Why is this important?

Policies and procedures provide clarity and consistency by communicating what people need to do and why. Policies can also communicate goals, values and a positive tone. Data protection law specifically requires you to put in place data protection policies where proportionate. What you have policies for, and their level of detail, will vary between organisations, but effective data protection policies and procedures help your organisation take the practical steps needed to comply with its legal obligations.

At a glance - What we expect from you

Direction and support

Your organisation’s policies and procedures provide your staff with enough direction to understand their roles and responsibilities regarding data protection and information governance.

Ways to meet our expectations:

  • The policy framework stems from strategic business planning for data protection and information governance, which the highest level of management endorses.
  • Policies cover data protection, records management and information security.
  • You make operational procedures, guidance and manuals readily available to support data protection policies and provide direction to operational staff.
  • Policies and procedures clearly outline roles and responsibilities.

Have you considered the effectiveness of your accountability measures?

  • Do staff know where to find relevant policies and are they easy to find?
  • Could your staff explain their role and responsibilities and how the policies and procedures help them?

Review and approval

You have a review and approval process in place to make sure that policies and procedures are consistent and effective.

Ways to meet our expectations:

  • All policies and procedures follow an agreed format and style.
  • An appropriately senior staff member reviews and approves all new and existing policies and procedures.
  • Existing policies and procedures are reviewed in line with documented review dates, and are up to date and fit for purpose.
  • You update policies and procedures without undue delay when they require changes, eg because of operational change, court or regulatory decisions or changes in regulatory guidance.
  • All policies, procedures and guidelines show document control information, including version number, owner, review date and change history.

Have you considered the effectiveness of your accountability measures?

  • Is the highest level of management aware of the strategic business plan for information governance?
  • Are policies consistent?
  • Is the approval process appropriate?

Staff awareness

Staff are fully aware of the data protection and information governance policies and procedures that are relevant to their role.

Ways to meet our expectations:

  • Your staff read and understand the policies and procedures, including why they are important to implement and comply with.
  • You tell staff about updated policies and procedures.
  • You make policies and procedures readily available for all staff on your organisation’s intranet site (or equivalent shared area) or provide them in other formats.
  • Guidelines, posters or publications help to emphasise key messages and raise staff awareness of policies and procedures.

Have you considered the effectiveness of your accountability measures?

  • Could your staff easily find policies on the intranet or equivalent shared area?
  • Are they aware of the main content?
  • Would we see any data protection awareness-raising materials available or on display around your office, such as posters?

Data protection by design and by default

Your policies and procedures foster a ‘data protection by design and by default’ approach across your organisation.

Ways to meet our expectations:

  • Where relevant, you consider policies and procedures across your organisation with data protection in mind.
  • You have policies and procedures to ensure data protection issues are considered when systems, services, products and business practices involving personal data are designed and implemented, and that personal data is protected by default.
  • Your policies and procedures set out how your organisation implements the data protection principles and safeguards individuals’ rights, for example through data minimisation, pseudonymisation and purpose limitation.
  • The personal data of vulnerable groups, eg children, is given extra protection in policies and procedures.

Have you considered the effectiveness of your accountability measures?

  • Do staff consider data protection for all relevant policies and do they understand why it’s important?
  • Are staff aware of the requirement to consider data protection when any new system, product or business practice involving personal data is designed and implemented?
