{"id":226,"date":"2025-01-20T14:05:22","date_gmt":"2025-01-20T14:05:22","guid":{"rendered":"https:\/\/suppliers.duchyofcornwall.org\/?page_id=226"},"modified":"2026-01-20T10:11:52","modified_gmt":"2026-01-20T10:11:52","slug":"data-security-gdpr-help-page","status":"publish","type":"page","link":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/data-security-gdpr-help-page\/","title":{"rendered":"Data Security GDPR help page"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\" id=\"0-does-your-organisation-engage-with-suppliers-and-the-whole-supply-chain-to-encourage-robust-ways-of-working-in-line-with-your-own-values\"><strong>Help notes: DATA SECURITY &amp; DATA PROTECTION<\/strong><\/h4>\n\n\n\n<p>There are two questions to answer: one about data security and one about data protection (UK GDPR).<\/p>\n\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-a8995dce-fce5-4cc9-9c19-63d4950b41a8\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-a8995dce-fce5-4cc9-9c19-63d4950b41a8\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-a8995dce-fce5-4cc9-9c19-63d4950b41a8\"><strong>Do these questions apply to me? 
Is this a regulatory requirement?<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-a8995dce-fce5-4cc9-9c19-63d4950b41a8\">\n\n<p>GDPR regulation applies to any organisation that processes <a href=\"#personal-data\">personal data<\/a> of individuals, whatever the size of the business. That includes customer and employee information. <\/p>\n\n\n\n<p>Measures around protecting personal information are generally legal requirements and not complying with GDPR can lead to penalties around data mishandling. Measures around data security are an element of the GDPR and are also best practice for the protection of your organisation, employees, and supply chain. Encryption, firewalls and access controls ensure you can operate securely and maintain trust with your clients and other contacts. Even paper records should be kept secure.&nbsp;<\/p>\n\n\n\n<p>UK legal requirements around data security are mostly governed by the Data Protection Act 2018, which incorporates the GDPR. Others include the Computer Misuse Act 1990 and Fraud Act 2006. 
There are various criminal offences relating to data security in the UK which can apply to organisations, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>unlawful processing of personal data (including failing to obtain the necessary consent)&nbsp;<\/li>\n\n\n\n<li>failure to notify a data breach&nbsp;<\/li>\n\n\n\n<li>failure to protect data (typically inadequate security measures leading to a data breach)&nbsp;<\/li>\n\n\n\n<li>disclosing personal data without consent (especially for financial gain or other improper purposes)&nbsp;<\/li>\n\n\n\n<li>offences around unauthorised access to information, cyberattacks, and fraud&nbsp;<\/li>\n<\/ul>\n\n<\/div><\/div>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading has-accent-5-background-color has-background\"><strong>Does your organisation have a policy or plans in place to keep information secure, which are shared with staff?<\/strong><\/h4>\n\n\n\n<p><strong>Data security<\/strong> means protecting sensitive information from risks to your organisation like unauthorised access, breaches of regulations, and cyber-attacks.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-bffe116b-9fde-41f9-b8df-05e01743ee12\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-bffe116b-9fde-41f9-b8df-05e01743ee12\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-bffe116b-9fde-41f9-b8df-05e01743ee12\"><strong>What is a &#8216;Yes&#8217; for me?<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" 
aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-bffe116b-9fde-41f9-b8df-05e01743ee12\">\n\n<p>Answer \u2018yes\u2019 if you can state that you have considered the principles of keeping data secure at your organisation, you have a policy that your organisation actively uses, and you could demonstrate this.<\/p>\n\n<\/div><\/div>\n<\/div>\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-952d7b41-40a0-4736-8dc0-0f9f2ea05614\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-952d7b41-40a0-4736-8dc0-0f9f2ea05614\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-952d7b41-40a0-4736-8dc0-0f9f2ea05614\"><strong>Data Security: risks, and examples of measures<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-952d7b41-40a0-4736-8dc0-0f9f2ea05614\">\n\n<p>Data security measures typically include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encryption&nbsp;<\/li>\n\n\n\n<li>Access controls&nbsp;<\/li>\n\n\n\n<li>Firewalls&nbsp;<\/li>\n\n\n\n<li>Audits&nbsp;<\/li>\n\n\n\n<li>Training&nbsp;<\/li>\n\n\n\n<li>Incident Response Plans&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Lack of data security measures can expose organisations to risks like:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unauthorised people getting access to your customer information, financial records, or Intellectual 
Property.&nbsp;<\/li>\n\n\n\n<li>Loss of trust from customers, and negative publicity or reputation damage&nbsp;<\/li>\n\n\n\n<li>Fines and penalties for breaching regulations, or failing audits, and legal costs&nbsp;<\/li>\n\n\n\n<li>Cyber attacks crashing systems or causing other business interruption and downtime&nbsp;<\/li>\n\n\n\n<li>Cyber attacks tricking employees into revealing sensitive information&nbsp;<\/li>\n\n\n\n<li>Identity theft&nbsp;<\/li>\n\n\n\n<li>Ransomware attacks (encrypting your data and demanding payment for its release)&nbsp;<\/li>\n\n\n\n<li>Putting your supply chain at risk&nbsp;<\/li>\n\n\n\n<li>Loss of competitive advantage from leaking of information&nbsp;<\/li>\n<\/ul>\n\n<\/div><\/div>\n<\/div>\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-7ff30340-ceac-42bc-9323-f77031a0eaeb\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-7ff30340-ceac-42bc-9323-f77031a0eaeb\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-7ff30340-ceac-42bc-9323-f77031a0eaeb\"><strong>Data Security: policy guidance for smaller organisations<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-7ff30340-ceac-42bc-9323-f77031a0eaeb\">\n\n<p>You could use this checklist as a simple way of creating a policy if you don\u2019t have one already. 
This is based on a \u2018<a href=\"https:\/\/www.ncsc.gov.uk\/cyberaware\/actionplan\" target=\"_blank\" rel=\"noreferrer noopener\">Cyber Action Plan<\/a>\u2019 produced by the UK National Cyber Security Centre; a simple survey which gives tips on increasing your data security.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Work email and social media passwords are different from all other passwords&nbsp;<\/li>\n\n\n\n<li>Strong passwords are used for work email&nbsp;<\/li>\n\n\n\n<li>2-step verification is enabled for important work accounts&nbsp;&nbsp;<\/li>\n\n\n\n<li>Backups are made of important work data&nbsp;&nbsp;<\/li>\n\n\n\n<li>Know how to access important information from your backup quickly&nbsp;<\/li>\n\n\n\n<li>Security features are enabled for all main work devices (e.g. screen autolock; PIN; passcode; find my device)&nbsp;<\/li>\n\n\n\n<li>Computer firewalls are turned on and antivirus enabled&nbsp;<\/li>\n\n\n\n<li>Latest updates are promptly installed on work devices&nbsp;<\/li>\n\n\n\n<li>New apps and software are only installed after checking the source&nbsp;<\/li>\n\n\n\n<li>Staff are aware of and trained in these measures<\/li>\n<\/ul>\n\n<\/div><\/div>\n<\/div>\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-8bee5dd9-d708-4671-8b4c-fa57f8d8cd6d\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-8bee5dd9-d708-4671-8b4c-fa57f8d8cd6d\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-8bee5dd9-d708-4671-8b4c-fa57f8d8cd6d\"><strong>Data Security: policy guidance for medium\/ large organisations<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span 
