How To Create a UK Data Protection Policy

employees learning about data protection policy

Why is a data protection policy important for your organisation? In this widely-research article, we share insights from the Information Commissioner's Office, the UN, the EU, Wired, SHRM and others to help you understand the basics of the 2018 Data Protection Act, the GDPR and what it means for your company’s data protection policy.

What Is the Data Protection Act?

In essence, the Data Protection Act isn’t just one law – it’s several. Here’s a bit of history, based on information from the Information Commissioner’s Office (ICO).

Back in the 1980s, the Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. On the 11th of November 1987, the Data Protection Act came fully into force in the UK.

This isn’t the law that most people who work with personal data are familiar with, though. You’re more likely to know about The Data Protection Act 1998 which was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system which came into force on the 1st of March 2000.

But… don’t get too hung up on that act, either… It was superseded by the Data Protection Act 2018 which updated data protection laws in the UK. This ruling complements the EU’s General Data Protection Regulation (commonly known as GDPR) which came into effect in May of that year and is currently the overarching rule that governs how we use and share data in the UK and beyond (if a company is using or sharing data belonging to citizens of the UK).

How Does This Relate to GDPR?

The GDPR is a beast of a document (containing 99 individual articles). GDPR can be considered as the world’s strongest set of data protection rules. Why is this important? Because it states both individuals’ and organisations’ rights and responsibilities with regards to the data they own and use.

Matt Burgess, Deputy Digital Editor at WIRED says it, "enhances how people can access information about them and places limits on what organisations can do with personal data." Think of it as one data legislation to rule them all.

What Are the Principles of Data Protection?

In essence, both the GDPR and the Data Protection Act 2018 control how personal information is used by companies, organisations and the government. The Data Protection Act 2018 is founded on several data protection principles, which are described below.

This is important because every single person responsible for using personal data should abide by these principles: especially those in HR!

The data protection principles, as listed on the page on the subject, are as follows. People must make sure the information is:

  • Used fairly, lawfully and transparently

  • Used for specified, explicit purposes

  • Used in a way that is adequate, relevant and limited to only what is necessaryaccurate and, where necessary, kept up to date

  • Kept for no longer than is necessary

  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

What Is a Data Protection Policy?

A data protection policy sets out how your organisation deals with data. This includes all the safeguards put in place and how to help people who request access to their data on your systems.

A data protection policy is a document, much like a home office policy or an equal opportunities policy, which outlines certain recommendations for and requirements of your employees. In this case, a data protection policy deals with how you monitor, manage and standardise the use of data. It’s intended to help your company protect and secure the data you use, store and manage.

All Your Employee Data in One Place

Digital Employee File

Maintain clean and secure records of all your employee data with Personio.

Does Your Organisation Need a Data Protection Policy?

While it’s not actually a legal requirement to have a data protection policy in the UK, IONOS explains that all UK-based online companies are required to be open with any users about how their personal data will be used.

They remind us that the Information Commissioner’s Office (ICO) can impose fines on those who don’t comply, or even bring about criminal proceedings if, as they explain, ‘any misleading practices are detected’.

So, if you think there’s a chance someone you employ might collect, disclose or use data without people’s consent and cause damage or distress to that person as a result, you should have a data protection policy!

Why is Data Protection Important for HR?

Data protection isn’t just important for HR: it’s absolutely critical. HR leaders and their team have a responsibility to protect their employees – and that goes for their data, too. In today’s risk-prone environment, when security risks, cyber attacks, phishing attacks and data breaches are increasingly common, HR must have a handle on:

  • Where and how your company’s data (and any data you have relating to individuals) is stored

  • What it’s used for

  • How it is accessed

  • Who can access it

  • Whether it’s used appropriately and, even,

  • When it is deleted

When you think about it, almost every single HR activity uses data: from recruitment to references, employee record-keeping and absence tracking to performance monitoring. It goes further than that, though. HR doesn’t just have the responsibility to keep your employees’ (and applicants’) data safe: it’s the law.

The consequences of noncompliance are dire. SHRM says, “not complying with the U.K.’s data protection law can result in a fine of 17.5 million pounds (approximately 23.47 million USD) or 4 per cent of the company’s total worldwide annual revenue.”

What Does a Data Protection Policy Look Like?

The good news is that a data protection policy doesn’t have to be complicated. Cloudian neatly summarises it by saying a good data protection policy should include:

  • The scope of required data protection,

  • Data protection techniques and policies applied by relevant parties such as individuals, departments, devices, and IT environments,

  • Any applicable legal or compliance requirements for data protection, and

  • The roles and responsibilities related to data protection, including data custodians and roles specifically responsible for data protection activities.

They suggest you should include nine key elements in your data protection policy, including the introduction and scope, definitions, GDPR principles, how you will lawfully process data (based on one of six legal justifications), roles and responsibilities of those handling data, data breach notification procedures, rights of your data subjects, how you will secure your data and keep records of its use and the contact information of the person at your company responsible for data protection (your Data Protection Officer, if you have one).

How Do You Implement a Data Protection Policy?

A data protection policy helps people know what best practice is and reminds them they have an important role to play in keeping your company and its data safe.

That’s why those boring security training sessions are very important. According to a study by IBM, human error is the main cause of 95% of cyber security breaches. HR has a responsibility to make sure that everyone knows they could be an organisation’s biggest weak point, and how to prevent that from happening.

Mandatory training is one way of implementing your data protection policy. Adding it to the staff handbook is another. It’s also important to give staff a short and sweet version of the policy so they can understand the gist, without getting bogged down in the detail. Lastly, it’s also important to tell relevant third parties about your policy, make sure they’re complying with it, or that they have their own protection in place, too.

All Your People Data to Power Decisions

Analytics and Reporting Salary Progression Report

Run custom reports on your entire workforce with Personio.

Should You Be Concerned About Your HR Data?

A small amount of concern is healthy. It prevents us from being complacent.

But humans do still make mistakes. That’s why it’s important to ensure wherever you store your company’s HR information – in a filing cabinet, on a hard drive, on a server or in the cloud –it’s being managed responsibly.

That’s why it’s often reassuring to know that companies like Personio, who can help you look after all your HR processes in one tool. Our practices are based on the legal framework of the European General Data Protection Regulation (EU GDPR) as well as common standards and guidelines such as ISO/IEC 27001 and the principles of basic IT protection (IT-Grundschutz) of the German Federal Office for Information Security (BSI).

You can trust us with your HR processes and your data. Find out more about our approach to data security here.


Secure All Your Employee Data

Digital Employee File