Effective Date: May 2024

GDPR (UK) Compliance Policy



Dr Green is committed to ensuring that all personal data handled by us in the UK is done so in accordance with the Data Protection Laws, its principles and any additional regulations and/or guidance laid out by government or the ICO. 

We are passionate about ensuring the safe, secure, ethical and fair use of all personal data and uphold the highest standards of data handling and processing. Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the Data Protection laws and its defining Principles. 

This document has been written to be appropriate for UK based firms with UK based customers, however, please refer to the section below regarding Brexit and EU based customers. As Dr Green undertakes business in glabally, it has a duty of care to the data of customers from those jurisdictions and therefore will impose the standards outlined in this document for all its data. 


The General Data Protection Regulation (GDPR) (EU)2016/679) was approved by the European Commission in April 2016 and applied to all EU Member States from 25th May 2018. As a ‘Regulation‘ rather than a ‘Directive’, its rules applied directly to the Member States, replacing their existing local data protection laws and repealing and replacing Directive 95/46EC and its Member State implementing legislation. 

Each Member State can also enforce the GDPR’s derogations and certain conditions through their own local legislation, which for the UK takes the form of the Data Protection Act 2018 (DPA18), which replaced the 1998 version. This legislation enacts the UK GDPR into UK law and covers extended data protection and privacy requirements specific to the UK. 

As Dr Green processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (UK GDPR) and DPA18 to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the data protection laws.  


The EU GDPR is an EU Regulation and it no longer applies to the UK.  

However, as Dr Green operates inside the UK (as well as other jurisdictions that this document does not cover – see above regards to implementation), it will need to comply with UK data protection law. The UK GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR. 

The EU GDPR will still apply to any organisations in Europe who send data to the UK.  

The EU GDPR may also still apply directly, if we operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. 

The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although the ICO hopes to continue working closely with European supervisory authorities. 


Purely domestic UK organisations which has all of its customers or key stakeholders based in the UK and is not transferring any personal data outside the UK, will not experience any real change from existing compliance levels, as the UK is adopting the EU’s General Data Protection Regulation (the EU GDPR) into its domestic law from 1 January 2021.  

Privacy terms issued to customers and employees will need to refer to applicable UK legislation, primarily the UK Data Protection Act 2018 (the UK DPA, which refers to and in effect incorporates the EU GDPR). 

Note that, in addition, the Privacy and Electronic Communications Regulations (PECR), which governs email and SMS marketing to consumers and the use of cookies / AdTech, will also continue to apply in the UK. 


Where a UK headquartered business provides services to consumers in the UK and in the EU, customers based in the EU will continue to benefit from the protection of the EU GDPR2 and that is what the UK based business must comply with in relation to them. As stated above, for UK based customers dealing with a UK firm, the UK DPA will apply to them. For UK customers dealing with any EU subsidiaries, the EU GDPR will apply. 

Privacy policies issued to customers need to make it clear which regime covers them, depending on where they are located, and which entity (if applicable) is dealing with them as the relevant data controller. 

Where we are providing services from the UK to customers based in Europe, we may need to appoint an EU based representative to be a point of contact for those customers and for EU based regulators. The EU representative must be in one of the countries where we have customers. If this is applicable, we will seek guidance from the European Data Protection Board (EDPB), the collective body of all EU based regulators. (Also note that under the UK DPA, there is a reciprocal requirement for EU firms to appoint a UK representative if they have customers in the UK).  


The protection of individuals in relation to the processing of personal data is a fundamental right.  

The purpose of the UK GDPR is to ensure that everyone has the right to the protection of personal data concerning him or her.  

The UK GDPR seeks to harmonise protection and ensure the free flow of personal data, providing a strong and clear data protection framework backed by strong enforcement.  

The UK GDPR’s aim is to create trust to allow the digital economy to develop and to ensure people have control of their own personal data. 

The protection of personal data affects us all. 

Any processing of personal data should be lawful and fair. This means it should be transparent to individuals what personal data concerning them is collected, used, shared and processed and to what extent. Information and communication should be in clear and plain language, easy to access and easy to understand. 


The UK GDPR requires that personal data shall be: 

  1. processed lawfully, fairly and in a transparent manner in relation to individuals; 

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; 

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; 

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals; and 

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

The UK GDPR also requires that: 

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles”. 


The UK GDPR expects there to be clear accountability. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the UK GDPR’s emphasis elevates their significance. 

Dr Green is expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances. 

The accountability principle requires Dr Green to demonstrate that it complies with the principles. The UK GDPR states explicitly that: 

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles”.  

Dr Green must document how it complies with the UK GDPR so it can demonstrate this to the ICO, if asked to do so. 


The UK GDPR applies to processing carried out by organisations operating within the UK and to organisations outside the UK that offer goods or services to individuals in the UK.  

It does not apply to certain activities including: 

  • processing covered by the Law Enforcement Directive 

  • processing for national security purposes  

  • processing carried out by individuals purely for personal/household activities with no connection to a professional or commercial activity. 

So, processing carried out by individuals in a personal capacity could include correspondence and the holding of addresses or social networking and would be exempt. However, the UK GDPR does apply to controllers or processors which provide the means for processing the data.  


The UK GDPR applies to: 


A controller determines the purposes and means of processing personal data. 


A processor is responsible for processing personal data on behalf of a controller. 

Processors still have to comply with some aspects of the UK GDPR, for example, maintaining records of processing and they will have a legal liability where they are responsible for any breach. 

Controllers are not relieved of their obligations simply because they pass processing onto a third party to process. The UK GDPR imposes further obligations to ensure contracts with processors comply with the UK GDPR. 


The UK GDPR applies to ‘personal data’.  

This means: any information relating to an identifiable person which can be directly or indirectly identified in particular by reference to an identifier. 

The UK GDPR applies to both automated personal data and manual filing systems.  

The definition provides for a wide range of personal identifiers, for example, name; identification number; location data; online identifiers, reflecting changes in technology and the way organisations now collect information from individuals. The biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of individuals and identify them. 

Similarly, the UK GDPR also covers the concept of ‘pseudonymous data’ – personal data that has been subjected to technological measures (for instance, hashing or encryption).  

Example 1: 

By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual. 

Example 2: 

Names are not necessarily required to identify someone. Simply because we do not know the name of an individual does not mean we cannot identify them. Many people do not know the names of all their neighbours, but they are still able to identify them. 


Some organisations must appoint a Data Protection Officer (“DPO”).  

If we are: 

  • A public authority; or, 

  • An organisation whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale; or,  

  • An organisation that carries out large scale processing of special categories of data such as health records or information about criminal convictions, 

Then we will need to appoint a DPO. However, any organisation can appoint a DPO even if they are not legally required to do so. In doing so, they will need to comply with the DPO rules fully. 

Public bodies and large organisations will easily be able to identify that they need to appoint a DPO. However, it is not always easy for small and medium sized enterprises (SMEs) as the rules are open to interpretation.  


Core activities are defined as the key operations necessary to achieve the controller or processor’s goals, including where the processing of data forms an inextricable part of the activities. 

Many organisations’ core activities are not processing data, however, if the core activity cannot be provided without processing the data then it will be included. 

Example 1:  

A hospital’s core activity is to provide healthcare. However, without processing patient data it cannot provide healthcare safely and effectively. The hospital must designate a DPO. 

Example 2:  

A private security company’s core activity is to carry out surveillance on a number of private shopping centres and public spaces. However, in order to carry out the surveillance Dr Green must process data and so it will be required to appoint a DPO. 

Example 3:  

An organisation processes employee data to pay its employees, and IT data to ensure the security of its systems. These are ancillary activities and would not alone require a DPO to be appointed. 