class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-8bee5dd9-d708-4671-8b4c-fa57f8d8cd6d\">\n\n<p>Organisations of this size would usually have a formal written Data Security Policy, including measures around:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security in place (encryption, system security, access controls, firewalls etc)&nbsp;<\/li>\n\n\n\n<li>Audits&nbsp;<\/li>\n\n\n\n<li>Training&nbsp;&nbsp;<\/li>\n\n\n\n<li>Incident response plans&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Organisations are likely to have a person dedicated to managing the organisation\u2019s cyber security and responsible for their data security policy.&nbsp;&nbsp;<\/p>\n\n\n\n<p>You could use the following resources to help create a policy if you don\u2019t have one already.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2018<a href=\"https:\/\/www.ncsc.gov.uk\/collection\/10-steps\" target=\"_blank\" rel=\"noreferrer noopener\">10 Steps to Cyber Security<\/a>\u2019 from the National Cyber Security Centre is advice aimed at medium to large organisations that have someone dedicated to managing the organisation&#8217;s cyber security.&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/www.ncsc.gov.uk\/collection\/cyber-assessment-framework\/introduction-to-caf\" target=\"_blank\" rel=\"noreferrer noopener\">Cyber Assessment Framework<\/a> from the National Cyber Security Centre&nbsp;<\/li>\n\n\n\n<li>Other links from the NCSC\u2019s <a href=\"https:\/\/www.gov.uk\/government\/collections\/cyber-security-guidance-for-business\" target=\"_blank\" rel=\"noreferrer noopener\">Cyber security guidance for business<\/a>&nbsp;<\/li>\n<\/ul>\n\n<\/div><\/div>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading has-accent-5-background-color has-background\"><strong>Does 
your organisation have a policy or plans in place to handle personal information in line with GDPR, which are shared with staff?<\/strong><\/h4>\n\n\n\n<p><strong>GDPR<\/strong> (General Data Protection Regulation) is about handling a specific type of information, namely personal information about individuals (like people\u2019s names, phone numbers, addresses, credit card details or IP addresses). It is about protecting people\u2019s privacy rights.&nbsp;<\/p>\n\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-529888ec-c4d1-4088-b8b1-b50fe732e839\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-529888ec-c4d1-4088-b8b1-b50fe732e839\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-529888ec-c4d1-4088-b8b1-b50fe732e839\"><strong>What is a &#8216;Yes&#8217; for me?<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-529888ec-c4d1-4088-b8b1-b50fe732e839\">\n\n<p>Answer \u2018yes\u2019 if you can state that you have thought about the principles of legally handling personal information in your organisation, you have a policy that your organisation actively uses, and you could demonstrate this.&nbsp;<\/p>\n\n<\/div><\/div>\n<\/div>\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-7a9e89d0-64f2-4245-b7b1-99e39fa2d234\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" 
id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-7a9e89d0-64f2-4245-b7b1-99e39fa2d234\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-7a9e89d0-64f2-4245-b7b1-99e39fa2d234\"><strong>GDPR: policy guidance for smaller organisations<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-7a9e89d0-64f2-4245-b7b1-99e39fa2d234\">\n\n<p>As a small business, you\u2019ll generally handle a far smaller volume of data than a large business. Even though the volume may be less, you still need to have the necessary procedures in place to be able to protect individuals\u2019 data and to deal with their requests, as per the requirements of UK GDPR.&nbsp;<\/p>\n\n\n\n<p><a href=\"#personal-data\">Personal information<\/a> you hold is most likely to be records of customers, staff, prospective customers (leads) and suppliers.&nbsp;<\/p>\n\n\n\n<p>You could use this checklist to think about considerations around personal data protection, based on official guidance from <a href=\"https:\/\/www.gov.uk\/data-protection-your-business\" target=\"_blank\" rel=\"noreferrer noopener\">government<\/a>, the <a href=\"https:\/\/ico.org.uk\/for-organisations\/advice-for-small-organisations\/\" target=\"_blank\" rel=\"noreferrer noopener\">Information Commissioner\u2019s Office (ICO)<\/a> and the <a href=\"https:\/\/www.fsb.org.uk\/resources-page\/gdpr-for-small-businesses-how-to-stay-compliant.html\" target=\"_blank\" rel=\"noreferrer noopener\">Federation for Small Businesses (FSB)<\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Personal information