Data Management Policy TEMPLATE V1

Uploaded by michaelpaulngugi

Data Management Policy

Template

This is an example policy. Please ensure you update this policy template so that it’s
suitable for your organisation.

DATE: ……….
Introduction
<Organisation> needs to gather and use certain information about individuals. This can
include clients, contacts, employees and other people the organisation has a relationship
with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to
meet the organisation's data protection standards and to comply with the law.
This data management policy ensures <Organisation>:
- complies with data protection law and follows good practice
- protects the rights of clients, staff and partners
- is transparent about how it stores and processes individuals’ data
- protects itself from the risks of a data breach

Data protection law


The UK General Data Protection Regulation (UK GDPR) applies in the UK. It requires that personal data must be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
3. Adequate, relevant and limited to what’s necessary in relation to the purposes for which it is processed.
4. Accurate and, where necessary, kept up to date.
5. Protected – every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
6. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
7. Stored for longer periods only where the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is also subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of individuals.
8. Processed in a manner that ensures appropriate security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
9. Managed by a controller who is responsible for, and able to demonstrate, compliance with these principles.

People and responsibilities


Everyone at <Organisation> contributes to compliance with UK GDPR. Key decision-makers must understand the requirements and accountability of the organisation in order to prioritise and support the implementation of compliance.
You should set out here the key areas of responsibility which must be assigned, so that there is clarity about who in the organisation is responsible for leading on compliance with the regulations, what training is required by whom, and how policy and procedural information is disseminated within the team. These responsibilities should include (but are not necessarily limited to):
1. Keeping senior management and the board updated about data protection issues,
risks and responsibilities.
2. Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with the agreed schedule.
3. Embedding ongoing privacy measures into policies and day-to-day activities,
throughout the organisation. The policies themselves will stand as proof of
compliance.
4. Sharing the policy across the organisation, and arranging training and advice for
staff.
5. Dealing with subject access requests, deletion requests and queries from clients,
stakeholders and data subjects about data protection related matters.
6. Checking and approving contracts or agreements with third parties that may handle
the organisation's sensitive data.
7. Ensuring all systems, services and equipment used for storing data meet
acceptable security standards.
8. Performing regular checks and scans to ensure security hardware and software are
functioning properly.
9. Evaluating any third-party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations.
10. Developing privacy notices to reflect a lawful basis for fair processing, ensuring that
intended uses are clearly articulated. This will also ensure that data subjects
understand how they can give or withdraw consent, or exercise their rights in
relation to the company's use of their data.

11. Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the UK GDPR principles.

The Data Protection Officer (DPO), the person responsible for fulfilling the tasks of the DPO in respect of <Organisation>, is <employee name, employee job title>.
Under UK GDPR, organisations in certain circumstances are required to appoint a DPO. However, regardless of whether the UK GDPR requires a DPO, you must ensure that your organisation has sufficient staff and skills to meet your obligations under the UK GDPR.
Best practice dictates that, regardless of individual circumstances, organisations should appoint a named individual as DPO to lead on ensuring that data protection requirements are met. The minimum tasks of the DPO are to:
- inform and advise the organisation and its employees about their obligations to comply with UK GDPR and other data protection laws
- monitor compliance with UK GDPR and other data protection laws – including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
- be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients)

Scope of personal information to be processed


In this section you should detail:
1. The scope of the data you process, including whether you process:
- names of individuals
- postal addresses of individuals
- email addresses
- telephone numbers
- online identifiers
- any other information relating to individuals

2. Where the data is collected from and where it is stored.

3. Details of how you have considered whether the data is accurate. For example, what measures you have in place to check the accuracy, duplication and completeness of data. Also, how you ensure the data is relevant to the purpose, not excessive, up to date (what measures you have in place to clean and update records) and not kept for longer than is necessary.
4. When and how relevant data will be checked against industry suppression files, such as the:
- telephone preference service
- mailing preference service
- fundraising preference service
5. Details of any sensitive special categories of personal information that it’s necessary for <Organisation> to process. Describe the enhanced measures that are set in place to protect this information, and respect the rights and freedoms of the individuals to whom it relates.

Uses and conditions for processing


Here, document the various specific types of processing that you carry out, which should include the:
- intended purpose for that processing
- data to be processed
- lawful basis for processing
- plan for how these conditions for processing are supported
Expand and add to the fields in the following table as required to give an appropriate level of detail.

| Outcome/Use | Processing required | Data to be processed | Conditions for processing | Evidence for lawful basis |
|-------------|---------------------|----------------------|---------------------------|---------------------------|
| <outcome>   | <processing>        | <data>               | <lawful condition>        | <evidence>                |

Consent
In cases where you rely on consent as the lawful condition for processing, you should be able to demonstrate and describe how you have reviewed your processes and systems to make sure that consent is freely and unambiguously given for specific purposes, and that you can evidence an affirmative action on the part of the data subject indicating consent. Data subjects must be able to reasonably understand who is using their personal information, what information is used, for what purposes, and through which communications channels. Do your practices and systems incorporate a suitable audit trail which would enable you to demonstrate, on request, how and when consent was obtained? Do your practices and systems communicate an individual’s right to withdraw consent at any time, and do your processes and systems support the functionality to do so?
Where ‘soft opt-in’ is used as the lawful basis for processing for electronic communications (email/SMS/automated telephone) contact, you should record the notification statement, given at the point of collecting personal information during the course of a sale or negotiation for a sale, that detailed the intended use of the personal information and gave the client the opportunity to opt out. You should also record how you subsequently notify the client of their right to unsubscribe with every following communication.
Where ‘legitimate interest’ is the lawful condition for processing, evidence should be given of the process by which the rights and freedoms of the individual have been weighed against the interests of the company, and of how the outcomes of that process have been considered and mitigated. How has the individual been informed of this processing, and what information have they been given to help them exercise their rights?

