The ICO exists to empower you through information.

Demonstrate how you comply

Share

Pages

Format

You cannot apply the journalism exemption to the requirement to demonstrate how you comply. However, if you meet the criteria to apply the exemption, you no longer have to comply with the specific requirement to consult us if a Data Protection Impact Assessment (DPIA) reveals a high risk you cannot mitigate (See Apply the journalism exemption).

What does the legislation say?

2.1 You must be able to demonstrate how you comply with the data protection principles. This is a key principle of data protection law which you cannot apply the journalism exemption to.

2.2 To be able to demonstrate how you comply, you must implement appropriate and proportionate data protection measures and update them when you need to.

2.3 To decide what measures are appropriate and proportionate, you must consider:

  • what personal information you are using;
  • what you plan to do with it and why;
  • the wider context, including the special public interest in protecting freedom of expression and information; and
  • the risk of harm (see 2.3 in Reference notes).

2.4 You must integrate data protection into any system, service, product, policy or process you design that involves personal information. 

2.5 Where proportionate, you must put in place data protection policies to make sure that all the personal information you use is in line with data protection law and complies with its key principles.

2.6 You must have a Data Protection Officer (DPO), if legally required (see 2.6 in Reference notes).

2.7 If you have 250 or more employees, you must keep specific records about your use of personal information. This includes records about any use of special category or criminal offence data (see Use personal information lawfully). There is a limited exemption for smaller organisations (see 2.7 in Reference notes).

2.8 You must do a DPIA if there is likely to be a high risk (see 2.8 in Reference notes). For example, this is more likely if you are using special category or criminal offence information or using intrusive methods such as covert surveillance (see Use personal information lawfully and Use personal information fairly).

2.9 However, you do not necessarily need to do a DPIA for individual stories. Your DPIA can generally cover the high-risk ways you may use personal information for journalism. For example, particularly intrusive techniques, such as surveillance or subterfuge, that you may use for investigative journalism (see Use personal information fairly).

What is a DPIA?

A DPIA is a form of risk assessment. The UK GDPR says that as a minimum it must describe:

  • how you plan to use personal information and why;
  • whether it is necessary and proportionate to use it; and
  • how you plan to manage the risks.

How do we comply?

Managing risk

2.10 The principle to demonstrate how you comply is very flexible, with few strict rules. It allows you to use your discretion about how best to comply with data protection law while also enabling journalism. 

2.11 What measures are appropriate and proportionate is based largely on risk. Generally, the greater the risk of harm to people, the more you should do to protect personal information. 

2.12 You should consider risks that can be significant, such as discrimination, financial loss, damage to reputation or loss of confidentiality. However, much of the day-to-day work of journalists will not be high risk.

2.13 When there is a high risk, you do not necessarily need to do a DPIA for individual stories. Your DPIA can generally cover the different ways you use personal information for journalism and types of information likely to pose higher risks, such as special category and criminal offence data (see Use personal information lawfully).

Implementing data protection measures

2.14 There is no one-size fits all approach. You should consider how best to implement data protection measures within your organisation, so they are effective whilst still enabling journalism.

2.15 You do not need to have standalone policies or processes that are dedicated to data protection. For example, data protection can form part of your existing editorial and legal processes.

2.16 Whatever approach you take, it should cover all the personal information you use and:

  • encourage good data protection practice;
  • be clear about who is responsible for complying;
  • give staff appropriate training; and
  • practice good records management.

Demonstrating how you comply

2.17 Based on the risk, you should be able to give a clear and practical explanation of the steps you take to comply and, where appropriate and proportionate, be able to show how you comply.

 

Reference notes

These reference notes support the Data protection and journalism code of practice (the code) but are not part of the statutory code itself.

 

2.1 The journalism exemption

Even if you apply the journalism exemption to one of the data protection principles, this only means that you are not required to comply with the principle in the circumstances of the particular case. You must still to be able to demonstrate in general how you comply with the principle.

When you use the journalism exemption, you must be able to demonstrate that you comply with the relevant criteria (see Apply the journalism exemption).

2.3 Wider context and harm

Wider context

Examples of the wider context include:

  • the size of your organisation;
  • its overall structure;
  • the resources available to you; and
  • your ways of working.