is kept secure (see data security above)&nbsp;<\/li>\n\n\n\n<li>Personal information is kept accurate and up to date&nbsp;<\/li>\n\n\n\n<li>Personal information is only kept for as long as you need it and then shredded or deleted&nbsp;<\/li>\n\n\n\n<li>If and when someone\u2019s personal data is collected, they are informed (e.g. via a <a href=\"https:\/\/ico.org.uk\/for-organisations\/advice-for-small-organisations\/create-your-own-privacy-notice\" target=\"_blank\" rel=\"noreferrer noopener\">privacy notice<\/a>):&nbsp;\n<ul class=\"wp-block-list\">\n<li>who you are and how you\u2019ll use their information, including if it\u2019s being shared with other organisations&nbsp;<\/li>\n\n\n\n<li>that they have the right to:&nbsp;\n<ul class=\"wp-block-list\">\n<li>request any information you hold about them and correct it if it\u2019s wrong&nbsp;<\/li>\n\n\n\n<li>request their data is deleted&nbsp;<\/li>\n\n\n\n<li>request their data is not used for certain purposes&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you have staff, that <a href=\"https:\/\/www.gov.uk\/data-protection-your-business\/recruitment-managing-staff-records\" target=\"_blank\" rel=\"noreferrer noopener\">guidance<\/a> around staff recruitment, staff records, and monitoring staff at work, is followed&nbsp;&nbsp;<\/li>\n\n\n\n<li>If you use CCTV, that <a href=\"https:\/\/www.gov.uk\/data-protection-your-business\/using-cctv\" target=\"_blank\" rel=\"noreferrer noopener\">guidance<\/a> is followed&nbsp;<\/li>\n\n\n\n<li>Generally, organisations need to keep the Information Commissioner\u2019s Office informed about how they use personal information, and pay a fee. 
Check <a href=\"https:\/\/www.gov.uk\/data-protection-register-notify-ico-personal-data\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a> whether this applies to you.&nbsp;<\/li>\n<\/ul>\n\n<\/div><\/div>\n<\/div>\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-35b6107f-c8c1-496f-b21d-e73706532cb0\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-35b6107f-c8c1-496f-b21d-e73706532cb0\" tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-35b6107f-c8c1-496f-b21d-e73706532cb0\"><strong>GDPR: policy guidance for medium\/ large organisations<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-35b6107f-c8c1-496f-b21d-e73706532cb0\">\n\n<p>Organisations of this size generally have a policy relating to Data Protection and related privacy notices.&nbsp;<\/p>\n\n\n\n<p>They are likely to have a person dedicated to managing the organisation\u2019s data protection compliance and responsible for their data-related policies. A policy should entail measures around the <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/data-protection-principles\/a-guide-to-the-data-protection-principles\/\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection principles<\/a>. 
These cover the following general areas:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data Protection Rights: Ensuring individuals\u2019 rights regarding their personal data, such as the right to access, correct, delete, and transfer their data.&nbsp;<\/li>\n\n\n\n<li>Lawful Processing: Processing personal data only when there is a valid legal basis, such as consent, contract necessity, or legitimate interest.&nbsp;<\/li>\n\n\n\n<li>Transparency: Clearly informing individuals about how their data is collected, used, and shared, typically through a privacy policy.&nbsp;<\/li>\n\n\n\n<li>Data Minimization: Collecting only the data that is necessary for a specific purpose and not retaining it longer than needed.&nbsp;<\/li>\n\n\n\n<li>Security Measures: Implementing appropriate technical and organizational measures to protect personal data from breaches and unauthorized access.&nbsp;<\/li>\n\n\n\n<li>Data Protection Impact Assessments (DPIAs): Conducting assessments to identify and mitigate risks associated with data processing activities.&nbsp;<\/li>\n\n\n\n<li>Notification of Breaches: Informing authorities and affected individuals promptly in case of a data breach.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/accountability-and-governance\/accountability-framework\/policies-and-procedures\/\" target=\"_blank\" rel=\"noreferrer noopener\">Information Commissioner\u2019s Office<\/a> provides further guidance.&nbsp;&nbsp;&nbsp;<\/p>\n\n<\/div><\/div>\n<\/div>\n\n<div class=\"wp-block-ub-content-toggle\" id=\"ub-content-toggle-2b6bc04a-9be9-49a6-96a4-5191517eaea4\" data-mobilecollapse=\"false\" data-desktopcollapse=\"true\">\n<div class=\"wp-block-ub-content-toggle-accordion\" id=\"ub-content-toggle-panel-block-\">\n                <div class=\"wp-block-ub-content-toggle-accordion-title-wrap\"\" aria-controls=\"ub-content-toggle-panel-0-2b6bc04a-9be9-49a6-96a4-5191517eaea4\" 
