their personal data?

Assuming you are handling personal data as a data controller (see Q&A 1), you are legally required to provide the below key privacy information about how you use that data to the people whose data it is:

  1. the identity and contact details of your business and of your data protection officer, if you have one;

  2. what personal data you will collect (and where from if you are not getting it from the individual directly), what you plan to do with the person's data and your justification for using it (see Q&A 8 for an explanation of the limited circumstances in which you are allowed to use someone's personal data);

  3. whether individuals are required by law or under contract to provide their personal data, and if there are any consequences if they do not provide it;

  4. details about any plans to share the data (remember that you may also need consent for this; see Q&A 23 for further information about obtaining consent and The rules about sharing personal data for further information about sharing data);

  5. if you plan to keep the data, details about how long you plan to keep it (see Data retention for further information about storing data);

  6. information about individuals' rights, eg the right to:

    1. request access to information held about them and to ask for it to be amended or deleted (see Policies and procedures for dealing with data subject requests for further information about this);

    2. withdraw consent if they have been asked to give it (see Q&A 23 for further information about this); and

    3. complain to the ICO.

You must be transparent about the way in which you handle individuals' personal data. It is common to set out all of the above information in a single document, known as a privacy policy. See Q&A 21 for more information about when to provide your privacy information and Q&A 22 for guidance on how to provide it.


Q21:When must I provide privacy information to individuals whose data I am using?

You must provide individuals whose data you are using with your privacy information at the point at which you collect the data (see Q&A 20 for more information about what privacy information you need to provide). If the personal data that you are using is not provided to you directly by the individual in question (eg because you have bought a marketing list from another business), you will not necessarily be able to provide your privacy information at the point at which you collect the data. In these circumstances, therefore, you must provide your privacy information to the individuals whose data you are using:

  1. within a month of you obtaining the personal data;

  2. if you are using the personal data to communicate with the individual concerned, at the point you first communicate with them, at the latest; or

  3. if you are planning to disclose the personal data to someone else, at the latest, at the point at which you disclose the personal data.

There are some exceptions to the requirement to provide your privacy information when you have received personal data from a third party, which are set out in detail in Key obligations when sharing personal data.

See Q&A 22 for guidance about how to provide your privacy information.


Q22:How should I provide privacy information to individuals whose data I am using?

How you provide your privacy information will very much depend on the way in which you are collecting the personal data, but in all circumstances, the information must be easily accessible, clear, concise and it must be written in plain language.

It is common to set all of the information out in a privacy policy and make it available on your website. See Privacy information and How to tell people about a privacy policy and a cookie policy for how to do this. See also Privacy policy and Cookie policy for templates you can use on your website for your customers or clients. However, it will not always be appropriate to only provide privacy information on your website. For example, if you are collecting personal data from individuals on a paper form (eg a hard copy order form), you should provide your privacy information on the application form itself so that individuals can refer to it as they fill out the form. Equally, if you are collecting personal data over the telephone, you should provide your privacy information over the phone at the same time. For specific guidance about how to provide your privacy information when making sales to customers, see Collecting personal data when selling from a website or app for internet sales, Collecting personal data when selling over the telephone for telesales, Collecting personal data when selling by mail-order for mail-order sales and Collecting personal data when selling from a shop for shop sales.

Note that you cannot discharge your legal obligations by simply putting your privacy and cookie policies in one place (eg on your website) for people to find – you must draw their attention to the relevant parts of it at the time that they give you their personal data. See How to tell people about a privacy policy and a cookie policy for further guidance about how to do this. Equally, if you run an online service (eg a website or app selling goods) which is likely to be accessed by children, you should also comply with the ICO's Age Appropriate Design Code when providing your privacy information. See Privacy and children for further guidance.


ICO registration and fees
Q36:Do I need to register my business with the ICO?

If your business is a data controller, you do not have to register with the ICO but you will likely need to pay a modest fee. If your business is required to pay the fee and fails to do so, the ICO can levy a fine of up to £4,350.

See Q&A 37 for information on when you do not need to pay the fee.


Q37:When is a data protection fee to the ICO not payable?

