Firstly, what is a data policy?  It is the internal guideline that you will follow when processing data.

You do not have to show this policy to anyone outside your organisation, but you should have terms and conditions written and a privacy policy shown on your website (if you have one) available for any interested party to read.


Basically, your policy only needs to show how you will ensure the principles shown below will be covered within your organisation.

The data policy should identify the type of data collected, why you collect it, why you store it, the length of time you would store it and how you would dispose of it.  The processes underneath the policy will show where the accountability lies within the organisation.  Recent UK data protection legislation has categories like personal data and special category data.  There is also a special mention of information stored about children.

Completing your policy is normally simpler than the above diagram implies, as there is normally a contract between an organisation and an individual (or another organisation) to provide goods or services, so lots of this is easy to define.

Simple, fair and transparent really means making sure that the reason why an organisation has data is clear.  This relates to what is called the legal basis for processing, the "why" if you like: "I have a contract", "I have given consent", and other reasons like this.  The detail of this is the topic of another blog.

Some things are not so easy.  For example, as an employer, there is a legal obligation to provide HMRC with the PAYE data for each employee you have, as well as a contractual relationship between the employer and the employee.  This is an expected complication of being an employer, and having complementary policies is very important.


Storing data is not an exact science as there can be various determinants.  What do I mean?  Well, you'll need to keep any financial data relating to your interaction with a customer for the qualifying period (a minimum of 6 years under HMRC guidelines at the time of writing this blog).  In some cases, how long you actually store data is determined by what your transaction is and what tax you would be liable to pay under HMRC rules.

Other personal information can be kept for an undetermined amount of time where there is an ongoing dispute or legal process.  Your complementary policy (the HR policy in this case) just has to state how, why and when such a thing would come into effect.


You must store special category data more securely than personal data, and appropriate measures must be taken for data relating to children as well.  What "appropriate measures" amounts to is very unclear, but I would suggest that the storage of data relating to children should match that of special category data.  Storing data more securely means using encryption, at a level that is appropriate for an organisation of your size.

The destruction of any personal data must be appropriate to its type, in this case personal or special category data.  Nothing should just be thrown in the bin.  Any organisation can purchase a document shredder easily and cheaply, but the larger an organisation gets, the more careful it is expected to be when destroying data.



There is so much more information available, some of it very detailed.  Please look through the other blogs and see if the information you want is provided.

If not, we would be pleased to answer your enquiry through enquiries@eyebray.com, or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.