tabindex=\"0\">\n                    <p class=\"wp-block-ub-content-toggle-accordion-title ub-content-toggle-title-2b6bc04a-9be9-49a6-96a4-5191517eaea4\"><strong>Examples of processing personal data of individuals<\/strong><\/p><div class=\"wp-block-ub-content-toggle-accordion-toggle-wrap right\"><span class=\"wp-block-ub-content-toggle-accordion-state-indicator wp-block-ub-chevron-down\"><\/span>\n                    <\/div><\/div><div role=\"region\" aria-expanded=\"false\" class=\"wp-block-ub-content-toggle-accordion-content-wrap ub-hide\" id=\"ub-content-toggle-panel-0-2b6bc04a-9be9-49a6-96a4-5191517eaea4\">\n\n<p id=\"personal-data\">The Data Protection Act 2018 and UK GDPR apply to <em>any organisation that processes personal data of individuals<\/em>, whatever the size of the business. That includes customer and employee information.&nbsp;&nbsp;<\/p>\n\n\n\n<p>For example, it will apply when you:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collect personal information from clients, customers, or suppliers (e.g., names, addresses, email addresses, phone numbers, or payment details).&nbsp;<\/li>\n\n\n\n<li>Process any personal data electronically (e.g., on a computer, smartphone, or online platform), or on paper.&nbsp;<\/li>\n\n\n\n<li>Store personal information, either digitally or in physical form.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>You are likely to do these if you:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>keep customers\u2019 addresses on file&nbsp;<\/li>\n\n\n\n<li>recruit staff&nbsp;<\/li>\n\n\n\n<li>manage staff records, record staff working hours&nbsp;<\/li>\n\n\n\n<li>market your products or services&nbsp;<\/li>\n\n\n\n<li>use CCTV&nbsp;<\/li>\n\n\n\n<li>give delivery information to a delivery company&nbsp;<\/li>\n\n\n\n<li>use email to contact individuals&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Individuals whose personal data you hold (data subjects) have certain rights in relation to their data. 
&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The right to be informed&nbsp;<\/li>\n\n\n\n<li>The right of access&nbsp;<\/li>\n\n\n\n<li>The right to rectification&nbsp;<\/li>\n\n\n\n<li>The right to erasure&nbsp;<\/li>\n\n\n\n<li>The right to restrict processing&nbsp;<\/li>\n\n\n\n<li>The right to data portability&nbsp;<\/li>\n\n\n\n<li>The right to object&nbsp;<\/li>\n\n\n\n<li>Rights in relation to automated decision-making and profiling<\/li>\n<\/ul>\n\n<\/div><\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Help notes: DATA SECURITY &amp; DATA PROTECTION There are two questions to answer: one about data security and one about data protection (UK GDPR). Does your organisation have a policy or plans in place to keep information secure, which are shared with staff? Data security means protecting sensitive information from risks to your organisation like [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-no-title","meta":{"ub_ctt_via":"","footnotes":""},"class_list":["post-226","page","type-page","status-publish","hentry"],"featured_image_src":null,"_links":{"self":[{"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/pages\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":21,"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/pages\/226\/revisions"}],"predecessor-version":[{"id":996,"href":"https:\/\/suppliers.duchyofcornwall.org
\/index.php\/wp-json\/wp\/v2\/pages\/226\/revisions\/996"}],"wp:attachment":[{"href":"https:\/\/suppliers.duchyofcornwall.org\/index.php\/wp-json\/wp\/v2\/media?parent=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}