Harm

The harm to people’s rights and freedoms can vary in degree and type. In line with damages, as described in Article 82 of the UK GDPR, harms can include:

  • Physical harm (physical injury or other harms to physical health);
  • Material harm (harms that are more easily monetised such as financial harm) or
  • Non-material harm (less tangible harms, such as emotional or mental distress).

This means that harm can arise from actual damage or more intangible harms, including any significant economic or social disadvantage. Of course, harms may fall into more than one of these categories.

There may also be a harmful impact on wider society. For example, loss of public trust in journalism and the vital public interest role it serves in a democratic society.

2.4 Integrating data protection

Integrating data protection into your normal, day-to-day practices is sometimes called taking a “data protection by design and by default” approach.

This includes:

  • implementing the data protection principles effectively;
  • protecting individual rights; and
  • using only the personal information that you need.
2.5 Proportionate data protection policies

It is more likely to be proportionate to have data protection policies in environments where there is significant delegation from the top and where decisions are often made at pace, such as news environments.

What your policies cover and their level of detail will vary depending on what you think is proportionate.

For example, a policy (either standalone or part of another policy) could help people understand how to use the journalism exemption, which might include:

  • what the special purposes exemption does;
  • when to apply it;
  • how to apply it; and
  • the roles and responsibilities people have when using it.
2.6 Data Protection Officer

Under the UK GDPR, you must appoint a DPO if:

  • you are a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of people (for example, online behaviour tracking); or
  • your core activities consist of large scale use of special category or criminal offence data.

This applies to most large organisations. If you are not sure, you can use our interactive tool below to help you decide.

2.7 Limited exemptions for smaller organisations

Smaller organisations with fewer than 250 employees only need to record when they use personal information in ways that:

  • are not just occasional;
  • could result in a risk to people’s rights and freedoms; or
  • involve using special category or criminal offence data.
2.8 Data Protection Impact Assessments (DPIA)

You must always do a DPIA when you use personal information in ways specified by the UK GDPR which are deemed to be high risk. These are:

  • Systematic and extensive use of personal information using automated means with significant effects (eg profiling).
  • Large scale use of special category or criminal offence data.
  • Systematic monitoring of a publicly accessible area on a large scale.

You must also do a DPIA if the way you want to use personal information is on the list we have produced under Article 35(3) of the UK GDPR. There are also European guidelines with some criteria to help you identify other uses of personal information that are likely to result in a high risk (see further reading below)

As well as doing a DPIA when there is likely to be a high risk, you could also do a DPIA for any other major project involving personal information.

If you are not sure whether to do a DPIA, you can use our screening test in the Further reading below.

2.11 Assessing risk

Assessing the risk involves considering how likely it is that using personal information will cause harm and how severe any harm could be.

2.12 Significant risks

Examples of other significant risks include:

  • stopping people from accessing their rights or controlling their personal information;
  • using sensitive types of personal information known as special category data or criminal offence data;
  • physical harm;
  • using personal information of people who are more at risk of harm, especially children; or
  • using a large amount of personal information affecting a large number of people.
2.14 Approach to implementing data protection measures

Governance is often the name given to the framework of measures organisations use to comply with data protection and hold people to account appropriately.

There are lots of different ways of doing this but you could consider adapting our Accountability framework (see below). This indicates the main building blocks of an effective governance system or privacy management programme.

Smaller organisations are more likely to benefit from a smaller scale approach, using our dedicated resources below.

2.16 Training and awareness raising

Data protection training includes induction and refresher training, tailored appropriately to someone’s role.

For example, ways to raise awareness of data protection include:

  • creating quick-reference guides;
  • running internal campaigns; or
  • drawing attention to important information through your usual internal communication channels.
Key legal provisions
  • UK GDPR article 5, paragraph 2 – the accountability principle
  • UK GDPR article 24 – responsibility of the controller
  • UK GDPR article 25 – data protection by design and by default
  • UK GDPR article 28 – processor requirements
  • UK GDPR article 30 – records of processing activities
  • UK GDPR articles 35 and 36 – data protection impact assessment and prior consultation
  • UK GDPR articles 37, 38, 39 – data protection officers
Further reading

UK GDPR guidance and resources: Accountability and governance

ICO Accountability Framework

SME web hub – advice for all small organisations

Do I need a DPO? Interactive tool

Examples of processing ‘likely to result in a high risk’

DPIA template

DPIA screening checklist