You do not have to pay the fee if you only process personal data:

  1. without using a computer or other automated means; and/or

  2. for staff administration (eg payroll, disciplinary procedures, managing leave etc); and/or

  3. for advertising, marketing or PR for your own business (note that if you sell or trade your customer list with another business, you will have to pay the fee); and/or

  4. for keeping accounts or records of purchases or sales for your own business.

The ICO has produced an online self-assessment tool to help you determine whether you have to pay the fee or not.


Q38:How much is the data protection fee payable to the ICO?

The fee depends on the size of your business, and there is a £5 discount for paying by direct debit:

Tier 1 (micro businesses): either no more than 10 members of staff, or a maximum turnover of £632,000 in your financial year. Fee: £40 per annum.

Tier 2 (small and medium businesses): either no more than 250 members of staff, or a maximum turnover of £36 million in your financial year. Fee: £60 per annum.

Tier 3 (large businesses): businesses not qualifying as either micro, small or medium. Fee: £2,900 per annum.

When counting members of staff, you must include all employees, workers, office holders and partners in your business and work out an average across the year to take account of any fluctuations. Count the number of staff working for you in each month, add up the totals and divide by 12 to get the average across your financial year.

Following Brexit, the ICO continues to be the supervisory body for data protection in the UK, and businesses are still required to pay the fee where applicable.


Data protection impact assessments
Q39:What is a data protection impact assessment?

A data protection impact assessment (DPIA) is a process set out in the UK GDPR, and carrying one out is mandatory in certain circumstances.

A DPIA involves considering the impact of your proposed processing operations on the protection of personal data, so you can decide whether your processing is necessary and proportionate, bearing in mind any risks to the rights and freedoms of the individuals involved. Where a DPIA is required, you should conduct it before you start processing the data, so that you can assess the likelihood and severity of the risk to individuals' privacy rights and build any risk-reduction measures it suggests into your process.

See Data Protection impact assessment policy for a template internal policy to help you comply with your obligation to carry out a DPIA when necessary.

It is important that a DPIA is carried out when required and done properly, as failure to do so can lead to a fine of up to £8.7 million or 2% of your annual global turnover, whichever is higher.

Note that if Brexit has impacted upon your data activities, you may need to review your DPIAs to ensure that they cover your obligations under the UK GDPR, which has applied in the UK from 1 January 2021. This will be particularly relevant if you carry out any international data sharing outside of the UK. For more information about how Brexit affects your obligations, see Q&A 7.


Q40:Do I have to carry out a data protection impact assessment if I am a data processor?

You do not have to carry out a DPIA if you are a data processor, ie you are processing personal data on behalf of someone else (see Q&A 3), rather than for the purposes of your own business (see Q&A 1). However, you must help the data controller that you are working for to carry out their own DPIA where necessary.


Q41:When must I carry out a data protection impact assessment?

You do not have to do a DPIA for every type of processing you carry out as a data controller (see Q&A 1); one is only legally required when the processing is likely to result in a high risk to the rights and freedoms of individuals. As a data controller, there are some situations in which a DPIA must be carried out; the most likely situations are as follows:

  1. when you are doing something new which is likely to result in a high risk to the individuals in question because you are also planning on processing data on a large scale, such as:

    1. installing a new IT system for storing and accessing personal data; or

    2. installing a new surveillance system or adding new technology to an existing system, such as adding automatic number plate recognition to existing CCTV;

  2. if you intend to track your customers, eg by collecting geolocation data on them;

  3. if you wish to target children (eg for marketing) or you offer online products or services which are likely to be used by them (see Privacy and children for further guidance about your obligations when children are likely to use your online service); or

  4. if you wish to combine, compare or match personal data that you get from lots of different sources (eg in order to build up a profile of a customer's preferences across multiple websites).

There is nothing to stop you from carrying out DPIAs in situations where they are not legally required, and it can be good practice to do so. The ICO strongly recommends you carry out a DPIA if you are in any doubt, and you should record how you reached your decision as to whether or not to carry one out.

