Data Protection Act 2018 Policy

1. Purpose

This policy outlines the principles and procedures for ensuring compliance with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). It establishes how personal data is collected, processed, stored, and disposed of to protect the rights and privacy of individuals.


2. Scope

This policy applies to all employees, contractors, volunteers, and third parties who handle personal data on behalf of the organisation. It covers all personal data processed in any format, including electronic, paper, and verbal records.


3. Definitions

Personal Data:

Any information relating to an identified or identifiable individual.

Special Category Data:

Sensitive personal data requiring additional protection, such as health, racial or ethnic origin, political opinions, or biometric data.

Data Subject:

The individual whose personal data is being processed.

Data Controller:

The organisation responsible for determining the purpose and means of processing personal data.

Data Processor:

A third party that processes personal data on behalf of the data controller.

Processing:

Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.


4. Data Protection Principles

All personal data must be processed in accordance with the following principles:

Lawfulness, Fairness, and Transparency:

Data must be processed lawfully, fairly, and in a transparent manner.

Purpose Limitation:

Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data Minimisation:

Only data necessary for the intended purpose should be collected and processed.

Accuracy:

Personal data must be accurate and kept up to date.

Storage Limitation:

Data must not be kept longer than necessary.

Integrity and Confidentiality:

Data must be processed securely to protect against unauthorised or unlawful processing, loss, destruction, or damage.


Accountability:

The organisation must be able to demonstrate compliance with these principles.


5. Lawful Bases for Processing

Personal data must only be processed when one or more of the following lawful bases apply:

Consent has been obtained from the data subject.
Processing is necessary for the performance of a contract.
Processing is required to comply with a legal obligation.
Processing is necessary to protect vital interests.
Processing is carried out in the public interest or under official authority.
Processing is necessary for legitimate interests pursued by the organisation, except where overridden by the rights of the data subject.


6. Rights of Data Subjects

Individuals have the following rights under the UK GDPR and the DPA 2018:

Right to be informed about data collection and use.
Right of access to their personal data.
Right to rectification of inaccurate or incomplete data.
Right to erasure ("right to be forgotten").
Right to restrict processing.
Right to data portability.
Right to object to processing.
Rights related to automated decision-making and profiling.


7. Data Security

Appropriate technical and organisational measures must be implemented to ensure data security, including:

Encryption and password protection for digital data.
Secure storage and restricted access for physical records.
Regular data backups and secure disposal of obsolete data.
Staff training on data protection and information security.


8. Data Breach Management

Any suspected or actual personal data breach must be reported immediately to the Data Protection Officer (DPO). The DPO will:

Assess the severity and impact of the breach.
Notify the Information Commissioner's Office (ICO) within 72 hours of the organisation becoming aware of the breach, where the breach is likely to result in a risk to individuals' rights and freedoms.
Inform affected individuals without undue delay where there is a high risk to their rights and freedoms.
Maintain a record of all data breaches, including those not reported to the ICO, and of the corrective actions taken.


9. Data Retention and Disposal

Personal data must be retained only for as long as necessary to fulfil its purpose or comply with legal obligations. Once no longer required, data must be securely deleted, shredded, or anonymised.


10. Roles and Responsibilities

Data Protection Officer (DPO):

Oversees compliance, provides guidance, and acts as the contact point for the ICO.


Managers:

Ensure staff within their teams comply with this policy.


Employees and Contractors:

Handle personal data responsibly and report any breaches or concerns immediately.


11. Training and Awareness

All staff must complete mandatory data protection training upon induction and at regular intervals. Ongoing awareness campaigns will reinforce best practices and compliance responsibilities.


12. Monitoring and Review

This policy will be reviewed annually or following significant changes in legislation or organisational structure. Updates will be communicated to all staff.


13. Related Documents

Information Security Policy
Data Retention Schedule
Privacy Notice
Data Breach Response Procedure