Data Protection Policy
A data protection policy establishes the principles, obligations, and operational requirements governing how an organisation collects, processes, stores, and shares personal data. The policy translates regulatory requirements into organisational commitments and practical guidance, creating accountability structures that ensure compliance with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and equivalent legislation in jurisdictions where the organisation operates.
- Personal data: Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
- Special category data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sex life or sexual orientation. This category requires additional protections and explicit consent or specific legal bases for processing.
- Processing: Any operation performed on personal data, whether automated or manual, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- Data subject: The identified or identifiable natural person to whom personal data relates.
- Controller: The entity that determines the purposes and means of processing personal data. The organisation acts as controller for personal data it collects and processes for its own purposes.
- Processor: An entity that processes personal data on behalf of a controller. Processors act only on controller instructions and hold specific obligations under data protection law.
- Data Protection Officer: The designated individual responsible for informing and advising on data protection obligations, monitoring compliance, cooperating with supervisory authorities, and acting as contact point for data subjects.
Policy scope
This policy applies to all personal data processed by the organisation regardless of the data subject’s location, the processing location, or the storage medium. Paper records containing personal data fall within scope alongside electronic systems. Data processed by third parties on the organisation’s behalf remains the organisation’s responsibility; processor arrangements do not transfer accountability.
The policy binds all individuals processing personal data in connection with organisational activities. Employees, contractors, volunteers, interns, consultants, and partner organisation staff with access to organisational data operate under these requirements. Obligations commence at the point of data access and persist beyond the termination of the individual’s relationship with the organisation; confidentiality and non-disclosure requirements survive indefinitely.
Geographic scope extends to all jurisdictions where the organisation operates or where data subjects are located. When the organisation processes data concerning individuals in the European Economic Area, GDPR applies regardless of the organisation’s location. Processing data about individuals in the United Kingdom invokes UK GDPR and the Data Protection Act 2018. Organisations operating across multiple jurisdictions must identify the applicable regulatory framework for each processing activity and apply the most protective requirements when frameworks conflict.
Mission-driven organisations process personal data across diverse contexts that create particular compliance considerations. Beneficiary data collected during programme delivery, donor data supporting fundraising operations, staff data enabling employment relationships, and partner data facilitating collaboration each invoke distinct purposes, legal bases, and retention requirements. The policy framework must accommodate this diversity while maintaining consistent protection standards.
Data protection principles
Seven principles form the foundation of lawful data processing. Every processing activity must demonstrably comply with each principle. The organisation bears responsibility for compliance and must be able to demonstrate that compliance through documentation, technical measures, and organisational controls.
Lawfulness, fairness, and transparency
Processing must have a valid legal basis, operate fairly with respect to data subjects, and occur transparently. Lawfulness requires identifying and documenting a specific legal basis before processing begins; retrospective justification does not satisfy this requirement. Fairness prohibits processing that would be unexpected, prejudicial, or deceptive given the context in which data was collected. Transparency requires providing clear, accessible information about processing activities to data subjects at the point of collection and through ongoing availability of privacy notices.
The fairness requirement carries particular weight for mission-driven organisations working with vulnerable populations. Power imbalances between organisations and beneficiaries can undermine genuine consent and create processing that appears lawful but operates unfairly. Staff must consider whether data subjects would reasonably expect the processing, whether they have meaningful choice, and whether the processing could cause harm or disadvantage.
Purpose limitation
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes. The specified purpose must be documented before collection occurs. Subsequent processing must align with the original purpose or fall within recognised compatible purposes such as archiving in the public interest, scientific research, or statistical analysis.
Purpose creep represents a significant compliance risk. Data collected for programme monitoring cannot subsequently support fundraising without establishing a new legal basis and providing appropriate notice. Organisations must resist the temptation to extract additional value from existing data sets without verifying compatibility with collection purposes.
Data minimisation
Processing must be limited to personal data that is adequate, relevant, and limited to what is necessary for the specified purposes. Adequacy requires collecting sufficient data to achieve the purpose; inadequate data fails to serve legitimate objectives and introduces inaccuracy risks. Relevance requires a clear connection between each data element and the processing purpose. Necessity prohibits collecting data that might prove useful but is not required.
Minimisation applies throughout the data lifecycle, not solely at collection. Derived data, enriched profiles, and analytical outputs must each satisfy necessity tests. Access controls implement minimisation operationally by restricting data visibility to individuals with legitimate need.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Organisations must take reasonable steps to ensure inaccurate data is erased or rectified without delay. The accuracy obligation extends to corrections initiated by data subjects; rectification requests require prompt response and implementation.
Accuracy requirements scale with risk. Health data informing medical decisions demands higher accuracy standards than marketing preferences. Data influencing significant decisions about individuals, such as programme eligibility determinations, must undergo verification appropriate to consequence severity.
Storage limitation
Personal data must be kept in identifiable form only as long as necessary for the purposes for which it was collected. Retention periods require documented justification linked to processing purposes, legal requirements, or legitimate organisational needs. Data must be securely deleted or anonymised when retention periods expire.
The Data Retention and Records standard specifies retention periods by data category. This policy establishes the principle; that standard provides implementation detail. Staff must not retain personal data beyond specified periods regardless of storage convenience or speculative future utility.
Integrity and confidentiality
Processing must ensure appropriate security of personal data, protecting against unauthorised or unlawful processing, accidental loss, destruction, or damage. Security measures must be appropriate to the risk, considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing alongside risks to data subject rights and freedoms.
The Information Security Policy specifies technical and organisational security measures. This policy establishes the protection obligation; that policy provides implementation controls. Security failures that result in personal data breaches trigger the notification obligations addressed in the breach notification section below.
Accountability
The controller must be responsible for, and able to demonstrate compliance with, all data protection principles. Accountability requires not merely complying but proving compliance through documentation, policies, procedures, training records, audit trails, and privacy impact assessments. The organisation cannot claim compliance without evidence supporting that claim.
Accountability mechanisms include maintaining processing records, conducting data protection impact assessments for high-risk processing, implementing appropriate technical and organisational measures, appointing a Data Protection Officer where required, and establishing data protection by design and default. These mechanisms create the evidential foundation for demonstrating compliance to supervisory authorities, data subjects, and stakeholders.
Lawful bases for processing
Every processing activity requires a valid legal basis from the six bases established in GDPR Article 6. The legal basis must be identified, documented, and communicated to data subjects before processing begins. Once processing commences under a particular basis, changing to a different basis is permissible only in limited circumstances and requires careful documentation.
Consent
Consent serves as a legal basis when the data subject has given clear, affirmative indication of agreement to processing for specified purposes. Valid consent must be freely given, specific, informed, and unambiguous. Consent requests must be clearly distinguishable from other matters, presented in clear and plain language, and as easy to withdraw as to give.
Consent is not appropriate where significant imbalance exists between the organisation and the data subject. Employment relationships and beneficiary relationships can create power dynamics that undermine consent validity. Staff cannot genuinely refuse consent to processing their employer presents as necessary. Beneficiaries dependent on organisational services face similar constraints. These contexts require alternative legal bases.
Consent for special category data must be explicit, meaning the data subject must make an express statement of consent rather than merely failing to object. Consent for children’s data requires parental or guardian authorisation for children below the age of digital consent (16 in the UK, varying between 13 and 16 across EU member states).
Contract
Processing necessary for the performance of a contract with the data subject, or for pre-contractual steps at the data subject’s request, proceeds under the contract basis. Employment contracts, service agreements, and membership arrangements establish processing authority for data necessary to fulfil contractual obligations.
Necessity limits contract-based processing. Data must be genuinely required for contract performance, not merely useful or convenient. An employment contract justifies processing payroll data but does not extend to processing employee social media activity. Processing under the contract basis cannot exceed what a reasonable person would expect as necessary for the contractual relationship.
Legal obligation
Processing necessary for compliance with a legal obligation to which the controller is subject proceeds under this basis. Tax reporting requirements, statutory employment obligations, and regulatory compliance mandates establish processing authority for specified data categories. The legal obligation must be specific and binding, not merely a general organisational responsibility.
This basis requires identifying the specific legal provision creating the obligation. Processing for tax compliance cites applicable tax legislation. Processing for employment law compliance cites relevant employment statutes. Vague references to legal requirements without specific identification do not satisfy the basis requirements.
Vital interests
Processing necessary to protect the vital interests of the data subject or another natural person serves as a legal basis in emergency situations. Vital interests encompass life-threatening circumstances requiring immediate response. Sharing medical information with emergency responders to enable life-saving treatment exemplifies this basis.
Vital interests processing is restricted to circumstances where no other legal basis applies and life is genuinely at risk. The basis does not extend to general welfare or important interests falling short of life-threatening emergencies. Humanitarian organisations must resist over-reliance on this basis; most humanitarian data processing proceeds under legitimate interests or consent rather than vital interests.
Public task
Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller serves public sector bodies and organisations performing public functions. Mission-driven organisations rarely hold this basis; government agencies and bodies with statutory functions represent the primary users.
Organisations performing functions with a clear public interest character should examine whether this basis applies. Research institutions, certain healthcare providers, and organisations with statutory roles in service delivery may process under this basis for activities falling within their public function.
Legitimate interests
Processing necessary for the purposes of legitimate interests pursued by the controller or a third party serves as the most flexible basis, subject to a balancing test against data subject interests, rights, and freedoms. The controller must document the legitimate interest, demonstrate necessity, and conduct a balancing assessment before relying on this basis.
The balancing test weighs the controller’s interest in processing against the impact on data subjects. Factors include the nature of the interest, whether processing is necessary to achieve it, the nature and sensitivity of the data, the reasonable expectations of data subjects, the likely impact on individuals, and whether safeguards can reduce impact. Significant adverse impact on data subjects defeats legitimate interests claims regardless of the controller’s interest strength.
Mission-driven organisations frequently rely on legitimate interests for operational processing. Direct communications with supporters, fraud prevention, network and information security, and internal administrative purposes commonly proceed under this basis. Each use requires documented balancing assessment demonstrating that data subject interests do not override the claimed legitimate interest.
| Legal basis | Suitable contexts | Requirements | Limitations |
|---|---|---|---|
| Consent | Marketing communications, research participation, optional data collection | Clear affirmative action, easily withdrawn, granular choices | Invalid where power imbalance exists |
| Contract | Employment data, service delivery, membership administration | Processing must be genuinely necessary for contract performance | Cannot extend beyond contractual necessity |
| Legal obligation | Tax reporting, statutory employment records, regulatory compliance | Specific legal provision must be identified | Limited to scope of the legal requirement |
| Vital interests | Medical emergencies, life-threatening situations | Life must be genuinely at risk | Cannot use when other bases apply |
| Public task | Statutory functions, public interest research | Official authority or clear public interest function | Rare for non-governmental organisations |
| Legitimate interests | Operational processing, security, communications with supporters | Documented balancing test required | Data subject interests may override |
Special category data
Processing special category data requires both a standard legal basis from Article 6 and an additional condition from Article 9. The additional conditions include explicit consent, employment and social security obligations, protection of vital interests where consent is impossible, processing by nonprofit bodies concerning members, data manifestly made public by the data subject, legal claims, substantial public interest, health and social care purposes, public health, and archiving or research purposes.
Organisations processing health data, ethnic origin data for equality monitoring, or religious affiliation for programme targeting must identify both the Article 6 basis and the Article 9 condition. Explicit consent for special category data requires an express statement, not merely an affirmative action. Reliance on substantial public interest requires a basis in domestic law with appropriate safeguards.
Data subject rights
Data protection law grants individuals specific rights regarding their personal data. The organisation must enable exercise of these rights and respond to requests within specified timeframes. Rights requests require verification of the requester’s identity before processing to prevent unauthorised disclosure.
Right to be informed
Data subjects hold the right to receive clear, transparent information about data processing. Privacy notices must be provided at the point of data collection, or within one month for data obtained from other sources. Notices must identify the controller, explain processing purposes, specify legal bases, describe recipient categories, explain retention periods, and inform data subjects of their rights.
Privacy notices must be concise, easily accessible, and written in clear and plain language. Layered notices presenting essential information upfront with detailed information accessible through links satisfy accessibility requirements while enabling comprehensive disclosure.
Right of access
Data subjects hold the right to obtain confirmation of whether their personal data is being processed and, where that is the case, access to the personal data and specified supplementary information. Access requests must receive response within one month of receipt, extendable by two additional months for complex or voluminous requests with notification to the requester.
Responses must provide a copy of the personal data in an accessible format alongside information about processing purposes, data categories, recipients, retention periods, the source of data not collected from the data subject, and the existence of automated decision-making. Exemptions protect the rights of third parties, legal privilege, and certain organisational interests, but exemptions are interpreted narrowly.
Right to rectification
Data subjects hold the right to have inaccurate personal data corrected and incomplete data completed. Rectification requests require response within one month. Where data has been disclosed to third parties, the organisation must inform those recipients of the rectification unless doing so proves impossible or involves disproportionate effort.
Right to erasure
Data subjects hold the right to have personal data erased in specified circumstances. Erasure applies where data is no longer necessary for collection purposes, where consent is withdrawn and no other legal basis applies, where the data subject objects and no overriding legitimate grounds exist, where processing has been unlawful, or where erasure is required for legal compliance.
The right to erasure is not absolute. Exemptions exist for processing necessary for freedom of expression, legal compliance, public health purposes, archiving in the public interest, and legal claims. Organisations must evaluate exemption applicability for each erasure request rather than applying blanket refusals.
Right to restrict processing
Data subjects hold the right to restrict processing in specified circumstances, including where accuracy is contested, where processing is unlawful but erasure is not requested, where the organisation no longer needs the data but the data subject requires it for legal claims, or pending verification of whether legitimate grounds override an objection. Restricted data may only be stored, processed with consent, processed for legal claims, processed to protect another person’s rights, or processed for important public interest reasons.
Right to data portability
Data subjects hold the right to receive their personal data in a structured, commonly used, machine-readable format and to have that data transmitted directly to another controller where technically feasible. Portability applies only to data provided by the data subject and processed by automated means on the basis of consent or contract. The right does not extend to data derived from analysis or to data processed under other legal bases.
Right to object
Data subjects hold the right to object to processing based on legitimate interests or public task grounds. Upon objection, the organisation must cease processing unless it demonstrates compelling legitimate grounds overriding the data subject’s interests or processing is necessary for legal claims. The right to object must be explicitly brought to data subjects’ attention at the point of first communication and in privacy notices.
For direct marketing purposes, data subjects hold an absolute right to object. No balancing test applies; objection requires immediate cessation of marketing processing. This absolute right extends to profiling related to direct marketing.
Automated decision-making rights
Data subjects hold the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. Exceptions exist for decisions necessary for contract performance, decisions authorised by law with appropriate safeguards, or decisions based on explicit consent. Where automated decisions are permitted, data subjects retain rights to obtain human intervention, express their point of view, and contest decisions.
| Right | Trigger | Response timeframe | Key exemptions |
|---|---|---|---|
| To be informed | Data collection or acquisition | At collection or within 1 month | National security, crime prevention |
| Of access | Request from data subject | 1 month (extendable to 3) | Third party rights, legal privilege |
| To rectification | Request concerning inaccuracy | 1 month | None specific |
| To erasure | Request with qualifying grounds | 1 month | Legal obligation, legal claims, public interest |
| To restrict | Request with qualifying grounds | 1 month | None specific |
| To portability | Request for data provided on consent/contract basis | 1 month | Only applies to provided data, not derived data |
| To object | Objection to legitimate interests or public task processing | Without undue delay | Compelling legitimate grounds override |
| Regarding automated decisions | Automated decision with legal or significant effect | Not specified; without undue delay | Contract necessity, legal authorisation, explicit consent |
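The response timeframes above are stated in calendar months, which is where tracking systems most often go wrong (a request received on 31 January has no corresponding date in February). The following is an added example, not part of the policy text, of a small deadline calculator for rights requests. It assumes the customary rule that the deadline is the corresponding date in the following month, or the last day of that month where no such date exists, rolled forward to the next working day; public holidays are deliberately not modelled and the extension flag is assumed to be set by the case handler within the first month, as the policy requires.

```python
import calendar
from datetime import date, timedelta


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later. If the target month is too
    short for the day number (e.g. 31 January + 1 month), use its last day."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date) -> date:
    """Roll a Saturday or Sunday forward to the following Monday.
    Assumption: public holidays are handled by the organisation's own calendar
    and are not modelled here."""
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def response_deadline(received: date, extended: bool = False) -> date:
    """Date by which a rights request received on `received` must be answered:
    one month, or three months in total where the extension for complex or
    voluminous requests has been invoked."""
    return next_working_day(add_calendar_months(received, 3 if extended else 1))


def extension_notice_deadline(received: date) -> date:
    """Last day on which the requester can be told that the extension applies,
    i.e. the ordinary one-month deadline."""
    return next_working_day(add_calendar_months(received, 1))


def is_overdue(received: date, today: date, extended: bool = False) -> bool:
    """True once the applicable deadline has passed without a response."""
    return today > response_deadline(received, extended)


def deadline_iso(received_iso: str, extended: bool = False) -> str:
    """String wrapper for use from a ticketing script or the command line."""
    return response_deadline(date.fromisoformat(received_iso), extended).isoformat()


if __name__ == "__main__":
    # Constructed receipt dates chosen to hit the month-end and weekend edge cases.
    for received in ("2024-01-31", "2023-01-31", "2024-06-06"):
        print(received, "->", deadline_iso(received), "(extended:", deadline_iso(received, True) + ")")
```

The calculator is intentionally separate from identity verification: the policy requires verification before a request is actioned, but the clock shown here runs from receipt, so a handler can see how much of the month verification has consumed.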
Privacy by design and default
Data protection must be integrated into processing activities and business practices from the design stage through the lifecycle of processing. Privacy by design requires implementing appropriate technical and organisational measures during system design, not retrofitting protections after deployment. Privacy by default requires that, without any action from the data subject, only personal data necessary for each specific purpose is processed.
Design requirements
Systems processing personal data must incorporate data protection considerations from initial specification. Design documentation must address data minimisation mechanisms, access control architecture, encryption implementation, retention enforcement, and subject rights enablement. Systems must be capable of responding to access requests, implementing erasure, and restricting processing as required.
Procurement specifications for systems processing personal data must include data protection requirements. Vendor assessments must verify capability to support privacy by design principles. Contract terms must establish processor obligations, audit rights, and breach notification requirements.
Default settings
System defaults must reflect maximum privacy protection. Data collection interfaces must not pre-select optional processing consent. Sharing settings must default to minimum disclosure. Retention must default to minimum periods with automatic deletion or archiving at expiry. Users must take affirmative action to reduce privacy protections from default levels.
Data protection impact assessments
Processing likely to result in high risk to data subject rights and freedoms requires a Data Protection Impact Assessment (DPIA) before processing begins. High-risk indicators include systematic and extensive profiling with significant effects, large-scale special category data processing, and large-scale systematic monitoring of public areas.
DPIAs must describe the processing and its purposes, assess necessity and proportionality, identify and assess risks to data subjects, and specify measures addressing those risks. The Data Protection Officer must be consulted during DPIA preparation. Where residual risk remains high after mitigation measures, consultation with the supervisory authority is required before processing begins.
International transfers
Personal data transfers to countries outside the UK and European Economic Area require appropriate safeguards unless the destination country holds an adequacy decision. Adequacy decisions recognise that a country’s data protection framework provides protection essentially equivalent to UK/EU standards. Current adequacy decisions cover Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom (from EU perspective), the United States (under the EU-US Data Privacy Framework for certified organisations), and Uruguay.
Transfer mechanisms
Transfers to non-adequate countries require one of several transfer mechanisms. Standard Contractual Clauses (SCCs) are pre-approved contractual terms that impose GDPR-equivalent obligations on data importers. The organisation must conduct a Transfer Impact Assessment evaluating whether the destination country’s legal framework permits the importer to comply with SCC obligations.
Binding Corporate Rules enable multinational organisations to transfer data within their corporate group under internally binding data protection policies approved by supervisory authorities. Certification mechanisms and codes of conduct may authorise transfers where they provide appropriate safeguards.
Derogations permit specific transfers in limited circumstances. Explicit consent, contract necessity, important public interest reasons, legal claims, vital interests, and public register transfers each authorise specific transfers but do not permit ongoing systematic transfers.
Transfer impact assessments
SCCs require supplementary measures where destination country law prevents importer compliance. Transfer Impact Assessments evaluate the legal framework, identify risks of government access or other compliance obstacles, and determine whether supplementary technical, contractual, or organisational measures adequately address those risks.
Supplementary technical measures include encryption with organisation-held keys, pseudonymisation preventing recipient re-identification, and split processing across jurisdictions. Supplementary contractual measures include importer notification obligations and agreement to challenge disclosure requests. Where no supplementary measures adequately address risks, the transfer cannot proceed.
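Of the supplementary technical measures listed, "pseudonymisation preventing recipient re-identification" is the one most often implemented badly: an unkeyed hash of a beneficiary number or e-mail address is reproducible by anyone who can guess the input format, so the importer can re-identify subjects without ever receiving the mapping. The following is an added example, not part of the policy or of any named product, showing a keyed pseudonymisation step suitable for preparing an export to a processor. It uses HMAC-SHA256 under a key the organisation retains, keeps the token-to-identity lookup on the controller side, and includes a check contrasting the keyed token with a plain hash. The records, field names and key are constructed for the example; in practice the key would come from the organisation's key store and never accompany the export.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In production the key is held in the organisation's
# key management system and is never shipped with the export; it is fixed here
# only so that the example runs stand-alone.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Fields that directly identify a person and must not leave the organisation in clear.
DIRECT_IDENTIFIERS = ("beneficiary_id", "email")

# Constructed sample rows (fictional people, example.org addresses).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"beneficiary_id": "BEN-0001", "email": "a@example.org", "region": "North", "service": "food-parcel"},
    {"beneficiary_id": "BEN-0002", "email": "b@example.org", "region": "North", "service": "counselling"},
    {"beneficiary_id": "BEN-0001", "email": "a@example.org", "region": "North", "service": "counselling"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier value.

    HMAC-SHA256 under the organisation's secret key: the same value always
    yields the same token, so records about one person still link up in the
    export, but a recipient without the key can neither invert the token nor
    reproduce it by hashing candidate identifiers.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:20]


def unkeyed_token(value: str) -> str:
    """The weak alternative (plain SHA-256 prefix), kept only for comparison."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:20]


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (export_rows, lookup).

    export_rows is what the importer receives. lookup (token -> original value)
    stays with the exporting organisation alongside the key and is the only
    route back to the individual.
    """
    lookup: Dict[str, str] = {}
    export_rows: List[Dict[str, str]] = []
    for record in records:
        row = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in row:
                token = pseudonym(row[field], key)
                lookup[token] = row[field]
                row[field] = token
        export_rows.append(row)
    return export_rows, lookup


def reidentify(export_rows: List[Dict[str, str]], lookup: Dict[str, str]) -> List[Dict[str, str]]:
    """Controller-side reversal using the retained lookup table, e.g. to act on
    a finding the processor reports back against a token."""
    restored = []
    for row in export_rows:
        original = dict(row)
        for field in DIRECT_IDENTIFIERS:
            if field in original:
                original[field] = lookup[original[field]]
        restored.append(original)
    return restored


def recover_from_candidates(token: str, candidates: List[str]) -> Optional[str]:
    """Model of what a recipient holding only the export can do: hash each
    candidate identifier and compare. Succeeds against an unkeyed token of a
    guessable value; returns None for a keyed token because the recipient
    cannot compute HMACs without the key."""
    for candidate in candidates:
        if unkeyed_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    rows, lookup = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    for row in rows:
        print(row)  # identifiers replaced, region and service retained
    assert reidentify(rows, lookup) == SAMPLE_RECORDS
```

Two design points worth noting for the Transfer Impact Assessment: the lookup table and key are themselves personal data and belong under the organisation's own access controls, and the non-identifier columns (region, service) must still pass the data minimisation test, since a combination of quasi-identifiers can re-identify a person even when direct identifiers are tokenised.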
| Transfer mechanism | Use case | Key requirements |
|---|---|---|
| Adequacy decision | Transfers to recognised adequate countries | Verify current adequacy status |
| Standard Contractual Clauses | Most third-country transfers | Execute appropriate SCC module; complete Transfer Impact Assessment |
| Binding Corporate Rules | Intra-group transfers | Supervisory authority approval; internal compliance programme |
| Explicit consent | Occasional transfers with informed consent | Specific, informed, freely given; not for systematic transfers |
| Contract necessity | Transfers necessary for data subject’s contract | Limited to what is strictly necessary for contract performance |
Breach notification
A personal data breach is a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Breaches trigger assessment and potential notification obligations regardless of whether the breach resulted from malicious action, accident, or system failure.
Assessment and documentation
All suspected breaches require immediate assessment to determine scope, affected data categories, data subject impact, and notification requirements. The organisation must document all breaches including those not requiring notification, recording the facts of the breach, its effects, and remedial actions taken. This documentation enables supervisory authority verification of compliance.
Supervisory authority notification
Breaches likely to result in a risk to data subject rights and freedoms require notification to the supervisory authority within 72 hours of becoming aware of the breach. Awareness occurs when the organisation has reasonable certainty that a security incident has compromised personal data; investigation to confirm details does not delay the awareness clock indefinitely.
Notification must describe the nature of the breach including data categories and approximate numbers of affected data subjects and records, provide contact details for further information, describe likely consequences, and describe measures taken or proposed to address the breach and mitigate adverse effects. Where full information is unavailable within 72 hours, notification may be provided in phases.
Data subject notification
Breaches likely to result in a high risk to data subject rights and freedoms require notification to affected individuals without undue delay. High risk exists where the breach could lead to physical, material, or non-material damage such as discrimination, identity theft, fraud, financial loss, reputational damage, or loss of confidentiality for data protected by professional secrecy.
Data subject notification must describe the breach in clear and plain language, provide contact details, describe likely consequences, and describe measures taken and recommendations for affected individuals to protect themselves. Notification is not required where appropriate technical measures rendered data unintelligible to unauthorised persons (such as encryption with secure keys), where subsequent measures eliminated high risk, or where notification would involve disproportionate effort (in which case public communication substitutes).
Roles and responsibilities
Data protection compliance requires clear accountability across the organisation. Every individual processing personal data bears responsibility for lawful processing within their role. Specific roles hold designated responsibilities for policy implementation, compliance monitoring, and supervisory authority liaison.
Data Protection Officer
The organisation appoints a Data Protection Officer (DPO) with responsibility for informing and advising on data protection obligations, monitoring compliance including awareness-raising and training, providing advice on Data Protection Impact Assessments, cooperating with the supervisory authority, and acting as contact point for the supervisory authority and data subjects.
The DPO operates independently without instruction regarding task performance. The organisation must not dismiss or penalise the DPO for performing their duties. The DPO may hold other roles provided those roles do not create conflicts of interest; the DPO cannot hold positions determining processing purposes and means, such as IT Director or HR Director.
Controller responsibilities
Senior leadership holds ultimate accountability for data protection compliance. The designated data controller representative, typically a senior executive, ensures adequate resources for compliance, approves policies, and accepts residual risks. Department heads ensure compliance within their areas, approve processing activities, and escalate risks appropriately.
Staff responsibilities
All staff must process personal data only for authorised purposes, maintain confidentiality, apply data minimisation in practice, report breaches and suspected breaches immediately, respond to data subject requests directed to them, and complete required data protection training. Deliberate or negligent data protection violations constitute misconduct addressable through disciplinary procedures.
Training and awareness
All staff processing personal data must complete data protection training within 30 days of commencing their role and annually thereafter. Training covers data protection principles, lawful processing requirements, data subject rights, breach identification and reporting, and role-specific obligations. Completion records must be maintained as evidence of compliance.
Supplementary training addresses specific processing contexts. Staff handling special category data, staff in high-risk processing roles, and staff with supervisory data protection responsibilities require enhanced training commensurate with their obligations.
Awareness activities supplement formal training. Regular communications reinforce key messages, highlight emerging risks, and share lessons learned from incidents. Data protection awareness integrates with broader security and compliance awareness programmes.