The ICO also recommends, as best practice, considering a DPIA if you are carrying out any large scale processing, if you will be profiling or monitoring individuals, or if you will be processing special category data (eg health data) or data belonging to vulnerable individuals. Equally, it suggests carrying out a DPIA before you begin any new project involving the processing of personal data.

For information about how to carry out a DPIA, see Q&A 43, and see Data Protection impact assessment policy for a template internal policy you can use to help you follow the rules.


Q42:What if I should have carried out a data protection impact assessment, but I didn't?

If you are already carrying out the activities listed in Q&A 41 without having done a DPIA, it is best practice to do one now to make sure you are complying with the relevant obligations. The ICO has a helpful DPIA screening checklist, which you can use to help you determine whether or not you should carry out a DPIA. The ICO has also produced a useful Have we written a good DPIA checklist, which will help you to show that you have considered the risks involved in the data processing and that you have complied with your legal requirements.

For information about how to carry out a DPIA, see Q&A 43, and see Data Protection impact assessment policy for a template internal policy you can use.


Q43:How do I carry out a data protection impact assessment?

There is no set legal formula for carrying out a DPIA, since the process is supposed to be flexible in order to fit in with your business's needs and existing processes. DPIAs do not always need to be very complex and lengthy, particularly if you are a small business with limited resources. Every DPIA will be different, depending on your business and the processing you are contemplating. In most cases, you should not need to engage a professional to help you carry out a DPIA. However, if your project is large scale or you consider that it might be particularly high risk, then you should consider engaging a professional with data protection expertise to assist you, and/or consulting the ICO about your plans. When consulting the ICO, you will need to provide details of the processing activity together with the measures and safeguards you have in place to protect privacy rights, and information about the results of your DPIA. The ICO will usually respond to you within eight weeks.

If you have a DPO or other person responsible for looking after data protection matters within your business, that person may well be best placed to take the lead on carrying out your DPIA; see Q&A 46 for further information about appointing such a person. You can appoint whoever you choose within your business if there is someone more suitable, or outsource the process if you would prefer, although you will remain legally responsible for ensuring the DPIA is properly carried out. Note that if you have a DPO, they must at least be consulted as part of the process. You must ensure that any other responsibilities you give to your DPO in relation to your DPIA do not conflict with their ability to carry out this consultation in an independent manner.

See Q&A 44 for the ICO's recommendations for carrying out a DPIA and see Data Protection impact assessment policy for a template internal policy you can use to help you follow the rules.

You do not need to carry out a DPIA in every situation; see Q&A 41 for further information about when you must consider carrying one out.


Q44:What does the ICO recommend for data protection impact assessments?

The key steps recommended by the ICO are as follows (note that, depending on what you propose to do, it may be appropriate for you to consider other matters than those of general application outlined below):

  1. Identify the need for a DPIA

    Consider and record why you think you need to conduct a DPIA, explaining the purpose of the project or task in question and how the use of personal data fits into it.

  2. Describe what data is involved and what you will do with it

    Consider and record:

    1. what sort of personal data you are dealing with, how much there will be (including how many people will be affected and over what sort of geographical area) and where it will come from;

    2. how the data will be collected, used and retained and why;

    3. who will have access to it;

    4. what security measures you will deploy;

    5. how you will comply with any codes of conduct or policies to which you are subject; and

    6. whether the people involved would expect you to use their data in the way proposed.

    Do not forget to mention specifically if any special category data or criminal offence data will be involved (see Q&A 14), and whether the data of any vulnerable groups of people will be involved, eg children.

  3. Consult where appropriate

    Consider whether to carry out any consultation with the people whose data you plan to use. You should consult with them unless there is a good reason not to (eg if it would compromise commercial confidentiality or be impracticable to do so).

    Consider whether to consult with any relevant individuals within your business, your DPO if you have one, or any experts (internal or external), eg in information security. In each case, if you do not think there is a need for consultation, record that fact and say why.

