Frequently Asked Questions

Looking for advice?

Here are some of the questions we see most often, regarding topics such as data protection roles, subject access requests (SARs), and privacy obligations. If you need any further guidance, you can always contact us for help.

Yes — in fact, we offer outsourced DPO services, where we take on the role of DPO for your organisation, ensuring ongoing compliance and serving as a point of contact with regulatory authorities.

Whether your organisation needs a Data Protection Officer (DPO) depends on several factors related to the type of data you process and the scale of your operations. Under the General Data Protection Regulation (GDPR), appointing a DPO is mandatory if:

  1. You are a public authority or body (excluding courts acting in their judicial capacity).
  2. Your core activities involve regular and systematic monitoring of data subjects on a large scale (e.g., tracking individuals online, large-scale processing of personal data for marketing, profiling, etc.).
  3. Your core activities involve processing special categories of data (such as health data, biometric data, or data concerning criminal convictions and offences) on a large scale.

Even if your organisation is not legally required to appoint a DPO, having one can be highly beneficial. A DPO can help ensure that your organisation remains compliant with data protection laws, manage data protection risks, and serve as a point of contact with data protection authorities and individuals whose data you process.

If you’re unsure whether your organisation needs a DPO, DPAS can conduct an assessment to determine your specific requirements and recommend the best course of action.

A Data Protection Impact Assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks of a project. DPAS can support you in conducting DPIAs to ensure that potential privacy risks are addressed before they become issues.

An audit is a process in which your data protection compliance position is examined. As part of this we will examine your policies and procedures, key documents such as DPIAs and your ROPA, your training practices, your data sharing procedures and your individual rights handling (amongst others).

We will talk to individuals within your organisation to determine the level of knowledge, as well as examining key documents. Information will be collated and an Audit Report will be prepared that outlines where compliance is being met, where it is not, and what actions can be taken to improve the compliance position.

If you’re interested in understanding your data protection compliance, DPAS can conduct an audit for you.

Yes, personal data of individuals within the UK can be transferred internationally; however, depending on the country the data is being transferred to, there will be some additional considerations.

When transferring to the United States of America, you will need to check whether the US entity is certified under the UK Extension to the EU-US Data Privacy Framework. 

If no such certification is in place, you may rely on one of two options, which may be used for transfers of data to any country that does not have an adequacy decision:

  1. An International Data Transfer Agreement 
  2. UK Addendum to the EU Standard Contractual Clauses

When making an international transfer of personal data, you should also complete an International Transfer Risk Assessment.

Policies and Procedures set the foundation for what your organisation will do when it comes to looking after personal data, and set out the responsibilities of employees of the organisation, as well as the organisation as a whole. A good document should contain both elements of policy (the what) and procedure (the how).

You should have in place a comprehensive suite of policies, as this is what individuals will refer to should they need information. This can include (but is not limited to) a:

  • Data Protection Policy
  • Data Breach Policy
  • Individual Rights Policy
  • Subject Access Request Policy
  • Acceptable Use Policy
  • Bring Your Own Device/Working From Home Policy
  • DPIA Policy and Procedure
  • Information Security Policy
  • Records Management Policy 
  • Retention Policy

A Record of Processing Activities (ROPA) is a key document that organisations should have when considering data protection and accountability. It is a document that outlines exactly how personal data is being processed within the organisation, where that data is stored, and what measures are in place to keep that data safe. Not only will a ROPA assist in improving transparency and accountability, but it is also a requirement under Article 30 of the UK GDPR.

An Information Asset Register may be contained within the ROPA, or its own standalone document. This outlines an organisation’s information assets, such as the systems/applications that are used to process personal data (such as a CRM or HR management platform). This document is a key way to understand your personal data processing flows, and will help to manage the information assets, and the risks posed to each asset.

In order to process personal data, you must have identified a legal basis that allows you to do so. These are:

  • Consent – the data subject has consented to the processing of their personal data for one or more specific purposes.
  • Contract – the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering the contract.
  • Legal obligation – the processing is necessary for compliance with a legal obligation to which the controller is subject, such as financial obligations.
  • Vital interests – the processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Public interest – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interests – the processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Where the processing involves special category data, additional protection is afforded and therefore an additional Article 9 condition for processing will need to be identified to ensure the processing is lawful.

These are:

  • Explicit consent
  • Employment, social security and social protection (if authorised by law)
  • Vital interests
  • Not-for-profit bodies
  • Made public by the data subject
  • Legal claims or judicial acts
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)
  • Archiving, research and statistics (with a basis in law)

A Senior Information Risk Owner (SIRO) is a member of senior management or the board who is responsible for managing information risks within an organisation. If you are a public sector organisation or are contracted to deliver services under an NHS Contract, you must have a SIRO. The SIRO’s responsibilities include being accountable for the organisation’s information security, information risk management, embedding a culture of good information governance and data protection, and conducting Privacy Impact Assessments/DPIAs.

