UK Data Protection Suite
UK Data Protection Policy
Document 1 of [number of documents in suite] · One-time £20 for the full suite
1. Purpose
This policy sets out how [Company Name] meets its obligations under the Data Protection Act 2018 (DPA), the UK GDPR and applicable ICO codes of practice.
2. Scope
Applies to all personal data processed by [Company Name] in any format, and to all workers acting on its behalf.
3. Governance
4. Principles
[Company Name] applies the six UK GDPR principles plus the accountability principle. Compliance evidence is maintained in the ISMS / records suite.
5. Lawful bases
[Company Name] relies on contract, legal obligation, legitimate interests and consent as recorded in its RoPA. Special category data uses an Article 9 condition combined with a DPA 2018 Schedule 1 condition where required.
6. Rights of individuals
Requests are routed to [DPO Email] and handled under the Subject Access Request Procedure. Identity is verified before disclosure. Exemptions in DPA 2018 Schedule 2 are applied only where lawful and documented.
7. DPIAs
A Data Protection Impact Assessment is conducted for any new processing likely to result in a high risk, following the ICO DPIA template adapted by [Company Name].
8. Personal data breaches
Suspected breaches are reported to [DPO Email] immediately. The DPO assesses whether notification to the ICO is required within 72 hours of [Company Name] becoming aware of the breach, and uses the [Company Name] breach register to track containment and lessons learned.
9. Suppliers and processors
[Company Name] only engages processors offering sufficient guarantees of UK GDPR compliance. Article 28 contracts are in place and reviewed periodically.
10. International transfers
Transfers outside the UK rely on adequacy regulations, the UK Addendum to the SCCs, the IDTA, or another approved transfer mechanism — supported by a documented Transfer Risk Assessment.
11. Review
Reviewed at least annually and after material change.
Approved by: [Company Owner]
Effective date: [Effective Date]
Next review: [Review Date]