A Data Protection Policy is a key compliance document. It demonstrates commitment from senior management to the delivery of goods, services and support operations in a way that is compliant with data protection legislation. Therefore, it is important that the Data Protection Policy is approved by the board of directors or equivalent senior management team.

It is also a reference for colleagues to access information about the organisation’s key data protection policies and procedures, helping to signpost further information.

The Data Protection Policy should cover roles and responsibilities for data protection compliance and define the ultimate responsibility of the board (or equivalent) for the compliant management of the organisation and delivery of goods and services, and the responsibility of all staff for compliance with relevant policies and procedures. It should indicate the role of the Risk Committee or Risk Manager in monitoring data protection compliance risks and identify the designated Data Protection Officer (where required) or internal contact for further information about data protection.


Roles and responsibilities – have you identified:
• Who is responsible for providing and maintaining secure computing capability?
• Who is responsible for handling exercises of subject rights (eg. Access to data)?
• Who handles requests for access to CCTV and Audio recordings?
• Who should be contacted in the event of a suspected data security breach?
• Who is responsible for liaising with the ICO in the event of a serious data security breach?

Policies and procedures – does your policy signpost other key policies and procedures, particularly:
• for responding to exercise of subject rights
• for releasing CCTV images
• for carrying out DPIAs
• for handling requests for access to CCTV and Audio recordings
• for responding to data security breaches
• for working from home
• for bring your own device
• for document retention
• for business continuity planning
• for disaster recovery