Data protection assurance

Recommended for first time users. Assess your compliance with data protection law. Includes the eight principle of the data protection act, registration, subject access, and data quality.



Your business has established an appropriate data protection policy.

A policy will help you address data protection in a consistent manner. This can be a standalone policy statement or part of a general staff policy. The policy should clearly set out your organisation's approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy should be approved by management, published and communicated to all staff. The policy should also be reviewed and updated at planned intervals or when required to ensure it remains relevant.


Management responsibility

Your business has nominated a data protection lead.

It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring the data protection policy. Allocating these responsibilities to a data protection lead will help you effectively manage and co-ordinate data protection, and make your business more accountable. The lead should be appropriately skilled and have the necessary authority and resources to fulfil their duties.


Training and awareness

Your business provides data protection awareness training for all staff.

Many data security breaches are accidental and result from insider actions. You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required. Specialist training for staff with specific duties, such as marketing, information security and database management, should also be considered. The regular communication of key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).



Your business has registered with the supervisory authority.

If you process personal data you may need to record the types of data you hold and why on the public register of data controllers. This is called 'registration', which should be renewed and updated annually.


Privacy notices

Your business has made privacy notices readily available to individuals.

The first principle of the DPA requires that you process personal data fairly and lawfully. To ensure the processing is fair you must be transparent about how you intend to use the data. It is good practice to include privacy notices on your website and any forms that you use to collect data. These should clearly explain the reasons for using the data, including any disclosures. The second principle of the DPA requires that you do not process personal data in any manner that is 'incompatible' with your specified purposes. If you want to use personal data for a new or different reason, that was not anticipated at the time of collection, you need to consider whether this would be fair. In practice, you often need to get prior consent to use or disclose personal data for a purpose that is additional to, or different from, the purpose you originally obtained it for.


Responding to subject access requests

Your business has established a process to recognise and respond to individuals' requests to access their personal data.

The sixth principle of the DPA requires that personal data is processed in accordance with individual rights under the DPA. In practice, this means you must be able to recognise and respond to any individual requests or notices in line with your legal obligations. A written data protection policy together with appropriate awareness training can help you to meet these obligations. The most significant of these is the right of access, which gives anyone you hold personal data about the right to request, to see and obtain a copy of the information. You should therefore have a process in place to recognise and respond to requests within statutory timescales.


Data quality and accuracy

Your business has established processes to ensure personal data is of sufficient quality to make decisions about individuals.

The third principle of the DPA requires that personal data is adequate, relevant and not excessive for your purposes. In practice, this means you should avoid collecting data without a legitimate business reason and collect only the minimum required to meet the purposes you need it for and which are specified in your privacy notice. The fourth principle requires that personal data is accurate and, where necessary, kept up-to-date. Personal data is inaccurate if it is factually incorrect or misleading. Where you identify any inaccurate data, make sure you update the records accordingly. You should regularly review information to identify when you need to do things like correct inaccurate records, remove irrelevant ones and update out-of-date ones. Records management policies, with rules for creating and keeping records (including emails) can help.


Retention and disposal

Your business has established a process to routinely dispose of personal data that is no longer required in line with agreed timescales.

The fifth principle of the DPA requires that personal data should not be kept for longer than necessary. In practice, you should identify what types of records or data sets you hold and discard, delete or anonymise personal data as soon as it becomes surplus to requirements. A written retention policy will remind you when to dispose of various categories of data, and help you plan for its secure disposal.


Your business has established an information security policy supported by appropriate security measures.

including the installation, management, operation, public awareness and signage

The seventh principle of the DPA requires that personal data is protected by appropriate security measures. Before you can decide what level of security is right for your business you will need to assess the risks to the personal data you hold and choose the security measures that are appropriate to your needs.



Your business ensures an adequate level of protection for any personal data processed by others on your behalf or transferred outside the European Economic Area.

If you outsource the processing of personal data you will still remain responsible for the data under the DPA. The seventh principle of the DPA requires that you choose an organisation that provides sufficient guarantees about how it will protect the data, and ensure written and enforceable contracts are in place setting out information security conditions. The eighth principle of the DPA requires that you ensure there is an adequate level of protection for personal data transferred to a country or territory outside the European Economic Area. You should consider whether outsourcing involves the transfer of data overseas and whether the recipient will provide adequate protection. You are likely to make such transfers if you use hosted services (including cloud computing solutions) that are based overseas.


Privacy impact assessments

Your business has established a process to ensure new projects or initiatives are privacy-proofed at the planning stage.

Build in privacy considerations at the start of projects or initiatives that involve the processing of personal data. Thinking about privacy early on will reduce risks and avoid costly changes at a later date. It is good practice to conduct privacy impact assessments (PIA) during the development, testing and delivery stages of any project.