  4. Consider whether the proposed use of the data is necessary and proportionate

    Consider and record the lawful basis on which you are using the personal data (which must be one of the permitted bases, see Q&A 8), and whether the processing helps you achieve your aims or if there is some other way to reach the same outcome without using people's personal data. Think about the benefits to your business and to the individuals whose data is used. Consider and record how you can keep data use to a minimum, keep people informed and safeguard their rights over their personal data. Outline how you plan to make sure that the people actually handling the data do so appropriately, and give particular consideration to any proposed data transfers out of the country.

  5. Conduct a data protection risk assessment

    Consider what impact the activity in question will have on individuals' privacy. This primarily means the impact that the processing will have on the ability of an individual to control, edit, manage or delete information about themselves and decide how it is communicated to others. These rights can be impacted when you collect a large amount of personal information, where you plan to disclose it without consent or where you plan to monitor individuals, for example. The impact can be exacerbated if you keep inaccurate or irrelevant data or hold on to it for too long, if you use it in a way that would not be expected by the individual or if you do not keep the data secure.

    Consider and record the risks to individuals, and the possible impact your use of their data may have. Also think about any risks to your business, such as damage to your reputation and sanctions from the ICO if things go wrong.

    Think of ways to reduce or eliminate the privacy risks that you have identified; you may do this, for example, by using appropriate technology, deciding not to collect particular types of information or not to store it on less secure devices such as laptops, and ensuring staff are properly trained and aware of privacy risks. In most cases, you will not be able to eliminate risks entirely, but you should be able to reduce them to what you consider to be an acceptable level. If you cannot reduce or eliminate a high risk by reasonable means, you will need to consult the ICO before you press ahead with the activity; the ICO has the power to stop processing operations where it considers it necessary.

You need to have an internal procedure in place for carrying out DPIAs when required. See Data Protection impact assessment policy for a template you can use, which includes a schedule on which you can record your DPIA and its outcome.


Q45:What should I do once I have completed a data protection impact assessment?

Once the DPIA is complete, you should get appropriate sign-off for the project from within your business and produce a report summarising the process and the steps taken to reduce risks or the decisions to accept identified risks. Consider publishing the report or other relevant information about the process, to improve transparency and accountability.

Crucially, do not treat your DPIA as a box ticked and just let it lie on file. Implement any steps for reducing or eliminating risk set out in the DPIA, continue to refer to the DPIA throughout the project where appropriate, and monitor any actions which will continue after the DPIA has been completed. It is good practice to record what you can learn from the DPIA for future projects.

You need to have an internal procedure in place for carrying out DPIAs when required. See Data Protection impact assessment policy for a template you can use.


Data protection officers and staff training
Q46:Do I need to appoint a data protection officer?

It is mandatory to appoint a data protection officer (DPO) in some circumstances, although most small businesses will not need to. As such, detailed advice about DPOs is beyond the scope of this service.

Note that, even if you do not need a DPO, it is important to take your data protection obligations seriously and to ensure there are individuals within your business who understand the relevant requirements and will take the lead on ensuring they are followed. Failure to comply with data protection law can have serious financial and reputational consequences for your business, including in the most serious cases fines of up to £17.5 million or 4% of your global annual turnover, whichever is higher.

Businesses must appoint a DPO in the following circumstances:

  1. where your core business activities consist of operations which require regular and systematic monitoring of individuals on a large scale; for example, a large online retailer would qualify if it monitors the searches and purchases of its users to target them with offers and recommendations;

  2. where your core business activities consist of processing special category data or data relating to criminal convictions and offences on a large scale; for example, an insurance company might process health data on a large number of people and would need a DPO.

You must review your operations on an ongoing basis and consider whether or not you do fall within the categories set out above and so will require a DPO. It is particularly important to do this if and when your activities change. The ICO has an online questionnaire to help you decide if you need a DPO or not. If you conclude that you do not require a DPO, you should keep a record of your decision; see Q&A 50 for further information about keeping records. Note that Brexit does not impact upon the requirement to appoint a DPO (see Q&A 48).


Q47:Can I appoint a data protection officer even if I don't need one?

