Here are some of the questions we see most often, regarding topics such as data protection roles, subject access requests (SARs), and privacy obligations. If you need any further guidance, you can always contact us for help.
A Record of Processing Activities (ROPA) documents how your organisation collects, uses, stores and shares personal data. It is a key accountability requirement under UK GDPR, and is introduced by Article 30.
There are slightly different requirements for ‘controllers’ and ‘processors’, however, regardless of your role, the ROPA should be a ‘living’ document – it requires routine maintenance to ensure it is up to date.
A well maintained ROPA offers many benefits beyond compliance, and can support general data management, individual rights request, retention and destruction policies etc.
Most organisations processing personal data should maintain a ROPA. It provides evidence of compliance and supports broader governance activities such as DPIAs, audits and regulatory inspections.
The UK GDPR specifically says:
The obligations shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
A Data Protection Impact Assessment (DPIA), is essentially a risk assessment. They are mandatory in some circumstances, under Article 35 of the UK GDPR.
When processing is likely to result in a high risk to your data subjects then, prior to the processing, you should complete a DPIA.
Broadly speaking, unless you carry out a DPIA, you are unaware of the risks – so it is good practice to complete a DPIA for any new processing activities, specifically those using new technology/softwares/systems.
We will talk to individuals within your organisation to determine what the knowledge level is like as well as examining key documents. Information will be collated and an Audit Report will be prepared that outlines where compliance is being met, where it is not, and what actions can be taken to improve the compliance position.
If you’re interested in understanding your data protection compliance, DPAS can conduct an audit for you.
A Data Protection Officer (DPO) is responsible for monitoring compliance, advising on data protection obligations and acting as a point of contact with regulators and individuals.
Some organisations are mandated by law to appoint a Data Protection Officer, for example – public authorities or bodies, except for courts acting in their judicial capacity.
Additionally, if your core activities consist of processing which require regular and systematic monitoring of data subjects on a large scale, or the core activity consist of processing large quantities of special category or criminal offence data, then you must appoint a DPO.
Other organisations with complex processing, large amounts of data, and especially those operating in multi-national jurisdictions can choose to appoint a Data Protection Officer.
You should have in place a comprehensive suite of policies, as this is what individuals will refer to should they need information. This can include (but is not limited to) a:
Yes. Many organisations appoint an outsourced DPO to access specialist expertise while maintaining independence and avoiding the cost of a full-time appointment. The DPO, by law, should report to the highest level of management, so outsourcing can often be more cost-effective than employing a full-time senior member of staff.
You can read more about our DPO services here.
An international transfer occurs when personal data is transferred outside the UK. Organisations must ensure appropriate safeguards are in place before making such transfers. In the UK, any country outside of the UK is referred to as a ‘third country’ and this means that the transfer of personal data is restricted.
There are several transfer mechanisms that you can rely on, the most common are;
There are further options available, such as Binding Corporate Rules, but most commonly organisations rely on adequacy or a IDTA.
A Transfer Risk Assessment helps organisations evaluate whether personal data transferred internationally will receive adequate protection in the destination country, a TRA is necessary when transferring data by any mechanism aside from adequacy.
The DSPT is a mandatory annual assessment for many organisations that access NHS systems, process NHS patient information or provide services into the health and care sector.
If your organisation accesses NHS systems, handles NHS patient information or works within the NHS supply chain, DSPT compliance may be required.
There are a number of steps you should take immediately once you experience a data breach:
No. Only breaches that are likely to result in a risk to individuals’ rights and freedoms generally require notification. However, all breaches should be recorded internally.
No. Only breaches that result in a high risk to individuals’ rights and freedoms require notification to individuals. However, all breaches should be recorded internally and you will need to assess carefully in each instance whether this threshold has been met.
Breaches should be assessed on a case-by-case basis, and there is no one size fits all rule. To assess whether a breach is notifiable, you should consider:
A Subject Access Request (SAR) is a request made by an individual (‘data subject’) to access the personal data your organisation holds about them. Under UK GDPR, individuals have the right to obtain a copy of their personal data and information about how it is processed. This comes under Article 15 of the UK GDPR.
There are slightly different requirements for ‘controllers’ and ‘processors’, however, regardless of your role, the ROPA should be a ‘living’ document – it requires routine maintenance to ensure it is up to date.
A well maintained ROPA offers many benefits beyond compliance, and can support general data management, individual rights request, retention and destruction policies etc.
When a Subject Access Request is received, organisations should:
A structured SAR process helps organisations meet regulatory requirements and avoid unnecessary delays.
Organisations generally have one calendar month to respond to a Subject Access Request. In some circumstances, this can be extended by up to two additional months if the request is particularly complex. If the request is deemed complex you must inform the requestor that you will be applying an extension and provide the new deadline.