To trigger the requirement to appoint a DPO, the processing must be carried out on a large scale. The UK GDPR does not define what ‘large scale’ is, however, the following factors should be taken into account: 

  • The number of data subjects concerned either as a specific number or as a proportion of the relevant population 

  • The volume of data and / or the range of different data items being processed 

  • The duration, or permanence, of the processing activity 

  • The geographical extent of the processing. 

Examples of large-scale processing include:  

  • processing of patient data in the regular course of business by a hospital 

  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)  

  • processing of real time geo-location data of customers of an international fast-food chain for statistical purposes by a processor specialised in providing these services 

  • processing of customer data in the regular course of business by an insurance company or a bank 

  • processing of personal data for behavioural advertising by a search engine 

  • processing of data (content, traffic, location) by telephone or internet service providers  

Examples that do not constitute large-scale processing include:  

  • processing of patient data by an individual physician 

  • processing of personal data relating to criminal convictions and offences by an individual lawyer  

If unsure, Dr Green should appoint a DPO as a good practice measure. However, if it chooses to appoint a DPO it must comply with the rules fully.   


SMEs are not exempt for the requirement to appoint a DPO simply because they are a SME. SMEs should consider carefully what their processing activities are, how often / regularly they process data and on what scale. 

If a small organisation regularly and systematically process data for a significant proportion of its customer base then it should consider appointing a DPO. 


An online lender only has 5 members of staff. However, the lender uses software to screen thousands of applications each day to determine whether to accept or decline an application. When applications are accepted, the lender’s core activity is to advance credit and exercise its rights as a lender to recover debt. The lender should consider appointing a DPO or document its reasons for not doing so. 


The DPO’s minimum tasks are defined as: 

  • To inform and advise the organisation and its employees about their obligations to comply with the UK GDPR and other data protection laws. 

  • To monitor compliance with the UK GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits. 

  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.). 

The DPO is not personally responsible for compliance with the UK GDPR; it is the controller or processor which remains accountable at all times 


Employers must ensure that: 

  • The DPO reports to the highest management level of our organisation – i.e. board level. 

  • The DPO operates independently and is not dismissed or penalised for performing their task. 

Adequate resources are provided to enable DPOs to meet their UK GDPR obligations. For example: 

  • Active support of the DPO’s function by senior management  

  • Sufficient time to for DPOs to fulfil their duties  

  • Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate  

  • Official communication of the designation of the DPO to all staff  

  • Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services 

  • Continuous training 


The UK GDPR does not specify the precise credentials a data protection officer is expected to have. 

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing our organisation carries out, taking into consideration the level of protection the personal data requires. 

Dr Green may choose to recruit someone as DPO or it can appoint an existing employee as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. 

We can also contract out the role of DPO externally, for example, to external Compliance Consultants.  

The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. 


Under the UK GDPR there is a provision in the Digital Economy Act, which means it is a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work and, any money the ICO receives in fines will be passed directly back to the Government. 

Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for: 

  • organisations that process personal data only for: 

  • staff administration (including payroll); 

  • advertising, marketing and public relations (in connection with their own business activity); and 

  • accounts and records; 

  • some not-for-profit organisations; 

  • organisations that process personal data only for maintaining a public register; 

  • organisations that do not process personal information on a computer. 

The ICO has a helpful self-assessment tool online that individuals and organisations can use to determine if they need to register: ICO Do I Need to Register? Tool 

Only controllers need to register.  

Currently, firms pay a fee depending on their size. There are 3 tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. 

The tier a firm would fall into depends on: 

  • How many members of staff we have 

  • Our annual turnover 

  • Whether we are a public authority 

  • Whether we are a charity Or 

  • Whether we are a small occupational pension scheme 

(Not all controllers must pay a fee, many can rely on an exemption). 




Tier 1 


Maximum turnover of £632,000 or no more than 10 members of staff 

Annual fee - £40 

Tier 2 

Small and medium organisations  

Maximum turnover of £36m or no more than 250 members of staff 

Annual fee - £60 

Tier 3 

Large organisations 

If we do not meet the criteria for tier 1 or 2 we will pay: 

Annual fee - £2,900 

The ICO will regard all controllers as eligible to pay a fee in tier 3 unless and until they tell the ICO otherwise. 


This includes all employees, workers, office holders and partners. It doesn’t matter where they are based (UK, overseas, both), they must be included. Part-time members of staff count as one member of staff. To calculate the average number working for Dr Green during the financial year: 

  1. Work out, for each completed month of Dr Green financial year, the total number who were members of staff in that month; 

  2. Add together the monthly totals; 

  3. Divide it by the number of months in the financial year.   

If Dr Green does not pay a fee when required to do so, or do not pay the correct fee, it will be breaking the law. The maximum penalty is a £4,350 fine. 


Under the UK GDPR, organisations have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. 

Privacy by design has always been an implicit requirement of data protection that the ICO has consistently championed. It means that privacy and data protection compliance should be a key consideration from the start, for example, when: 

  • Building new IT systems for storing or accessing data; 

  • Developing policy or strategies that have privacy implications; 

  • Embarking on a data sharing initiative; or, 

  • Using data for new purposes. 

It means thinking about what impact a project will have on data subjects and their data and implementing appropriate measures up front to safeguard their data and rights. All too often, data protection is an after-thought or a ‘bolt on’ to projects and initiatives, or even ignored completely, and data protection by design and default seeks to change this. Therefore, data protection should be a key consideration during throughout the lifecycle of any project. 

The benefits of this approach are: 

  • Potential problems are identified at an early stage, when addressing them will often be simpler and less costly. 

  • Increased awareness of privacy and data protection across an organisation.  

  • Organisations are more likely to meet their legal obligations and less likely to breach the UK GDPR. 

Actions are less likely to be privacy intrusive and have a negative impact on individuals.  


Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. 

DPIAs are an integral part of taking a privacy by design approach. 

The UK GDPR sets out the circumstances in which a DPIA must be carried out. 

Data protection impact assessments (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify and reduce the privacy risks of a project. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. 

A DPIA is a process for building and demonstrating compliance.  

The ICO suggests using screening questions to determine whether a project / initiative needs to carry out a DPIA: 

Key Questions 

Our Answer 

DPIA will be a useful exercise 

Will the project involve the collection of new information about individuals? 




Will the project compel individuals to provide information about themselves? 




Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information? 




Are we using information about individuals for a purpose it is not currently used for, or in a way it is not currently used? 




Does the project involve we using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition. 




Will the project result in we making decisions or taking action against individuals in ways which can have a significant impact on them? 




Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private. 




Will the project require we to contact individuals in ways, which they may find intrusive? 



The UK GDPR says that we must carry out a DPIA when: 

  • using new technologies; and 

  • the processing is likely to result in a high risk to the rights and freedoms of individuals. 

The UK GDPR does not require a DPIA to be carried out for every processing operation, which may result in risks for the rights and freedoms of natural persons. The carrying out of a DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. It is particularly relevant when a new data processing technology is being introduced.  

This means that it is open to individual interpretation, however, the Article 29 working party of EU data protection authorities (WP29) published guidelines (adopted within UK GDPR) with nine criteria which may act as indicators of likely high-risk processing: 

The criteria for considering whether processing is likely to result in a high risk, includes: 

  1. Evaluation or scoring 

  2. Automated decision making with legal or similar significant effect 

  3. Systematic monitoring 

  4. Sensitive data or data of a highly personal nature 

  5. Data processed on a large scale 

  6. Matching or combining data sets 

  7. Data concerning vulnerable subjects 

  8. Innovative use or applying new technological or organisational solutions 

  9. Where the processing itself prevents individuals from exercising a right or using a service or contract 

In some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA. If the processing meets two of the criteria, then a DPIA is likely. The more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which we envisage to adopt. 

In cases where it is not clear whether a DPIA is required, a DPIA should be carried out anyway as it is a useful tool to help controllers comply with data protection law. 

