Foxley Kingham

1: Data controller or data processor?

Which are you? A data controller decides how and why personal data is processed. A data processor is only responsible for processing data on behalf of a controller. This distinction affects the information you need to record, and it is possible to be both. For example, you are a data controller for your employees, as you hold their data and decide how and why to process it to comply with employment legislation and to carry out functions such as payroll, even if payroll is outsourced. Foxley Kingham will be a data processor when we process your business payroll.


2: Carry out a data audit

You must be aware of what data is held, on whom, and for what purpose, and ensure you document this information as required by law. This kind of data audit can be time-consuming; however, the Information Commissioner's Office (ICO) has some templates which can be helpful.


3: Record the legal basis

Every process should have a legal basis: a legal requirement, a contract, a legitimate interest, or the individual's consent. Other reasons are vital interest (to protect someone's life) or a public interest task. Once chosen, the legal basis should not be changed, so it is important to get it right.


4: Record retention policies

Personal data should be kept for no longer than is necessary for the purpose for which it is processed. Establish what that period is, ensure you can justify it, and create a record deletion policy as appropriate.

5: Assess if there are any high-risk areas

If you have any high-risk areas (where the processing is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale processing of sensitive data, CCTV monitoring, or data profiling), you will need to carry out a Data Protection Impact Assessment and may need to appoint a Data Protection Officer.


6: Check on consents

If you are relying on consent as your legal basis for some of your processing activities, for example marketing mailings or emails, ensure that there is a clear audit trail. You need to be able to evidence who consented, when and how they consented, and what they were told. Consent now requires a positive opt-in, and separate consent is required for each purpose. If your current consents are not up to scratch, put new ones in place.


7: Create or update privacy notices

Individuals must be informed what personal data is being held on them, why, and for how long, along with their rights. You should draft a privacy notice in plain language in accordance with the ICO requirements, and decide whether you need to send it to individuals or make it available for viewing on your website.


8: Check your data security

Look for weak points in your systems that could be vulnerable to a data breach. Consider and document the security measures that will be in place for cybersecurity policy and risk management, mobile and home working, removable media, access controls, and malware protection. Put mitigation measures in place for the weak points you find.


9: Draft internal policies

Make sure you have appropriate policies in place so that staff know how to deal with a situation should it arise, and understand what they can and cannot do with personal data. Think through how you would deal with a data breach, or with an individual rights request (access, rectification, erasure, etc.).


10: Train staff

Ensure all staff are trained in, and aware of, the policies, so that they comply with them and the risk of a data breach is minimised.

More information can be found on the ICO website: