DATA PROTECTION FAQS

Looking for advice?

Here are some of the questions we see most often, regarding topics such as data protection roles, subject access requests (SARs), and privacy obligations. If you need any further guidance, you can always contact us for help.

DATA PROTECTION COMPLIANCE FAQs

A Record of Processing Activities (ROPA) documents how your organisation collects, uses, stores and shares personal data. It is a key accountability requirement under UK GDPR, and is introduced by Article 30. 

There are slightly different requirements for ‘controllers’ and ‘processors’, however, regardless of your role, the ROPA should be a ‘living’ document – it requires routine maintenance to ensure it is up to date. 

A well maintained ROPA offers many benefits beyond compliance, and can support general data management, individual rights request, retention and destruction policies etc.

Most organisations processing personal data should maintain a ROPA. It provides evidence of compliance and supports broader governance activities such as DPIAs, audits and regulatory inspections.

The UK GDPR specifically says: 

The obligations shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

A Data Protection Impact Assessment (DPIA), is essentially a risk assessment. They are mandatory in some circumstances, under Article 35 of the UK GDPR.

When processing is likely to result in a high risk to your data subjects then, prior to the processing, you should complete a DPIA. 

Broadly speaking, unless you carry out a DPIA, you are unaware of the risks – so it is good practice to complete a DPIA for any new processing activities, specifically those using new technology/softwares/systems.

We will talk to individuals within your organisation to determine what the knowledge level is like as well as examining key documents. Information will be collated and an Audit Report will be prepared that outlines where compliance is being met, where it is not, and what actions can be taken to improve the compliance position. 

If you’re interested in understanding your data protection compliance, DPAS can conduct an audit for you.

A Data Protection Officer (DPO) is responsible for monitoring compliance, advising on data protection obligations and acting as a point of contact with regulators and individuals.

Some organisations are mandated by law to appoint a Data Protection Officer, for example – public authorities or bodies, except for courts acting in their judicial capacity. 

Additionally, if your core activities consist of processing which require regular and systematic monitoring of data subjects on a large scale, or the core activity consist of processing large quantities of special category or criminal offence data, then you must appoint a DPO.

Other organisations with complex processing, large amounts of data, and especially those operating in multi-national jurisdictions can choose to appoint a Data Protection Officer.

You should have in place a comprehensive suite of policies, as this is what individuals will refer to should they need information. This can include (but is not limited to) a:

  • Data Protection Policy
  • Data Breach Policy
  • Individual Rights Policy
  • Subject Access Request Policy
  • Acceptable Use Policy
  • Bring Your Own Device/Working From Home Policy
  • DPIA Policy and Procedure
  • Information Security Policy
  • Records Management Policy 
  • Retention Policy

Yes. Many organisations appoint an outsourced DPO to access specialist expertise while maintaining independence and avoiding the cost of a full-time appointment. The DPO, by law, should report to the highest level of management, so outsourcing can often be more cost-effective than employing a full-time senior member of staff.

You can read more about our DPO services here.

An international transfer occurs when personal data is transferred outside the UK. Organisations must ensure appropriate safeguards are in place before making such transfers. In the UK, any country outside of the UK is referred to as a ‘third country’ and this means that the transfer of personal data is restricted. 

There are several transfer mechanisms that you can rely on, the most common are;

  • Adequacy – these are countries that have been deemed as having adequate regimes in place, if you are transferring to an adequate country you do not need to take any additional steps. 
  • International Data Transfer Agreements (IDTA) – this is the UK specific templated contract that supports transferring data to a third country (non-adequate). You must also complete a ‘Transfer Risk Assessment (TRA)’.

There are further options available, such as Binding Corporate Rules, but most commonly organisations rely on adequacy or a IDTA.

A Transfer Risk Assessment helps organisations evaluate whether personal data transferred internationally will receive adequate protection in the destination country, a TRA is necessary when transferring data by any mechanism aside from adequacy.

The DSPT is a mandatory annual assessment for many organisations that access NHS systems, process NHS patient information or provide services into the health and care sector.

If your organisation accesses NHS systems, handles NHS patient information or works within the NHS supply chain, DSPT compliance may be required.

There are a number of steps you should take immediately once you experience a data breach:

  • Implement measures to mitigate the effects of the breach where possible.
  • Conduct an investigation to establish the cause of the breach, the data subjects and data affected. 
  • Assess whether the breach is notifiable to the ICO and data subjects.
  • Introduce measures, where applicable, to prevent a breach of the same nature occurring in the future.