If Dr Green is unsure whether it needs to carry out a DPIA further, detailed, guidance can be found via www.ico.org.uk 

If Dr Green existing processing operations are likely to result in a high risk to the rights and freedoms of individuals and there has been a change of the processing risks then a DPIA is needed.  

For example, Dr Green implemented new technology or the data is being used for a different purpose. In other words, a DPIA should not be a one-off, static evaluation; the DPIA requirement provides for continual assessment and improvement over time. 

Under the UK GDPR, non-compliance with DPIA requirements can lead to fines imposed by the ICO. Failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the ICO where required, can result in an administrative fine of up to £8.7m, or up to 2 % of annual turnover, whichever is higher. 

DPIA’s should be carried out prior to the processing. 

The DPIA should be updated throughout the lifecycle of the project. It should be seen as an on-going process.  

A controller is responsible for ensuring the DPIA is carried out. It may, however, be conducted by someone inside or outside of the organisation (e.g. a Compliance Consultant), however, the controller remains ultimately accountable. 

If Dr Green appoints a DPO, it must seek their advice and document any decisions made in the DPIA. The DPO must also monitor the performance of the DPIA. See the DPO responsibilities section for more information. 

If the processing is wholly or partly performed by a data processor then the processor should assist Dr Green in carrying out a DPIA.  

Controllers must also seek the views of data subjects or their representatives, where appropriate. This could be done through, for example: 

  • Staff and customer surveys 

  • Focus groups and forums 

  • Commissioning studies 

Please remember that we need to have a lawful basis for processing any data involved in seeking such views.  

Whilst there is no set format for a DPIA, the UK GDPR sets out the minimum features of a DPIA: 

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller. 

  • An assessment of the necessity and proportionality of the processing in relation to the purpose. 

  • An assessment of the risks to individuals. 

  • The measures in place to address risk, including security and to demonstrate that we comply. 

A DPIA can address more than one project. Publishing a DPIA is not a legal requirement of the UK GDPR, it is the controller´s decision to do so. However, controllers should consider publishing at least parts, such as a summary or a conclusion of their DPIA. 

If, following a DPIA, Dr Green has identified that there are risks that cannot be adequately mitigated then it will need to consult with the ICO. If the risks have been considered as sufficiently reduced by the measures Dr Green has put in place then it does not need to consult the ICO and the processing may proceed.  

Whenever Dr Green cannot find sufficient measures to reduce the risks to an acceptable level (i.e. the residual risks are still high), consultation with the supervisory authority is required. 

The following illustrates the basic principles related to the DPIA in the UK GDPR: 



The UK GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance. 

Associations may draw up codes of conduct relating to the application of the UK GDPR in certain areas and present them for approval by the ICO to oversee data protection compliance. Various provisions of the UK GDPR provide that adhering to an approved code of conduct is a way of demonstrating compliance with the legislation. It is anticipated that such codes will provide an important source of guidance in interpreting the UK GDPR. 

Additionally, certification mechanisms and compliance seals or marks may be developed by various institutions and will be issued by certifying bodies for the purpose of showing compliance by controllers or processors. The certification process will be voluntary and a certificate, once given, will last for three years. 

This is an emerging area and organisations are advised to keep an eye on the landscape within their industry / sector. Before signing up to any code of conduct / certification scheme Dr Green should ensure that it understands what responsibilities it has and what the consequences are for failing to comply. 

The ICO can be contacted at [email protected] if they wish to discuss informally, as part of their development phase, prior to a formal application being submitted. 



The UK GDPR contains explicit provisions about documenting processing activities and the information may need to be provided to the ICO on request. 

 Dr Green must maintain records on several things such as processing purposes, data sharing and retention. It may be required to make the records available to the ICO on request. The ICO refers to this requirement as ‘documentation’. 

Controllers and processors both have documentation obligations. For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities. 

Records must be kept in writing, kept up to date and reflect current processing activities. 

Documenting processing activities is a legal requirement and also helps to demonstrate compliance and support good governance.  

As a controller, Dr Green needs to document the following: 

  • Its name and contact details. 

  • If applicable, the name and contact details of the DPO. 

  • If applicable, the name and contact details of any joint controllers – any other organisations that decide jointly why and how personal data is processed. 

  • The purposes of the processing – why it uses personal data, e.g. customer management, marketing, recruitment. 

  • The categories of individuals – the different types of people whose personal data is processed, e.g. employees, customers, members. 

  • The categories of personal data processed – the different types of information processed about people, e.g. contact details, financial information, health data. 

  • The categories of recipients of personal data – anyone Dr Green shares personal data with, e.g. suppliers, credit reference agencies, government departments. 

  • If applicable, the name of any third countries or international organisations that Dr Green transfers personal data to – any country or organisation outside the UK. 

  • If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations. An exceptional transfer is a non-repetitive transfer of a small number of people’s personal data, which is based on a compelling business need. 

  • If possible, the retention schedules for the different categories of personal data – how long Dr Green will keep the data for. This may be set by internal policies or based on industry guidelines, for instance. 

  • If possible, a general description of Dr Green technical and organisational security measures – the safeguards for protecting personal data, e.g. encryption, access controls, training. 

The ICO has put together a helpful template for documenting controllers’ processing activities.  


Dr Green must have a lawful basis for processing personal data. There are six available lawful bases and which one to use depends on the purpose and the relationship with the individual. 

Most lawful bases require that processing is ‘necessary’. If Dr Green can reasonably achieve the same purpose without the processing, it won’t have a lawful basis.  

The UK GDPR places an emphasis on being accountable for and transparent about lawful bases for processing. 

Dr Green must clearly document its lawful basis so that it can demonstrate compliance and it must now inform people upfront about the lawful basis for processing their personal data. It must be communicated to individuals and ensure included in all future privacy notices. 


Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if Dr Green can reasonably achieve the purpose by some other less intrusive means.                             

It is not enough to argue that processing is necessary because Dr Green has chosen to operate its business in a certain way. The question is whether the processing is a necessity for the stated purpose, not whether it is a necessary part of Dr Green chosen method of pursuing that purpose. 


Joe Smith makes an online purchase, from XYZonlineshopper.com XYZonlineshopper.com processes Mr Smith’s address in order to deliver the goods. This is necessary in order to perform the contract. 

However, the profiling of Mr Smith’s interests and preferences based on items purchased is not necessary for the performance of the contract and XYZonlineshopper.com cannot rely on ‘necessary for the contract’ as the lawful basis for this processing. Even if this type of targeted advertising is a useful part of XYZonlineshopper.com’s customer relationship and is a necessary part of its business model, it is not necessary to perform the contract itself

It doesn’t mean that the profiling is unlawful, it just means that the firm needs to look for a different legal basis.  

The first principle requires that all personal data must be processed lawfully, fairly and in a transparent manner. Processing is only lawful if there is a lawful basis and is can be demonstrated that a lawful basis applies. 

If no lawful basis applies, our processing will be unlawful and in breach of the UK GDPR. Individuals also have the right to erase personal data which has been processed unlawfully. 

The individual’s right to be informed requires Dr Green to provide people with information about its lawful basis for processing.  This means it will need to include these details in a privacy notice. 

The lawful basis for processing can also affect which rights are available to individuals.  

This depends on the specific purposes and the context of the processing. Dr Green should consider which lawful basis best fits the circumstances. It might consider that more than one basis applies, in which case it should identify and document all of them from the start. 

Dr Green must not adopt a one-size-fits-all approach. It may need to consider a variety of factors, including:           

  • What is the purpose – what is trying to be achieved? 

  • Can it reasonably be achieved it in a different way? 

  • Is there a choice over whether or not to process the data? 

For some processing it will be clear what legal basis to use. For example, because of a legal obligation or to perform a contract.  

