Privacy compliance checklist

According to the ACC Chief Legal Report 2022, cybersecurity, compliance and data privacy remain the most critical areas for business, with the highest levels of perceived risk involved (supported by the FTI Consulting General Counsel Report 2022).

We have outlined below what we feel are the top 10 areas to help ensure privacy compliance within your business.

  1. Registration and responsibility
    • Ensure you are registered as a data controller at the ICO and have paid the fee
    • Consider whether a Data Protection Officer should be appointed
    • Ensure data compliance is a board level issue
    • Ensure there is accountability and ongoing monitoring
  2. What data do you process?
    • Ensure you know what is included within the scope of “personal data” and “special category data”
    • Undertake a data audit to determine the personal data processed (and refresh periodically)
    • Create and maintain records of your process and findings
  3. Why do you process that data?
    • Establish the specified, explicit and legitimate purposes for processing personal data
    • The most common purposes are performance of a contract, legal obligation, legitimate interest and consent
    • Ensure that any additional steps required to establish the legitimate reason identified are taken, e.g. fully informed and freely given consents are recorded
  4. Minimising data use and retention
    • Ensure personal data processed is relevant and adequate for the legitimate reason identified
    • Ensure data processing is limited to what is necessary
    • Establish how long each category of personal data needs to be retained
    • Have clear retention periods that are applied and checked
  5. Internal procedures and training
    • Written procedures and technology systems should be in place to ensure compliance
    • Ensure training is given to staff on their obligations and what to do in the event of a data breach
    • Consider more detailed training for board and management roles
  6. Providing privacy information
    • Provide information to data subjects on the data processed, the reasons for processing, your security and retention periods and their rights
    • Your privacy notices incorporating this information should be legally reviewed and must cover all data subjects (e.g. customers, suppliers, employees, contractors, etc.)
    • Privacy policies and notices need to be periodically reviewed and updated
  7. Keeping data secure
    • Personal data must be processed in a manner that ensures appropriate security
    • You must ensure you avoid unauthorised or unlawful processing and accidental loss, destruction or damage
  8. Sharing personal data
    • Ensure you know who you share personal data with and why
    • If you export data outside of the UK, make sure the appropriate safeguards are in place and your privacy policy reflects this
  9. Respecting data subjects’ rights
    • Ensure you know about, and have processes in place to handle, data subject access requests and complaints
  10. Thinking about privacy before implementing innovations
    • Think about a Data Protection Impact Assessment (DPIA) if you are planning a new process or project
    • Your internal policies and procedures should cover DPIAs, and staff should be trained to understand when one is necessary and what needs to be done

For further information, please do watch our webinar, which goes into more detail on each area, or contact Cathrine Ripley: [email protected] or Charlotte Burroughs: [email protected].