Privacy Impact Assessments


Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs), form an integral part of taking a privacy-by-design and best-practice approach.
There are certain circumstances where organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations, meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information.
An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
PIAs undertaken by your company may be detailed here, or else referenced here and presented as an appendix to this data management policy document. The DPIA should contain:
- a description of the processing operations and the purposes – including, where applicable, the legitimate interests pursued by the controller
- an assessment of the necessity and proportionality of the processing in relation to the purpose
- an assessment of the risks to individuals
- the measures in place to address risk, including security measures, and to demonstrate that you comply
A single DPIA can address more than one project.

Data Sharing
In this section provide details of any/all third-party organisations that you intend to share personal information with.
Where consent is the basis for sharing, describe how <Organisation> has obtained and recorded the necessary specific and clear permissions for sharing data with named third parties, for specifically defined uses, and in specified communications channels.
Where other lawful conditions for processing are relied upon for data sharing, these should also be described.
Details should be given of when data sharing agreements are put in place. Such an agreement should:
- describe and ensure the arrangements concerning the collection of the necessary permissions
- define the scope of the personal data to be shared, along with the metadata that will enable the receiving party to create an audit trail sufficient to respond to any challenge as to why an individual’s data has been processed, or to facilitate a data subject access request
- detail the security measures that will be put in place to protect the data in transit
- establish the shared understanding that the receiving organisation is a data controller of the new copy of the data shared with it, with responsibility for all aspects of the regulation

Security measures
Here, describe the measures that are in place to protect the personal information that you store from breach.
Details should be documented here of the technical infrastructure considerations and measures put in place to leverage technology to require or ensure compliance, such as restricting and protecting access to the data to those people for whom it is necessary to perform the processing, using measures like security software and firewalls, encryption, the use of secure Virtual Private Networks (VPNs), login-restricted access and two-step authentication.
The procedural and organisational policy measures, such as protocols for safe transfer of data in transit, protocols for password management, and data back-up, should also be detailed.
Describe also the measures in place to enable your organisation to know if a data breach has taken place, and the measures in place to ensure that any breach is reported to the ICO within the required timescales. You should also articulate the measures you have in place to ensure that any data to be deleted is deleted securely and without further risk of breach.

Automated processing
Provide details of any automated processing or decision-making undertaken by your
organisation, including profiling.
You should describe:
- the lawful condition for that processing
- what the outcomes are
- how you have weighed the outcomes of that processing against the rights and freedoms of the individuals
This applies where such processing leads to a significant legal or other effect on the individual.
The process of weighing the organisation’s interest against the rights of the individual should always be transparently demonstrated. Privacy statements should include details of any automated processing. This includes details of any third-party profiling tools or datasets that are used to add information that will build a profile of individuals. Privacy statements should also detail the outcomes of this processing, together with details of how individuals can exercise their right not to be subject to such processing.

Subject access requests
All individuals who are the subject of data held by your organisation are entitled to:
- ask what information the company holds about them and why
- ask how to gain access to it
- be informed how to keep it up to date
- be informed how the company is meeting its data protection obligations
Details should be given here of the process that <Organisation> will use to fulfil subject
access requests and how individuals are notified of this process.

The right to be forgotten


In certain circumstances, data subjects have the right to have their data deleted from your database. Describe your organisation’s policy and process for evaluating this right, and how you would comply technically in those cases where you carry out the individual’s right to be forgotten – what would be deleted and what data would be retained anonymously.

Privacy notices
<Organisation> aims to ensure that individuals are aware that their data is being
processed, and that they understand:
- who is processing their data
- what data is involved
- the purpose for processing that data
- the outcomes of data processing
- how to exercise their rights
The company has a privacy statement, setting out how data relating to these individuals is
used by the company.
Detail here where and how the privacy statement can be viewed by individuals.

Ongoing documentation of measures to ensure compliance


Meeting the obligations of the UK GDPR to ensure compliance will be an ongoing process.
<Organisation> details here the ongoing measures implemented to:
- maintain documentation/evidence of the privacy measures implemented and records of compliance
- regularly test the privacy measures implemented and maintain records of the testing and outcomes
- use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts
- keep records showing training of employees on privacy and data protection matters

Exceptions
Exceptions to the guiding principles in this policy must be documented and formally approved by the <role> and <organisation>.

Policy exceptions must describe:
- the nature of the exception
- a reasonable explanation for why the policy exception is required
- any risks created by the policy exception
- evidence of approval by all appropriate parties

Review of this document: annually by <role>.


Next review date: <date month year>.
