Data Protection

If you store personal information on clients, employees or other individuals, you must comply with data protection regulations. We suggest that you review your policies, practices and procedures associated with this kind of data, and regularly review whether it is necessary and appropriate to hold such data, and how it is protected. You may also need to review the terms and conditions that apply to your website.

Data protection principles: law and good practice

  • Personal data should be processed fairly and lawfully, and people whose data you hold should be notified of what is being done with their data
  • Personal data should be used only in accordance with the purposes for which it was collected
  • Personal data held should be adequate, relevant and not excessive (and not just ‘in case it might be useful’)
  • Personal data must be accurate and where necessary kept up to date, with individuals given the ability to update their data, or have it updated, including for marketing communications purposes
  • Personal data must be kept for no longer than is necessary. You should develop a retention policy for personal data and ensure it is enforced.
  • Personal data must be processed in accordance with the rights of data subjects. You should ensure that any requests from individuals for a copy of their data are responded to promptly and the data is provided in a timely manner.
  • Appropriate technical and organisational measures must be established to protect the data from intrusion, wrongful sharing and other types of compromise


  • Personal data – information relating to a living individual.
  • Data subject – the person to whom the data relates.
  • Data subject access request – the right of an individual to request a copy of their data under a formal process and payment of a fee.
  • Data controller – an organisation or body which uses personal data.
  • Processing of personal data – storage, transfer, viewing, access, analysis of personal data.
  • Notification – a formal process of notifying the Information Commissioner’s Office by an organisation of the use of personal data.
  • Sensitive personal data – data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal record.


  • Digital or electronic data (including CCTV images).
  • Data in manual filing systems (paper-based systems), if it is considered to be a structured filing system. A relevant filing system is defined as “a manual file that is well indexed with marked tabs so a particular document within the file is very easy to find”.

General Data Protection Regulation (GDPR)

If you process personal data of European Union (EU) citizens, you must legally comply with the General Data Protection Regulation (GDPR).