The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Data protection by design and by default

Your policies and procedures foster a ‘data protection by design and by default’ approach across your organisation.

Ways to meet our expectations:

  • Where relevant, you consider policies and procedures across your organisation with data protection in mind.
  • You have policies and procedures to ensure data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default.
  • Your organisation’s approach to implementing the data protection principles and safeguarding individuals’ rights, such as data minimisation, pseudonymisation and purpose limitation, is set out in policies and procedures.
  • The personal data of vulnerable groups, for example children, is given extra protection in policies and procedures.

Can you answer yes to the following questions?

  • Could your staff easily find policies on the intranet or equivalent shared area?
  • Are they aware of the main content?
  • Would we see any data protection awareness-raising materials available or on display around your office, such as posters?