Data Protection

By Andrew Willis
28 Jul 2023

While members of the public may have access to specific information, certain pieces are confidential and protected by the Data Protection Act 2018.

The Act exists to protect the confidentiality of the personal information your organisation collects. Together with the General Data Protection Regulation (GDPR), it forms the basis for how you collect, process and store personal information.

In this piece, we’ll explore the current legislation and highlight the seven guiding principles of data protection. There’s also a template you can use as guidance when creating your own policy.


What is data protection?

Data protection is the set of measures in place to safeguard personal information from compromise, whether through corruption, theft or loss.

As an employer, you have a legal obligation of transparency about how you process, use and store the information you collect.

It’s important to ensure the workforce operates in a way that complies with these laws.

What is the Data Protection Act?

In May 2018, the government replaced the Data Protection Act 1998 with the Data Protection Act 2018. The new Act controls how businesses and government institutions use personal information and supplements the General Data Protection Regulation (GDPR).

According to the Data Protection Act 2018, your employees have the right to know:

  • What data you hold about them.
  • How you use the information.

Employees also have a right to:

  • Have incorrect data corrected.
  • Have their data erased.
  • Restrict or stop the processing of their data.
  • Object to how you use their data.
  • Obtain their data and re-use it for a different purpose (data portability).

If you receive a request for access to personal information, you have one month to provide it.

Where a request is complex, or you receive multiple requests from the same person, you can extend this by a further two months, but you must tell the individual within the first month that you are doing so and why.

There are also instances when you can withhold information from employees or clients. Examples include when the information relates to:

  • The prevention, detection or investigation of a crime.
  • National security.
  • The assessment or collection of taxes.
  • Judicial or ministerial appointments.

In certain circumstances, you’re required to complete a Data Protection Impact Assessment (DPIA) to help you identify and minimise the data protection risks of a project. A DPIA is required:

  • Where the type of processing you carry out is likely to result in a high risk to the rights and freedoms of individuals;
  • Where you carry out systematic and extensive profiling with significant effects; and
  • Where you process special categories of data (previously known as sensitive data) on a large scale.

In it, you’ll:

  • Describe the nature, scope, context and purpose of the processing.
  • Assess the necessity, proportionality and compliance measures in place to identify risks.
  • Identify and assess the risk to individuals.
  • Explore additional measures and support to mitigate the above risks.

Data protection principles

Article 5 of the GDPR sets out seven key principles that lie at the heart of your approach to the processing of personal data.

Rather than providing hard and fast rules, these principles embody the general spirit of the legislation and should underpin your whole approach to data protection. The principles are:

  1. Lawfulness, fairness and transparency.
  2. Purpose limitation.
  3. Data minimisation.
  4. Accuracy.
  5. Storage limitation.
  6. Integrity and confidentiality (security).
  7. Accountability.
Data protection breach examples

You’ll need to recognise what counts as a breach of the regulations in place to protect personal data.

Examples of data protection breaches in the workplace include:

  • Loss or theft of physical notes, computers, mobile devices or USB drives.
  • Unauthorised individuals gaining access to a company computer, email account or network.
  • A break-in where intruders gain access to personnel information kept in unlocked storage.
  • An employee copying contact lists for their own personal use.

Data protection policy template

There’s a free sample data protection policy you can refer to when producing your policy.

This sample covers the data protection principles, procedures and disclosures, as well as your commitment to data protection across all aspects of your business.

Expert support

If you have any further questions relating to data protection or GDPR, speak to a Croner expert on 0800 470 2810.

About the Author

Andrew Willis

Andrew Willis is the senior manager of the Litigation and Employment Department and assumes additional responsibility for managing Croner’s office based telephone HR advisory teams, who specialise in employment law, HR and commercial legal advice for small & large organisations across the United Kingdom.