If processing for other purposes then the appropriate lawful basis may not be so clear cut. In many cases a choice will need to be made between using legitimate interests or consent. We should ask ourself:                                    

  • Who does the processing benefit? 

  • Would individuals expect this processing to take place? 

  • What is our relationship with the individual? 

  • Are we in a position of power over them? 

  • What is the impact of the processing on the individual? 

  • Are they vulnerable? 

  • Are some of the individuals concerned likely to object? 

  • Are we able to stop the processing at any time on request? 

  • We may prefer to consider legitimate interests as our lawful basis  

  • If we wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them then we should consider using legitimate interests as our lawful basis. 

  • However, if we prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), we may want to consider relying on individuals’ consent. 


There are six lawful bases for processing. At least one of these must apply whenever processing personal data:          


Legal Basis 




The individual has given clear consent to process their personal data for a specific purpose. 



The processing is necessary for a contract with the individual, or because they have asked for specific steps to be taken before entering into a contract. 


Legal obligation 

The processing is necessary to comply with the law (not including contractual obligations). 


Vital interests 

The processing is necessary to protect someone’s life. 


Public task 

The processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law. 


Legitimate interests 

The processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.  



The UK GDPR sets a high standard for consent. Often, consent won’t be needed. If consent is difficult, look for a different legal basis.  

Genuine consent means offering real choice and control.  The UK GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires individual (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service. Relying on inappropriate or invalid consent could destroy trust and harm our reputation – and may leave we open to large fines. 

The following table highlights what must and must not be considered / acceptable in relation to consent:  



Consent is the most appropriate lawful basis 

Consent is not the most appropriate lawful basis 

Positive opt-in method 

Use of pre-ticked boxes 

Explicit, clear, specific and unambiguous statements 

Default consent 

Separate from other terms and conditions 

Vague or blanket consents 

Separate consent for separate things 

Consent is a pre-condition of a service 

Name any third party controllers who will rely on the consent 

Penalising individuals who wish to withdraw consent 

Tell people they can withdraw consent and how to do so 

Buried in small print 

Make it easy for people to withdraw consent 


Keep evidence of consent – who, when, how and what we told people 


Review and refresh consent if anything changes 


For employers: take extra care to ensure consent is given freely & avoid over-reliance on consent 


Consider use of privacy dashboards or other preference management tools as good practice 


Act promptly on withdrawals of consent 


Comply with the Privacy and Electronic Communications Regulations (PECR) when sending electronic marketing messages  


Consent is appropriate if real choice and control can be offered to people over how their data is used, and to build their trust and engagement. But if a genuine choice cannot be offered then consent is not appropriate. If Dr Green would still process the personal data without consent, asking for consent is misleading and inherently unfair. 



The UK GDPR says that consent must be freely given; this means giving people genuine ongoing choice and control over how a firm uses their data. 

Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly. 

Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity. 

Explicit consent must be expressly confirmed in words, rather than by any other positive action. 


There is no set time limit for consent. How long it lasts will depend on the context. It should be reviewed and refreshed as appropriate. 


Make a consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include: 

  • Company name; 

  • the name of any third party controllers who will rely on the consent; 

  • why we want the data; 

  • what we will do with it; and 

  • that individuals can withdraw consent at any time. 

Dr Green must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing. 

The ICO has drafted guidance on consent.  


Infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher. 



Example 1: 

A company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies for credit scoring. However, if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of ‘legitimate interests’. So, asking for consent is misleading and inappropriate – there is no real choice. The firm should have relied on ‘legitimate interests’ from the start. To ensure fairness and transparency, the firm should still tell customers this will happen, but this is very different from giving them a choice. 

Example 2: 

A company asks its employees to consent to monitoring at work. However, as the employees rely on the firm for their livelihood, they may feel compelled to consent, as they don’t want to risk their job or be perceived as difficult or having something to hide. A different lawful basis needs to be applied. 


Example 1: 

An individual drops their business card into a prize draw box in a coffee shop. This is an affirmative act that clearly indicates they agree to their name and contact number being processed for the purposes of the prize draw. However, this consent would not extend to using those details for marketing or any other purpose. 

Example 2: 

An individual submits an online survey about their eating habits. By submitting the form they are clearly indicating consent to process their data for the purposes of the survey itself. Submitting the form will not, however, be enough to show valid consent for any further uses of the information. 


Example 1: 

Company A provides the following information to individuals:  

“Email address (optional):  

“We will use this to send we emails about our products and special offers.”  

If someone enters their email address, this is likely to be specific, informed and an unambiguous affirmative act agreeing to such emails – but is arguably still implied rather than explicit consent.  

Example 2: 

Company B uses the following statement instead:  

I consent to receive emails about our products and special offers  

If the individual ticks the box, they will have explicitly consented to the processing. 



A gym runs a promotion that gives members the opportunity to opt in to receiving emails with tips about healthy eating and how to get in shape for their summer holiday that year. As the consent request specifies a particular timescale and end point – their summer holiday – the expectation will be that these emails will cease once the summer is over. The consent will therefore expire. 




Dr Green should document its decision to rely on each lawful basis and ensure that it can justify its reasoning. Appendix 6 contains a checklist to help with this. 


Before processing, document the lawful basis and take care to get it right. Do not swap to a different basis at a later date without good reason. The privacy notice will need to explain the lawful bases for processing as well as the purpose for processing.  

However, if the purposes change, it may be possible to continue processing under the original lawful basis if the new purpose is compatible with the initial purpose (unless the original lawful basis was consent). 

Dr Green must determine our lawful basis before starting to process personal data. It’s important to get this right first time. If, at a later date, it finds that the chosen basis was actually inappropriate, it cannot simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful bases is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.       


A company decided to process on the basis of consent and obtained consent from individuals. An individual subsequently decided to withdraw their consent to the processing of their data, as was their right. However, the company wanted to keep processing the data so decided to continue the processing on the basis of legitimate interests. 

Even if it could have originally relied on legitimate interests, the firm cannot do so at a later date – it cannot switch basis when it realised that the original chosen basis was inappropriate (in this case, because it did not want to offer the individual genuine ongoing control). It should have made clear to the individual from the start that it was processing on the basis of legitimate interests. Leading the individual to believe they had a choice is inherently unfair if that choice will be irrelevant. Dr Green must therefore stop processing when the individual withdraws consent 

If there is a genuine change in circumstances or there is a new and unanticipated purpose which means there is a good reason to review the lawful basis and make a change, the individual will need to be informed and the change documented. 


Processing of special category data or criminal conviction data or data about offences carries a requirement to identify both a lawful basis for general processing and an additional condition for processing. 

Whilst this type of processing is outside the scope of this guide, Dr Green should be aware of these requirements. The additional conditions are held at Appendix 7. If processing this type of data, further guidance should be sought.  


UK GDPR provides certain rights for individuals. 


The right to be informed encompasses the obligation to provide ‘fair processing information’, typically through a privacy notice. 

It emphasises the need for transparency over how personal data is used. 

The UK GDPR sets out the information that should be supplied and when individuals should be informed. 

The information that is required is determined by whether or not the personal data was obtained directly from individuals. See the table below for further information on this. 

The information about the processing of personal data must be:  

  • concise, transparent, intelligible and easily accessible; 

  • written in clear and plain language; and 

  • free of charge. 

The table below summarises the information requirements: 

What information must be supplied? 

Data obtained directly from data subject 

Data not obtained directly from data subject 

Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer 



Purpose of the processing and the lawful basis for the processing 



The legitimate interests of the controller or third party, where applicable 



Categories of personal data 



Any recipient or categories of recipients of the personal data 



Details of transfers to third country and safeguards 



Retention period or criteria used to determine the retention period 



The existence of each of data subject’s rights 



The right to withdraw consent at any time, where relevant 



The right to lodge a complaint with a supervisory authority 



The source the personal data originates from and whether it came from publicly accessible sources 



Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data 



The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences 



When should the information be provided? 