A Caldicott Guardian is a senior role for an organisation that processes health and social care data, and plays a key role in ensuring that the organisation meets the highest practical standards for keeping personal data safe and protecting the confidentiality of such data. The Caldicott Guardian’s responsibilities include overseeing the protocols for the use and sharing of personal information with other organisations, and helping to ensure compliance with data protection laws such as the UK GDPR.

The SIRO and the Caldicott Guardian will work closely together; however, they are two distinct roles, with differences such as:

  • The SIRO will typically have a broader focus than the Caldicott Guardian, with the SIRO focusing on all information risks in the organisation, and the Caldicott Guardian having a much more specific focus on service-user personal data and confidentiality.
  • The SIRO has more involvement with strategic and operational risk, whereas the Caldicott Guardian has a greater focus on ethical and legal considerations.

An Information Asset Owner (IAO) is an individual who is responsible for the management and security/protection of assets such as databases, documents and systems. Some of the responsibilities include ensuring that access is limited to only authorised users, managing risks associated with assets (such as data breaches), and ensuring each asset is used effectively within the organisation.

The Data Protection Fee is an annual payment to the Information Commissioner’s Office (ICO) and varies from £40 to £60 depending on the size of the business. Large businesses are subject to a fee of £2,900. Paying this fee also ensures that the business is registered with the ICO.

A privacy notice (sometimes called a transparency notice or fair processing notice) is an outward-facing document intended for clients, customers, website visitors, authorities, and other relevant parties. It outlines how the company handles personal data, specifying the types of data collected, the legal basis for processing it, and whether it is shared with third parties.

Typically, a privacy notice details an organisation’s data processing practices and sets expectations for website visitors. It explains how personal data is collected, how long it is retained, the security measures in place to protect it, and how users can exercise their privacy rights in accordance with applicable laws.

While a privacy notice is crucial for addressing the UK GDPR’s transparency principle, having one alone is not enough to demonstrate full compliance.

In a word, YES! Any staff working with, processing or handling personal data must undergo regular GDPR training, and this includes volunteers and temporary staff.

No, they are not. If you collected the information from your clients, then you are responsible for what happens to that information and for the security and confidentiality of that data. You are the data controller, and the organisation hosting that data is purely the storage facility. So it’s up to you to have all the necessary data protection steps in place, for example: do you have consent to keep the information? Have you provided a privacy notice? Are you familiar with your responsibilities?

A Subject Access Request (SAR) is a request from an individual to access the personal data an organisation holds about them. This right is granted under the GDPR and the Data Protection Act 2018.

Organisations typically have one month to respond to a SAR. This can be extended by two months if the request is complex. You must inform the requester if you extend the deadline and record your reasons for doing so.

Individuals can request access to all personal data held by the organisation, including contact details, financial records, correspondence, and more.

Yes, if the request is manifestly unfounded or excessive, or if it affects the rights of others. The organisation must inform the requester of the reasons for the refusal and of their right to complain to the ICO.

Yes, certain exemptions apply, such as data related to crime prevention, legal privilege, or third-party privacy. In such cases, the organisation may withhold the relevant information.

Data redaction involves editing documents to remove or obscure personal data that is not relevant to the SAR or that pertains to third parties. This process ensures that only the requester’s personal data is disclosed while protecting the privacy of others.

Generally, no. However, a reasonable fee can be charged if the request is manifestly unfounded, excessive, or repetitive, to cover administrative costs.

Ensure compliance by verifying the requester’s identity, locating and compiling all relevant data, redacting non-relevant information, and responding within the timeframes.

Implement efficient data management systems, staff training, policies and procedures, and consider outsourcing SAR processing to ensure timely and compliant responses.

If the SAR involves a large amount of data, you will need to carefully review and filter the information to ensure only relevant data is disclosed. Consider using data management and eDiscovery tools, or outsourcing, to handle complex requests efficiently.

Failing to meet the SAR deadline can lead to complaints to the ICO and potential fines. If you anticipate a delay, you must inform the requester within the initial one-month period and provide reasons for the delay.

The data should be provided in a clear, accessible format, such as a PDF or electronic file. If the requester asks for a specific format, you should accommodate their request if possible.

If you need any support with your data protection obligations, get in touch with our expert team.

Either email us at info@dataprivacyadvisory.com, call us on 0203 3013384, or click below to fill in a contact form.