Even if you are not legally required to have a DPO, there is nothing to stop you appointing one on a voluntary basis. However, you must be aware that a voluntarily appointed DPO will be subject to all of the same rules and obligations that a legally required DPO is subject to. This includes the fact that DPOs are required to have expert knowledge of data protection law and practice so that they can advise your business on its obligations and liaise with the ICO, as required. There must be no conflict of interest between their role as a DPO and their other role within the business, so they cannot usually also be the CEO, COO or CFO, for example.

For many businesses, it will not be necessary or desirable to have a DPO. However, you do need to make sure you have staff within your business who have a reasonable level of knowledge about data protection matters and can make sure you comply with your obligations. It is likely to be more suitable to appoint a member or members of staff to be in charge of data protection related issues but not in a DPO capacity. If you do this, you must make sure that it is clear that those members of staff are not formal DPOs and therefore are not subject to DPO requirements; it is therefore important not to give them the title of DPO or refer to them as such in correspondence.


Q48:Do I need to appoint a data protection officer after Brexit?

The requirements for appointing a DPO have not changed following Brexit (see Q&A 46 for guidance about what those requirements are).

However, now that the transition period is over, if you are based in the UK and have no branch or other establishment in an EU country, but you either offer goods or services to individuals in an EU country or monitor the behaviour of individuals in an EU country, then unless your activities are considered to be low risk (eg because they are occasional and do not involve you processing any special category data), you will need to appoint a representative in a relevant EU country. This representative will need to be authorised in writing to act on your behalf in relation to your compliance with the EU GDPR in the EU, including dealing with any supervisory bodies or individuals. As most small businesses are unlikely to require an EU representative, detailed guidance is outside the scope of this service.


Q49:What data protection training do I need to provide for my staff?

As your staff are likely to come into contact with personal data that your organisation holds on a day to day basis, a personal data breach will in many cases come as a result of a mistake or misunderstanding. To minimise this risk, you should ensure that staff receive adequate training about your processes and procedures and are fully aware of your policies; see Q&A 6 for further information about putting policies in place. For example, it may be appropriate to train staff to recognise contact from a person whose data your business holds requesting that it be deleted or amended, or objecting to your use of it.

Make sure that training is refreshed regularly, and check to make sure your staff are complying with your policies. For example, if you discover a data breach in your business, you may need to provide further training to staff to prevent a recurrence.

If you have a DPO, they will usually be in charge of training staff on how to properly handle personal data and data subject requests; if not, the person you have appointed to take responsibility for data protection matters is probably best placed to do so. See Q&A 46 for further information about appointing such a person.

Remember that you can be held responsible for the actions of your staff if they breach data protection law during the course of their employment by you.

Now that the Brexit transition period has ended, you should ensure that key people in your organisation (eg your DPO if you have one) are aware of its impacts and that they keep up to date with guidance issued by the Government and the ICO. In some instances, you may need to consider getting legal advice about how Brexit affects your business's use of personal data. For access to a specialist lawyer in a few simple steps, you can use our Ask a Lawyer service.


Record-keeping
Q50:What data protection records do I need to keep to show I have followed data protection rules?

You must keep certain records to demonstrate your compliance with data protection law, as follows:

  1. consent records. See Q&A 51;

  2. data protection officer records. See Q&A 52;

  3. internal data protection policies. See Q&A 53;

  4. personal data breach records. See Q&A 54;

  5. data protection impact assessments. See Q&A 55;

  6. data processing records. See Q&A 56 and Q&A 57; and

  7. your contracts if you share personal data with another person or business. See Q&A 58.


Q52:What data protection officer records do I need to keep?

If you came to the conclusion that you do not need a DPO, you should record your analysis in order to show that you have properly considered the matter. Since it is mandatory to appoint a DPO in certain situations, you may be sanctioned if your analysis is superficial and you clearly came to the wrong conclusion in failing to appoint a DPO. See Q&A 46 for further information about DPOs.

See Q&A 50 for a list of all the records you need to keep to show that you have complied with data protection law.


Q53:What internal data protection policy records do I need to keep?

Assuming you are handling personal data as a data controller (see Q&A 1), you are required to put in place the necessary measures to comply with your obligations, and in most cases this will mean putting in place a policy or policies which set out what these measures are; see Q&A 6 for further information about this, Data protection policy for a template internal policy (which you can produce individually or as part of our Staff handbook and policies), Privacy policy for a template privacy policy and Cookie policy for a template cookie policy. You should maintain and update master copies of your policies, archiving any out of date versions rather than destroying them.