At the time the data are obtained. 

Within 1 month of obtaining the data* 

* If the data is used to communicate with the individual, at the latest, when the first communication takes place; or, if disclosure to another recipient is envisaged, at the latest, before the data is disclosed. 

The ICO has published guidance on how to comply: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/ 

The Article 29 Working Party has published guidelines on transparency: file:///C:/Users/Amanda/Downloads/wp260_enpdf.pdf 


Under the UK GDPR, individuals have a right to access to their personal data so that they can verify the lawfulness of the processing. Individuals have a right to obtain: 

  • confirmation that their data is being processed; 

  • access to their personal data; and 

  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice. 

This information must be provided free of charge. Although, if the request is manifestly unfounded or excessive (particularly if it is repetitive) a ‘reasonable’ fee may be charged. 

If asked to provide further copies of the same information, a reasonable fee may be charged which must be based on the administrative cost to provide it.  

Information must be provided without delay and within one month of receiving the request. 

However, if requests are numerous / complex this may be extended by a further two months as long as the individual is informed within one month of receipt of the request, explaining why the extension is necessary.  

If a (Subject) Access Request (SAR) is received that is manifestly unfounded or excessive, particularly if repetitive a reasonable fee may be charged to provide information or Dr Green may refuse to provide it. 

If refusing to provide the information Dr Green must write to the individual, within one month of receipt of the SAR, explaining why and informing them of their right to complain to the ICO and to a judicial remedy. 

Dr Green must always verify the individual making the request, using reasonable means. 

If a request is made electronically Dr Green should provide the information in a commonly used electronic format. If Dr Green is able to provide access to a secure self-service system that would allow the individual direct access to his/her information, the UK GDPR states that this would-be best practice. However, it recognises this is not feasible for all organisations.  

If Dr Green processes large amounts of data about individuals, it is permitted to ask the individual to specify the information the request relates to. There is no exemption under the UK GDPR for requests for large amounts of data, however, we may consider whether the request is ‘manifestly unfounded or excessive’. 


Individuals are entitled to have their data rectified if it is inaccurate or incomplete.  

Additionally, if the data was disclosed to others each recipient must be contacted to inform them what needs to be rectified unless to do so proves impossible or involves disproportionate effort.  

If the individual asks, the recipients must be disclosed to them. 

A response is required within month, although this can be extended by up to two months for complex requests. 

If Dr Green is not taking action in response to a request for rectification, we it explain to the individual why not and inform them of their right to complain to the ICO and to a judicial remedy. 


Commonly referred to as the ‘right to be forgotten’, the principle enables an individual to request deletion or removal of personal data where there is no compelling reason for its continued processing. 

However, it does not provide an absolute right to ‘be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances: 

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. 

  • When the individual withdraws consent. 

  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing. 

  • The personal data was unlawfully processed (i.e. otherwise in breach of the UK GDPR). 

  • The personal data has to be erased in order to comply with a legal obligation. 

  • The personal data is processed in relation to the offer of information society services to a child. 

Under the UK GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger. 

There are some specific circumstances where the right to erasure does not apply and Dr Green can refuse to deal with a request. 

Dr Green can refuse to comply for one of the following reasons: 

  • to exercise the right of freedom of expression and information; 

  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority. 

  • for public health purposes in the public interest; 

  • archiving purposes in the public interest, scientific research historical research or statistical purposes; or 

  • the exercise or defence of legal claims.  

  • If it disclosed the data to others it must contact each recipient and inform them of the erasure of the data unless to do so proves impossible or involves disproportionate effort.  

  • If the individual asks, Dr Green must disclose the recipients to them. 

  • The UK GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question. 

  • While this might be challenging, if processing personal information online, for example on social networks, forums or websites, we must endeavour to comply with these requirements. 

  • However, there may be circumstances in which an exemption applies, for example: 


  • A search engine notifies a media publisher that it is delisting search results linking to a news report as a result of a request for erasure from an individual. If the publication of the article is protected by the freedom of expression exemption, then the publisher is not required to erase the article. 


Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, Dr Green is permitted to store the personal data, but not further process it. 

Dr Green can retain just enough information about the individual to ensure that the restriction is respected in future. 

Dr Green must restrict processing under the following circumstances: 

  • Where an individual contests the accuracy of the personal data, the processing should be restricted until the accuracy of the personal data can be verified. 

  • Where an individual has objected to the processing (where it was necessary for the purpose of legitimate interests), and Dr Green is considering whether its legitimate grounds override those of the individual. 

  • When processing is unlawful and the individual opposes erasure and requests restriction instead. 

  • If Dr Green no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim. 

If Dr Green has disclosed the personal data in question to others, it must contact each recipient and inform them of the restriction on the processing of the personal data  - unless this proves impossible or involves disproportionate effort. If asked to, Dr Green must also inform the individuals about these recipients. 

Dr Green must inform individuals when it decides to lift a restriction on processing. 



The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. 

It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. 

Some organisations in the UK already offer data portability through the “midata” initiative and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe. 

It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits. 


“midata” is used to improve transparency across the banking industry by providing personal current account customers access to their transactional data for their account(s), which they can upload to a third party price comparison website to compare and identify best value. A price comparison website displays alternative current account providers based on their own calculations. 

The right to data portability only applies: 

  • to personal data an individual has provided to a controller; 

  • where the processing is based on the individual’s consent or for the performance of a contract; and 

  • when processing is carried out by automated means. 

The personal data must be provided in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. 

The information must be provided free of charge. 

If the individual requests it, Dr Green may be required to transmit the data directly to another organisation if this is technically feasible. However, Dr Green is not required to adopt or maintain processing systems that are technically compatible with other organisations. 

If the personal data concerns more than one individual, Dr Green must consider whether providing the information would prejudice the rights of any other individual. 

Dr Green must respond without undue delay, and within one month. 

This can be extended by two months where the request is complex or if a number of requests are received. Dr Green must inform the individual within one month of the receipt of the request and explain why the extension is necessary. 

Where Dr Green is not taking action in response to a request, it must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month. 


Individuals have the right to object to: 

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); 

  • direct marketing (including profiling); and 

  • processing for purposes of scientific/historical research and statistics. 

Individuals must have an objection on ‘grounds relating to his or her particular situation’. If Dr Green process data for legal tasks or legitimate interests, then it must stop processing the data unless it can demonstrate that it has compelling legitimate grounds for the processing, which over-ride the interests, rights and freedoms of the individual, or: 

  • The processing is for the establishment, exercise or defence of legal claims.  

  • is for direct marketing purposes in which case processing must cease as soon as an objection is received. There are no exemptions or grounds to refuse. 

Dr Green must deal with an objection to processing for direct marketing at any time and free of charge. 


The UK GDPR has provisions on: 

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and 

  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process. 

The UK GDPR applies to all automated individual decision-making and profiling and there are additional rules to protect individuals if carrying out solely automated decision-making that has legal or similarly significant effects on them. 

Automated individual decision-making is a decision made by automated means without any human involvement. 

Examples of this include: 

  • an online decision to award an e-card or account; and 

  • a recruitment aptitude test which uses pre-programmed algorithms and criteria. 

Automated individual decision-making does not have to involve profiling, although often it does. 

The UK GDPR definition of profiling is: 

“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”   

Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.   

Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals.  

Based on the traits of others who appear similar, organisations use profiling to: 

  • find something out about individuals’ preferences; 

  • predict their behaviour; and/or 

  • make decisions about them. 

This can be very useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing. 

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms, which require appropriate safeguards.   

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.    

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.   

The UK GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. 

The UK GDPR says: 

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significant affects him or her.” 

