Data protection basics

Take five guide - Data protection basics   

Any organisation that processes personal data is under a legal obligation to store it securely, to only hold it for legitimate reasons and to be transparent about how it is handled. Here are five basics every business needs to know.


1. Understand how data flows in and out of your business

It’s essential to understand how data is handled in your organisation. You should have a complete picture of the flow of data, including how it is collected and where from, why the data is needed, how long it is kept and which third parties it is sent to.

To help you track data processing, there are helpful templates on the Information Commissioner Office’s website – find them at data


2. Know why you process personal data

Every time you collect, store or share personal data, you must have a legitimate reason for doing so. There are six legal basis – these are:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
  • Vital interests: the processing is necessary to protect someone’s life
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or those of a third party. This applies unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Some data, known as Special Category Data, requires specific protection because of its sensitivity. This includes information about race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life or orientation.

Businesses must rely on additional legal basis to protect this data – among these are the explicit consent of the subject, or health or social care reasons.


3. Be sure data is secure

All personal data should be adequately protected, and you must ensure your business has security measures appropriate to the sensitivity of the personal data that you hold. The more sensitive the data, the more secure it must be.

Systems to protect data may include secure off-site backup, strong passwords and multi-factor authentication, training for staff on identifying phishing and cyber attacks, secure wi-fi and internet connections and the limiting of access to data only to those who need it.


4. Be transparent about the data you hold

You must inform people about why their data is collected, and how it is processed and stored.

The best way to do this is to have an up-to-date privacy policy which ideally should be displayed on your organisation’s website.

This will tell people why their data is gathered and stored in the first place, to which third parties it is transferred and how long it is kept for. Basically, it should summarise the information in points 1 and 2 above.

You should also have an internal privacy notice to inform your staff what you do with their personal data as their employer.


5. Be prepared to respond to Data Subject Access Requests

Any individual whose data is held by an organisation (a Data Subject) has the right to find out what personal information that organisation (a Data Controller) holds on them. This request is known as a Data Subject Access Request (DSAR). 

This right allows them: 

  • to obtain confirmation a data controller is processing their personal data 
  • to access their personal data 
  • to obtain certain other information about the processing and their rights – such as the right to rectification or erasure of certain information, or the right to complain to the Information Commissioner’s Office 

It is important that you familiarise yourself with DSARs, how to spot them and your legal obligations if you receive one. For example, you must respond within one month of receiving a DSAR. In certain circumstances it is possible to extend the period for up to an additional two months, but the initial response explaining the necessity for the extension must still be sent within the first month. 

Find out more about DSARS in our article Responding to DSARs here


Would you like to know more?

 Thrings Business Growth helps businesses thrive by providing practical business advice from commercial specialists.


Thrings legal take five guides