See Q&A 50 for a list of all the records you need to keep to show that you have complied with data protection law.


Q54:What records on personal data breaches do I need to keep?

Where a personal data breach occurs, you are required to keep a record of it, whether or not you have to report it to the ICO. Your record must include the facts of the breach, its effects and the remedial action you have taken.

See Obligations when a data breach occurs for further information about your legal obligations in the event of a personal data breach. See also Template personal data breach register for a template internal register on which you can keep your records.

See Q&A 50 for a list of all the records you need to keep to show that you have complied with data protection law.


Q55:What records on data protection impact assessments do I need to keep?

You will need to keep a record of any DPIAs you carry out, including any conclusions and proposals. See Data Protection impact assessment policy for a template internal policy that will help you to keep records.

For more information on DPIAs, see Q&A 39 and following.

See Q&A 50 for a list of all the records you need to keep to show that you have complied with data protection law.


Q56:What data processing records do I need to keep if I am a data controller?

If your organisation has fewer than 250 employees, you are only legally required to maintain records of what you do with personal data if:

  1. the processing is something which is likely to result in a risk to the rights and freedoms of individuals (this may include, eg, profiling your customers or transfers of data outside the UK);

  2. the processing is not just occasional (this is likely to include personal data relating to your staff which you use regularly to administer their contracts or manage them, or perhaps the personal data of customers, eg if they have opted in to receiving marketing messages from you and you send them out regularly); or

  3. the processing includes special category data such as medical records, or data relating to criminal convictions and offences, eg if you carry out health checks as part of your recruitment process or if a member of staff has been signed off work sick for a period of time (see Q&A 14 for further information about when and how you can use these).

In any of these circumstances, as a general rule, if you are a data controller (see Q&A 1), you must record:

  1. the name and contact details of your business and your DPO (if you have one);

  2. the name and contact details of your representative (if you have one; see Q&A 48 for more information);

  3. the name and contact details of any joint controllers (if applicable), ie any other organisations that decide jointly with you why and how personal data is processed;

  4. the purposes for which you are processing the personal data (eg administering staff, marketing to customers);

  5. the categories of people whose data you are using (eg staff, customers etc);

  6. the categories of personal data you process (the different types of information you process about people, eg contact details, financial information, health data);

  7. if you are sharing the data with other parties, who you are sharing it with (eg government departments such as HMRC);

  8. if applicable, what safeguards you have in place for 'exceptional transfers' of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people's personal data which is based on a compelling business need;

  9. if possible, how long you will keep the different categories of personal data for; and

  10. if possible, a record of what safeguards you have in place to protect personal data (eg technical security measures, staff training etc).


Q57:What data processing records do I need to keep if I am data processor?

If you are a data processor (see Q&A 3), as a general rule you must document:

  1. the name and contact details of your business, your DPO (if you have one) and the name and contact details of each data controller you are processing the data for;

  2. the name and contact details of your representative (if you have one) and/or the controller's representative (if they have one); see Q&A 48 for more information about representatives;

  3. what sort of data processing you do for them (eg marketing or IT services);

  4. the name of any third countries or international organisations that you transfer personal data to (if applicable);

  5. what safeguards you have in place for 'exceptional transfers' of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people's personal data which is based on a compelling business need; and

  6. if possible, a record of what safeguards you have in place to protect personal data (eg technical security measures, staff training etc).

See Q&A 50 for a list of all the records you need to keep to show that you have complied with data protection law.


Q58:What contract records do I have to keep if I share personal data?

You must have a written contract in place if you share personal data with someone else who processes it on your behalf, eg if you use an outside contractor to manage your payroll or IT services. Keep copies of these contracts, which should include suitable provisions to ensure any personal data is properly protected (see Data processing agreements and data sharing agreements for information about what these contracts must contain).

See Q&A 50 for a list of all the records you need to keep to show that you have complied with data protection law.