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the UK GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.  

A legal effect is something that adversely affects someone’s legal rights. Similarly, significant effects are more difficult to define but would include, for example: 

  • automatic refusal of an online e-account application 

  • e-recruiting practices without human intervention. 

If the processing does not match the UK GDPR (Article 22) definition then it can continue to be carried out. 

But the UK GDPR principles must still be complied with: 

  • Identify and record the lawful basis/es for the processing. 

  • Have in place processes so people can exercise their rights. 

Individuals have a right to object to profiling in certain circumstances. Details of this right must be specifically brought to their attention. 

Carrying out this type of decision-making is only permitted where the decision is: 

  • necessary for the entry into or performance of a contract; or 

  • authorised by UK state law (e.g. for the purposes of fraud prevention or tax evasion); or 

  • based on the individual’s explicit consent. 

For special category data only carry out this processing if: 

  • Dr Green has the individual’s explicit consent; or 

  • the processing is necessary for reasons of substantial public interest. 

Because this type of processing is considered to be high-risk the UK GDPR requires firms to carry out a Data Protection Impact Assessment (DPIA) to show that they have identified and assessed what those risks are and how they will be addressed. 

The UK GDPR also: 

  • requires firms to give individuals specific information about the processing; 

  • obliges firms to take steps to prevent errors, bias and discrimination; and 

  • gives individuals rights to challenge and request a review of the decision. 

These provisions are designed to increase individuals’ understanding of how their personal data might be used. 

Dr Green must: 

  • provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual; 

  • use appropriate mathematical or statistical procedures; 

  • ensure that individuals can: 

  • obtain human intervention; 

  • express their point of view; and 

  • obtain an explanation of the decision and challenge it; 

  • put appropriate technical and organisational measures in place, so that it can correct inaccuracies and minimise the risk of errors; 

  • secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects. 

The EU’s Data Protection Working Party has produced guidance (WP29)3 and if processing data in this way it is strongly advised to review this.  


It is common practice for controllers to engage processors to process personal data on its behalf. 

The UK GDPR states that processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller. 

This means that whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place. 

Controllers have a responsibility to check that their processors are competent to process the personal data in accordance with all the requirements of the UK GDPR. Due diligence should take into account the nature of the processing together with the risks to data subjects. This is because the UK GDPR says that we must only use a processor that can provide “sufficient guarantees” in terms of its resources and expertise to implement technical and organisational measures to comply with the UK GDPR and protect the rights of data subjects.   

As a data controller Dr Green is ultimately responsible for ensuring that personal data is processed in accordance with the UK GDPR. This means that, regardless or the use of a processor, Dr Green may be subject to any of the corrective measures and sanctions set out in UK GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines. 

Unless Dr Green can prove that we are “not in any way responsible for the event giving rise to the damage”, we will be fully liable for any damage caused by non-compliant processing, regardless of its use of a processor. This ensures that the data subject is properly compensated. Dr Green may however be able to claim back all or part of the amount of compensation from the processor, to the extent that it is liable. 

The processor also has some direct responsibilities and liabilities under the UK GDPR. When drawing up and negotiating a contract for data processing, it is good practice to make sure that the processor understands this. 

If using a processor, Dr Green must have a written contract in place.  

The contract must set out the responsibilities and liabilities of both parties. The UK GDPR sets out what must be included in the contract. Currently, no standard clauses have been drafted by the EU or the ICO although this is likely to happen in the future. 

Controllers are liable for their compliance with the UK GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the UK GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available. 

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the UK GDPR and may be subject to fines or other sanctions if they don’t comply. 

Dr Green must be clear about the extent of the processing that it is contracting out and it cannot use very general or ‘catch all’ terms. There is a helpful checklist of things we must include and consider at Appendix 8. 

In addition to the written contract, the processor has the following responsibilities and liabilities under the UK GDPR. Processors must: 

  • only act on the written instructions of the controller; 

  • not use a sub-processor without the prior written authorisation of the controller; 

  • only engage a sub-processor under a written contract; 

  • co-operate with supervisory authorities (e.g. ICO); 

  • ensure the security of their processing; 

  • keep records of processing activities; 

  • notify any personal data breaches to the controller; and, 

  • employ a DPO, if required. 

Processors should also be aware that: 

  • they may be subject to investigative and corrective powers of supervisory authorities; 

  • if they fail to meet their obligations they may be subject to an administrative fine; 

  • if they fail to meet their UK GDPR obligations, they may be subject to a penalty and / or may have to pay compensation. 

Processors which determine the purpose and means of processing (rather than acting on the instructions of the controller) will be considered to be a controller and will have the same liability as a controller.   

If a processor uses a sub-processor it will still remain directly liable to the controller for the performance of the sub-processor’s obligations.  


The UK GDPR imposes restrictions on the transfer of personal data outside the UK, to third countries or international organisations. 

These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined. 

Personal data may only be transferred outside of the UK in compliance with the conditions for transfer set out in the UK GDPR. 

Transfers may be made where the UK has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection – this is known as “adequacy regulations” see footnote 1 above. 

Dr Green may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards may be provided for by: 

  • a legally binding agreement between public authorities or bodies; 

  • binding corporate rules (agreements governing transfers made between organisations within in a corporate group); 

  • standard data protection clauses in the form of template transfer clauses adopted by the Commission; 

  • standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission; 

  • compliance with an approved code of conduct approved by a supervisory authority; 

  • certification under an approved certification mechanism as provided for in the UK GDPR;  

  • contractual clauses agreed authorised by the competent supervisory authority; or 

  • provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority. 

The UK GDPR limits the ability to transfer personal data outside the UK where this is based only on an own assessment of the adequacy of the protection afforded to the personal data.The UK GDPR provides derogations from the general prohibition on transfers of personal data outside the UK for certain specific situations. A transfer, or set of transfers, may be made where the transfer is: 

  • made with the individual’s informed consent; 

  • necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request; 

  • necessary for the performance of a contract made in the interests of the individual between the controller and another person; 

  • necessary for important reasons of public interest; 

  • necessary for the establishment, exercise or defence of legal claims; 

  • necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or 

  • made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register). 

Even where there is no UK decision authorising transfers to the country in question, if it is not possible to demonstrate that individual’s rights are protected by adequate safeguards and none of the derogations apply, the UK GDPR provides that personal data may still be transferred outside the UK. 

However, such transfers are permitted only where the transfer: 

  • is not repetitive (similar transfers are not made on a regular basis); 

  • involves data related to only a limited number of individuals; 

  • is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and 

  • is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data. 

In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals. 



The UK GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. 

Keeping IT systems safe and secure can be a complex task and does require time, resource and specialist knowledge. The measures put in place should fit the needs of the business. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT existing systems. 

The following steps help put in place good security measures to: 

  • Assess the threats and risks to the business 

  • Identify which security controls will help to address those threats, e.g.: 

  • Boundary walls and internet gateways 

  • Secure configuration 

  • Restrict access controls 

  • Malware protection 

  • Patch management and software updates 

  • Ensure data is secured on the move and in the office: 

  • Separate or limit access between network components 

  • Secure data sent by email or post 

  • Prevent untrusted devices connecting to our network 

  • Mobile device policies which staff must follow 

  • Storing servers separately 

  • Baking up data / devices 

  • Clear desk policies 

  • Acceptable use policy 

  • Encrypt data 

  • Remote disable or wipe facility on mobile devices 

  • Restrict employees’ use of own devices  

  • Secure data in the cloud: 

  • Identify what data is stored in the cloud 

  • Consider use of two factor-authentication, especially for remote access to cloud data 

  • Back up data: 

  • Employ easy to use business continuity processes that all employees are aware of 

  • Robust data back-up strategies 

  • Ensure back-ups are not permanently visible to the rest of the network 

  • At least one back-up should be off-site 

  • Train staff: 

  • Train staff to be aware of threats, such as phishing emails & other malware 

  • Alert staff to the risks of posting business activities on social networks 

  • Promote and encourage a good security culture 

  • Keep knowledge up to date 

  • Stay alert: 

  • Check alerts and warning systems regularly 

  • Check our systems to make sure we can identify if there is something there which shouldn’t be 

  • Run regular vulnerability scans and penetration tests 

Document the controls in place and identify where improvements need to be made. Once any improvements are in place, continue to monitor the controls and make adjustments where necessary. 

