Introduction to this document

GDPR data protection policy

Our data protection policy statement reiterates the important data protection principles set out in the UK GDPR, outlines how you intend to comply with them and clarifies what rights and obligations an employee has both in relation to their own personal data and when handling other people’s personal data.

Data protection principles

The UK GDPR requires you to comply with six data protection principles in your data processing activities. These say that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • collected only for specified, explicit and legitimate purposes and not further processed in a way that’s incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to those purposes
  • accurate and, where necessary, kept up to date
  • not kept in a form which permits identification of data subjects for longer than is necessary for those purposes
  • processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against loss, destruction or damage.

You not only need to comply with these principles but also you must be able to demonstrate that you comply. This is called the principle of accountability. So, you must implement appropriate technical and organisational measures, including putting in place data protection policies and procedures and providing employee training, to ensure and be able to show that you carry out processing in accordance with the UK GDPR’s requirements.
Our GDPR Data Protection Policy sets out the principles and legal conditions that you, and your staff, must satisfy when processing personal data in the course of your business activities. This includes not only employees’ and other workers’ personal data but also personal data belonging to customers, clients and suppliers. The data protection principles are a central part of our policy statement as it outlines what those principles are and what your procedures are for ensuring that you comply with them. It also includes policy provisions governing the lawful basis for processing, subject access rights, the other rights of data subjects, data protection impact assessments and data retention and erasure. It’s intended to outline both your responsibilities, and the employee’s rights and obligations, in relation to the processing of personal data. That way, employees should clearly understand how to implement the data protection principles and apply them in practice. Finally, we’ve confirmed that a failure to follow data protection requirements is a disciplinary offence. You will need to adapt our policy statement to ensure it reflects the specific operational practices and procedures that you’ve put in place in relation to your data processing activities.