Data protection – How to build a culture of good policy and practice

4th October 2021

Barry Spriggs
Data Protection Officer at Wilson James



Where to start?


Data Protection Policy


Building a great culture and awareness around data protection starts with getting the basics right; in this case an initial data protection policy. This provides guidance to everyone in the enterprise about what is expected from staff and what assurances the business gives about how personal data will be treated.


Publish and promote it. Don’t forget to make your organisational colleagues aware of the policy by proper publication and signposting. Your policy should provide assurance, leaving no doubt that personal data will be treated with the utmost respect and confidentiality in line with the data protection principles.


Retention Policy


So, you have made a start and the board has approved your data protection policy. What’s next? You need to build a comprehensive data retention policy that allows all areas of the business to understand how long personal data items should be kept and, crucially, when they should be deleted. Moving forward, this amounts to more than just the usual HR/Finance items. Don’t forget that with an O365 environment you can put in place great auto-delete features on MS Teams chats and emails. As we all know, fewer emails around means fewer data breaches and fewer items to redact in the subject access request process. Ultimately, good data control includes compliant deletion as much as retention.


Awareness raising and training


Think of your staff. It is no good having great policies if you don’t implement some simple awareness raising or training. Make the effort to ensure all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date. The regulator, the Information Commissioner’s Office (ICO), states that ‘all’ staff should receive training.


The truth is that every colleague is a link in the data protection chain and should know their role in protecting your organisation from breaches or improper retention.


Privacy by design and default


You’re doing great so far. But hang on, IT, in cahoots with HR, has commissioned a new system that involves personal data and hasn’t told you. The worst thing is that the go-live date is next week!


The truth is that these days all improvement programmes should ensure that IT and Procurement are on board from the planning stages, in keeping with the whole privacy by design theme. They need to involve data protection at the outset so that your DPO can ensure that the new system can indeed service all the rights of a data subject. It really isn’t going to be good having to tell the ICO that you didn’t know about the system when there’s a data breach. No one wants to be the one to tell the board that a fine or other action is on the way, especially since carrying out a Data Protection Impact Assessment (DPIA) is mandatory in some cases.



Rights of a Data Subject – that includes you!


A business must ensure that it can service all the rights of a data subject. The most common of these is the right of access. As everyone becomes more aware of how valuable personal data is, this right is becoming widely used and will only become more popular as we move along the data journey. People want to know what personal data a business holds on them. Ensure you have an efficient process in place to facilitate this. All the personal data you collect on staff or customers must be accessible to them on request. This can be very time consuming and resource intensive if good procedures are not in place.


Am I done?


Not quite. Don’t forget your Privacy Notices, Record of Processing Activity (ROPA), Data Breach procedures, International Data Transfers and Cookie Policy to name but a few.



What’s coming up in 2022?


The Covid-19 aftermath


All in all, 2021/2 will hopefully turn devastation into much needed growth and prosperity, but the data protection challenges ahead will test the resilience that we have all learnt to practise in 2020. How do we manage our staff Covid data? Will Covid passports be brought in? Can we share our staff Covid status? How do we share securely? Data breaches involving health data are far from becoming simple: organisations should be planning now for an increasingly complex set of requirements with more vigorous oversight from industry bodies. The growth of technology in all its forms has been key to withstanding the shock of the pandemic, but this means that individuals and organisations need to be more mindful than ever of what data they hold and why.


The growth of representative actions


An added touch of drama for data protection professionals will result from often unexpected legal actions claiming damages derived from data protection infringements. Opportunist tactics will become more sophisticated as representative actions mature. So, privacy and data protection litigation will become a new and active field to explore. The new PPI is here… Just ask British Airways what defending a class action over a data breach involves.



Who can help?


Appointing a suitably qualified Data Protection Officer (DPO) will help you and your business navigate all this work. This is mandatory in some circumstances. If you do not have the right member of staff for this work, you can always outsource your DPO requirements. This is a procedure accepted by the ICO and is particularly useful for small businesses that may not have the resource for a full-time DPO. The outsourced DPO carries out all the requirements under the Data Protection Act 2018 and UK GDPR.