Refer to the Government’s Cyber Essentials https://www.cyberessentials.ncsc.gov.uk/ initiative. The Cyber Essentials scheme provides businesses small and large with clarity on good basic cyber security practice. By focusing on basic cyber hygiene, Dr Green will be better protected from the most common cyber threats.  

Many small businesses outsource some or all of their IT requirements to a third party. Where this is the case, Dr Green should be satisfied that they are treating data with at least the same level of security. The following steps should be carried out as best practice:  

  • Ask for a security audit of the systems containing data. This may help to identify vulnerabilities which need to be addressed.  

  • Review copies of the security assessments of the IT provider. If appropriate, visit the premises of the IT provider to make sure they are as we would expect.  

  • Check the contracts in place. They must be in writing and must require the contractor to act only on Dr Green instructions and comply with certain obligations of the UK GDPR.  

  • Don’t overlook asset disposal – if using a contractor to erase data and dispose of or recycle IT equipment, make sure they do it adequately. Dr Green may be held responsible if personal data is extracted from its old IT equipment when it is resold. 


The UK GDPR says that personal data should be accurate, up-to-date and kept for no longer than is necessary. Over time large amounts of personal data may have been collected. Some of this data may be out-of-date and inaccurate or no longer useful. 

Decide if the data is still needed. If it is, make sure it is stored in the right place. If holding data that needs to be kept for archive purposes but not regular access, move it to a more secure location. This will help prevent unauthorised access. For data no longer needed, it should be deleted. This should be in line with Dr Green data retention and disposal policies. Specialist software or assistance may be required to do this securely. 

it is good practice to establish standard retention periods for different categories of information, taking account of any professional rules or regulatory requirements that apply. It is also advisable to have a system for ensuring retention periods are kept to in practice, and for documenting and reviewing the retention policy.  

How long to keep personal data depends on the purpose for which it was obtained and its nature. If it continues to be necessary to hold the data (e.g. such as compliance with anti-money laundering law), then it should be retained for as long as that reason applies. On the other hand, information with only a short-term value may have to be deleted within days. 

It may not be necessary to dispose of all data when the relationship with an individual ends. For example, it might be necessary to continue to hold some of their data to confirm that the relationship existed. 

There are a number of legal and professional requirements / guidelines for retaining certain records. For example: 

  • Information needed for tax returns 

  • Information required for audit purposes 

  • Information for health and safety  

  • To comply with financial services regulations 

  • To comply with other statutory requirements such as Proceeds of Crime provisions 

  • Information to defend possible claims or in defence of legal proceedings 

  • Records of data for credit reference purposes 

How long records are required depends on the law, regulatory requirement or other industry guidelines.  

At the end of the retention period, or the life of a particular record, it should be reviewed and deleted, unless there is some special reason for keeping it. Automated systems can flag records for review, or delete information after a pre-determined period. This is particularly useful where many records of the same type are held. 

However, there is a significant difference between permanently deleting a record and archiving it. If a record is archived or stored offline, this should reduce its availability and the risk of misuse or mistake. However, only archive a record (rather than delete it) if it still needs to be held. Be prepared to give subject access to it, and to comply with the data protection principles. If it is appropriate to delete a record from a live system, it should also be deleted from any back-up of the information on that system. 

The word ‘deletion’ can mean different things in relation to electronic data. The ICO has produced detailed guidance which sets out how organisations can ensure compliance when archiving or deleting personal information. 

There are a number of options for securely deleting data but the pros and cons of each must be considered before deciding how best to remove data. 

For example: 

  • Physical destruction 

  • Secure deletion software 

  • Restoring to factory settings 

  • Sending to a specialist 

  • Formatting 

  • Over-writing 

  • Contacting cloud service providers regarding information held in the cloud 



The UK GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO and within 72 hours of becoming aware of the breach, where feasible. 

Dr Green should ensure it has robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not to notify the ICO and the affected individuals. 

Dr Green must also keep a record of any personal data breaches, regardless of whether it is required to notify. 

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. 


Personal data breaches can include: 

  • access by an unauthorised third party; 

  • deliberate or accidental action (or inaction) by a controller or processor; 

  • sending personal data to an incorrect recipient; 

  • computing devices containing personal data being lost or stolen;  

  • alteration of personal data without permission; and 

  • loss of availability of personal data. 

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals. 

The UK GDPR makes clear that when a security incident takes place, we should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required. 

When a personal data breach has occurred, Dr Green will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then Dr Green must notify the ICO without undue delay; if it’s unlikely then Dr Green doesn’t have to report it. However, if Dr Green decides it does not need to report the breach, it will need to be able to justify this decision, so it should be documented. 

In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. The UK GDPR explains that: 

“A personal breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.” 

This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. This therefore needs to be assessed on a case-by-case basis, looking at all relevant factors. 

Example 1: 

An firm’s customer database is stolen. The data contained within the database may be used to commit identity fraud and so would need to be notified given the impact this is likely to have on those individuals who could suffer loss or other consequences. 

Example 2: 

A company lost its staff telephone list. The ICO would not normally need to be identified as the impact is likely to be minimal. 

On becoming aware of a breach, Dr Green should try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen. 

If any of Dr Green sub-processors suffers a breach, then it must inform Dr Green without undue delay as soon as it becomes aware. 


Dr Green (as controller) contracts an IT services firm (as processor) to archive and store customer records. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. As this is a personal data breach, the IT firm must promptly notify Dr Green. Dr Green, in turn, must notify the ICO. 

If we are using a processor, the requirements on breach reporting should be detailed in the contract between Dr Green and the processor. 

A notifiable breach must be reported to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If taking longer than this, the reasons for the delay must be given. 

When reporting a breach, the UK GDPR says we must provide: 

  • a description of the nature of the personal data breach including, where possible: 

  • the categories and approximate number of individuals concerned; and 

  • the categories and approximate number of personal data records concerned; 

  • the name and contact details of the data protection officer (if our organisation has one) or other contact point where more information can be obtained; 

  • a description of the likely consequences of the personal data breach; and 

  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects. 

The UK GDPR recognises that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. The UK GDPR allows organisations to provide the required information in phases, as long as this is done without undue further delay. 

However, the ICO expects organisations to prioritise the investigation, give it adequate resources, and expedite it urgently.  

Example 1: 

Dr Green detect an intrusion into its network and becomes aware that files containing personal data have been accessed, but it doesn’t know how the attacker gained entry, to what extent that data was accessed, or whether the attacker also copied the data from the system. 

Dr Green should notify the ICO within 72 hours of becoming aware of the breach, explaining that it doesn’t yet have all the relevant details, but that it expects to have the results of its investigation within a few days. Once the investigation uncovers details about the incident, Dr Green should give the ICO more information about the breach without delay. 

Dr Green can call the ICO to report a breach on 0303 123 1113. 

If, however, Dr Green has experienced a data breach, needs to report it to the ICO but is confident it has dealt with it appropriately, it may prefer to report it online. It can do so by completing the form at Appendix 9 and emailing it to:  with ‘UK GDPR Breach Notification Form’ in the subject field, or by post to:[email protected] with ‘UK GDPR Breach Notification Form’ in the subject field, or by post to: 

The Information Commissioner’s Office 

Wycliffe House,  

Water Lane,  



SK9 5AF 

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says we must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible. 