Complexity is determined by a variety of factors, the ICO quotes that the following can be considered:
A request is not deemed as being complex just because it involves a large amount of information. If you have particularly large amounts of data, you may wish to review retention periods, and destruction policies.
If you decide a request is complex you should always keep a record of your decision and the reasoning behind it.
Yes. If there is reasonable doubt about the identity of the requester, organisations may request additional information to verify identity before releasing personal data. This doesn’t always need to be a copy of ID, you may be able to satisfy yourself that the requestor is who they say they are by other means.
A Subject Access Request (SAR) entitles the individual to a copy of their own personal data – this means the data you collate will often include information that should not be released, and therefore would be redacted from the documentation. Common examples include:
There are lots more exemptions available, however, they apply in specific situations, and you should document your decision to rely on them carefully.
In most circumstances, no. A fee can only be charged where a request is manifestly unfounded, excessive, or where additional copies of information are requested.
You should perform a ‘reasonable and proportionate’ search. Generally speaking you should search all the systems/softwares/databases where the data is accessible. Most modern software have search functionality built in, like email providers, HR systems, shared drives etc.
Yes. Employees have the same rights as any other individual under UK GDPR and can request access to personal data held about them whether they are currently employed, or even an ex employee.
Yes. Emails containing personal data about the requester may fall within the scope of a SAR and should be considered during searches. You often will not know whether the information contained within emails is personal data until it is collated and reviewed.
Potentially, yes. As with emails, if this information is processed by the organisation, and potentially includes personal data relating to the requestor, then these instant messages would need to be included in your search.
Failure to respond within statutory timescales may result in complaints to the Information Commissioner’s Office (ICO) and potential regulatory scrutiny.
Yes. CCTV footage containing identifiable individuals may be in scope of a Subject Access Request, provided the requester can be identified from the footage.
Potentially, yes. However, organisations should assess data protection risks before entering personal, confidential, or sensitive information into AI tools. You should bear in mind that enterprise-grade platforms can provide much stricter environments than general public tools, which can have your data returned to the AI tool creators or wider audiences.
Yes. While AI systems are not regulated by the UK GDPR, if an AI system handles, reads, or processes personal data at any time, UK GDPR requirements apply. This includes lawful basis, transparency, accountability, and security obligations.
Yes. If the tool makes solely automated decisions with legal or significant effects, the GDPR requires you to provide meaningful information about the logic and consequences to ensure individuals can understand their rights. Remember that even when humans are meaningfully involved, the core principles of fairness and transparency still apply where personal data is processed.
In many cases, yes. The ICO identifies AI and automated processing as areas that may present higher risks to individuals and therefore require a DPIA. It is good practice to carry out a DPIA for new systems, or uses of personal data, so you are aware of the potential risks – that way you can ensure you have measures in place to protect your data subjects.
This depends on the organisation’s risk assessment, policies, system choice and even contractual arrangements. Personal data should not be entered into AI systems without understanding how the information will be processed by the system or software itself. We would always advise against using personal data in AI technology that you have not completed a DPIA for. Many enterprise-grade systems will provide contractual assurance that your data will not be used for other purposes such as training, whereas public systems may not.
Data protection risks are often quantified by the potential harm to data subjects, whilst you may also have some commercial risks, it is important to consider how your processing will impact the individuals whose data may be used.
Common risks include:
The inner workings of many AI technologies are obscured (sometimes deliberately for intellectual property reasons, sometimes due to the learning systems being so complex). This means that there can be a lack of understanding on how the AI actually works, even from developers. If you can’t understand how the AI functions, you won’t accurately be able to explain to data subjects how their personal data is being processed, which can in turn lead to issues with upholding transparency.
AI hallucinations occur when a Large Language Model (LLM) (usually a generative AI chatbot) creates outputs that are incorrect or misleading. This is usually due to factors such as training data bias/inaccuracy and model complexity. When thinking about hallucinations from a data protection perspective, it is important that the risk of hallucinations has been considered for any processing of personal data.
Potentially. Many AI providers process information outside the UK, meaning organisations may need to assess international transfer requirements and safeguards, this is most prevalent when the country that the information is processed in is outside of the UK or EU.
AI technology should be treated the same as ‘usual’ systems and software.
Good practice includes:
Individuals have rights relating to solely automated decisions that produce legal or similarly significant effects. Organisations should understand these requirements before implementing AI-driven decision making. Ultimately, data subjects have the right to meaningful human intervention (i.e., have the decision reviewed by a human with the authority to make decisions) – you should consider this when implementing AI technology.
AI should be deployed within an appropriate governance framework that addresses data protection obligations, including; technical and organisational security measures, transparency, individual rights, and accountability.
If you need any support with your data protection obligations, get in touch with our expert team.
Either email us at info@dataprivacyadvisory.com, call us on 0203 3013384, or click below to fill in a contact form.