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, Dr Green will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, Dr Green will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach. 

If Dr Green decides not to notify individuals, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. The ICO has the power to compel organisation to inform affected individuals if it considers there is a high risk. In any event, Dr Green should document our decision-making process in line with the requirements of the accountability principle. 

Describe, in clear and plain language, the nature of the personal data breach and, at least: 

  • the name and contact details of the DPO other contact point where more information can be obtained; 

  • a description of the likely consequences of the personal data breach; and 

  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects. 

All breaches must be recorded, regardless of whether or not they need to be reported to the ICO.  The UK GDPR requires organisations to document the facts relating to the breach, its effects and the remedial action taken. This is part of the overall obligation to comply with the accountability principle. 

As with any security incident, Dr Green should investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps. 

It is important to be aware that there may be additional notification obligations under other laws. For example: 

  • notify the FCA. 

  • Consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals. 

Failing to notify a breach when required to do so can result in a significant fine up to £8.7 million  or 2 per cent of global turnover.  



A breach affecting individuals in EEA countries will engage the EU GDPR. This means that as part of our breach response plan, we should establish which European data protection agency would be our lead supervisory authority for the processing activities that have been subject to the breach. (For more guidance on determining who our lead authority is, please see the Article 29 Working Party guidance on identifying our lead authority). 


As stated above, Dr Green should ensure that it record all breaches, regardless of whether or not they need to be reported to the ICO. In addition, Article 33(5) requires we to document the facts regarding the breach, its effects and the remedial action taken. This is part of our overall obligation to comply with the accountability principle, and allows us to verify our organisation’s compliance with its notification duties under the UK GDPR. 

As with any security incident, we should investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented. Human error is the leading cause of reported data breaches.  

To reduce the risk of this, consider: 

  • mandatory data protection induction and refresher training; 

  • support and supervising until employees are proficient in their role. 

  • updating policies and procedures for employees should feel able to report incidents of near misses; 

  • working to a principle of “check twice, send once”; 

  • implementing a culture of trust – employees should feel able to report incidents of near misses; 

  • investigating the root causes of breaches and near misses; and 

  • protecting our employees and the personal data we are responsible for. This could include: 

  • Restricting access and auditing systems, or 

  • Implementing technical and organisational measures, e.g. disabling autofill.                                    

As mentioned previously, as part of our breach management process we should undertake a risk assessment and have an appropriate risk assessment matrix to help we manage breaches on a day-to-day basis. This will help we to assess the impact of breaches and meet our reporting and recording requirements. This will provide a basis for our breach policy and help we demonstrate our accountability as a data controller. 

The following isn’t a specific UK GDPR requirement regarding breaches, but we should take them into account when we’ve experienced a breach. 

As a result of a breach an organisation may experience a higher volume of data protection requests or complaints, particularly in relation to access requests and erasure. We should have a contingency plan in place to deal with the possibility of this.  It is important that we continue to deal with those requests and complaints, alongside any other work that has been generated as a request of the breach.  We should also consider how we might manage the impact to individuals, including explaining how they may pursue compensation should the situation warrant it. 


Dr Green understands all regulations and laws made under the Privacy and Electronic Communications Regulations 2003, in respect to any related business activity. 

Dr Green confirms that where individuals are concerned, we will only send direct marketing media (emails, calls or postal), when solicited (given direct prior consent) and will retain proof of all such consent for recording and auditing purposes. 

Where any marketing material is delivered using an automated calling system, it will be done so only with the individual prior consent and any request to remove such consent will be recorded and applied with immediate effect. 

No unsolicited tele-sales or marketing calls will be made where an individual is registered on the TPS (Telephone preference service). 

Any solicited tele-sales or marketing calls made by Dr Green will be in accordance with the below requirements: – 

  • Agents will identify themselves and Dr Green form which they are calling from 

  • Agents will disclose the nature and purpose of the call 

If asked, the agent will provide a valid business address and contact telephone number 

Any sales or marketing emails will: – 

  • identify the name of Dr Green, their trading address and a valid contact number 

  • contain an opt-out request for the individual to unsubscribe to any further emails 

  • comply with regulations 7 and 8 of the Electronic Commerce (EC Directive) Regulations 2002 




  • Review the purposes of all processing activities and select the most appropriate lawful basis (or bases) for each activity. 

  • Confirm processing is necessary for the relevant purpose, and there is no other reasonable way to achieve that purpose. 

  • Decision on which lawful basis applies has been documented to help demonstrate compliance. 

  • Information about the purposes of the processing and the lawful basis for the processing has been set out in our privacy notice. 

  • Special category data: identify a condition for processing and document this. 

  • Criminal offence data: identify a condition for processing and document this. 



As a good practice measure, it should also state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under GDPR and reflect any indemnity that has been agreed 



Report a personal data breach 

Please do not include any of the personal data involved in the breach when completing this form. For example, do not provide the names of data subjects affected by the breach. If we need this information, we will ask for it later. 

If we have already spoken to a member of ICO staff about this breach, please give their name: 

About the breach 

What has happened? 

Tell us as much as we can about what happened, what went wrong and how it happened. 

Was the breach caused by a cyber incident? 

How did we find out about the breach?   

When did we discover the breach?   



When did the breach happen? 



Categories of personal data included in the breach (tick all that apply)   

Data revealing racial or ethnic origin 

Political opinions 

Religious or philosophical beliefs 

Trade union membership 

 Sex life data 

Sexual orientation data 

 Gender reassignment data 

Health data 

Basic personal identifiers, eg name, contact details 

Identification data, eg usernames, passwords 

Economic and financial data, eg credit card numbers, bank details 

Official documents, eg driving licences 

Location data 

Genetic or biometric data 

Criminal convictions, offences 

Not yet known 

Other (please give details below) 


How many data subjects could be affected? 


Categories of data subjects affected (tick all that apply)    





 Customers or prospective customers 



 Vulnerable adults 

 Not yet known 

Other (please give details below) 


Potential consequences of the breach 

Please describe the possible impact on data subjects, as a result of the breach. Please state if there has been any actual harm to data subjects 

What is the likelihood that data subjects will experience significant consequences as a result of the breach?   

Please give details 

(Cyber incidents only) Has the confidentiality, integrity and/or availability of our information systems been affected? 

(Cyber incidents only) If we answered yes, please specify 


(Cyber incidents only) Impact on our organization 

(Cyber incidents only) Recovery time 

If there has been a delay in reporting this breach, please explain why  


Taking action 

Describe the actions we have taken, or propose to take, as a result of the breach   

Include, where appropriate, actions we have taken to fix the problem, and to mitigate any adverse effects, eg confirmed data sent in error has been destroyed, updated passwords, planning information security training. 

Have we told data subjects about the breach?   

Have we told, or are we planning to tell any other organisations about the breach?   

eg the police, other regulators or supervisory authorities. In case we need to make contact with other agencies 

If we answered yes, please specify 


About we 

Organisation (data controller) name   


Registered organisation address 


Person making this report 

In case we need to contact we about this report 



Data protection officer 

Or the senior person responsible for data protection in our organisation 

Same details as above  


Sending this form 

Send our completed form to [email protected], with ‘DPA breach notification form’ in the subject field, or by post to:  

The Information Commissioner’s Office 
Wycliffe House 
Water Lane 
SK9 5AF 

Please note that we cannot guarantee security of forms or any attachments sent by email.  

What happens next? 

When we receive this form, we will contact we within seven calendar days to provide:  

  • a case reference number; and 

  • information about our next steps  

If we need any help in completing this form, please contact our helpline on 

0303 123 1113 (operates 9am to 5pm Monday to Friday).