No. Only breaches that are likely to result in a risk to individuals’ rights and freedoms generally require notification. However, all breaches should be recorded internally.

No. Only breaches that result in a high risk to individuals’ rights and freedoms require notification to individuals. However, all breaches should be recorded internally and you will need to assess carefully in each instance whether this threshold has been met.

Breaches should be assessed on a case-by-case basis, and there is no one size fits all rule. To assess whether a breach is notifiable, you should consider:

  • The personal data that is subject to the data breach – is there any data that is generally considered ‘high risk’? Think about things such as health data, religious beliefs, data relating to sex life, financial data such as card details, National Insurance Numbers, and passport copies. 
  • The individuals affected – are there any children or vulnerable persons?
  • What harm could this cause individuals?

SUBJECT ACCESS REQUEST FAQs

A Subject Access Request (SAR) is a request made by an individual (‘data subject’) to access the personal data your organisation holds about them. Under UK GDPR, individuals have the right to obtain a copy of their personal data and information about how it is processed. This comes under Article 15 of the UK GDPR.

There are slightly different requirements for ‘controllers’ and ‘processors’, however, regardless of your role, the ROPA should be a ‘living’ document – it requires routine maintenance to ensure it is up to date. 

A well maintained ROPA offers many benefits beyond compliance, and can support general data management, individual rights request, retention and destruction policies etc.

When a Subject Access Request is received, organisations should:

  • Acknowledge the request – always respond to confirm receipt.
  • Record the request on an internal log.
  • Verify the requester’s identity where appropriate – this may mean you need to ask for ID.
  • Clarify – you may need to clarify exactly what the data subject is asking for, but this isn’t always essential. 
  • Identify relevant information held across systems – you must perform a reasonable and proportionate search.
  • Review the data – you must review the data to ensure you are only releasing the data relevant to the requestor, this means you should redact other people’s personal data, and sometimes can apply ‘exemptions’ – these apply in specific circumstances.
  • Respond within one calendar month – the statutory deadline is ‘one calendar month’, you can extend this by two further months if the request is ‘complex’.

A structured SAR process helps organisations meet regulatory requirements and avoid unnecessary delays.

Organisations generally have one calendar month to respond to a Subject Access Request. In some circumstances, this can be extended by up to two additional months if the request is particularly complex. If the request is deemed complex you must inform the requestor that you will be applying an extension and provide the new deadline.

Complexity is determined by a variety of factors, the ICO quotes that the following can be considered: 

  • Technical difficulties in retrieving the information – for example if the data is electronically archived. 
  • The request includes large volumes of particularly sensitive information.
  • There are potential issues around disclosing information about a child to a legal guardian. 
  • If you have to perform any specialist work in redacting information or communicating in an accessible way.

 

A request is not deemed as being complex just because it involves a large amount of information. If you have particularly large amounts of data, you may wish to review retention periods, and destruction policies. 

 

If you decide a request is complex you should always keep a record of your decision and the reasoning behind it.

Yes. If there is reasonable doubt about the identity of the requester, organisations may request additional information to verify identity before releasing personal data. This doesn’t always need to be a copy of ID, you may be able to satisfy yourself that the requestor is who they say they are by other means.

A Subject Access Request (SAR) entitles the individual to a copy of their own personal data – this means the data you collate will often include information that should not be released, and therefore would be redacted from the documentation. Common examples include:

  • Third-party personal data (personal data that relates to somebody else)
  • Legally privileged information (this is an exemption that applies specifically where a legal professional provides legal advice)

There are lots more exemptions available, however, they apply in specific situations, and you should document your decision to rely on them carefully.

In most circumstances, no. A fee can only be charged where a request is manifestly unfounded, excessive, or where additional copies of information are requested.

You should perform a ‘reasonable and proportionate’ search. Generally speaking you should search all the systems/softwares/databases where the data is accessible. Most modern software have search functionality built in, like email providers, HR systems, shared drives etc.

Yes. Employees have the same rights as any other individual under UK GDPR and can request access to personal data held about them whether they are currently employed, or even an ex employee.

Yes. Emails containing personal data about the requester may fall within the scope of a SAR and should be considered during searches. You often will not know whether the information contained within emails is personal data until it is collated and reviewed. 

Potentially, yes. As with emails, if this information is processed by the organisation, and potentially includes personal data relating to the requestor, then these instant messages would need to be included in your search.

Failure to respond within statutory timescales may result in complaints to the Information Commissioner’s Office (ICO) and potential regulatory scrutiny.

Yes. CCTV footage containing identifiable individuals may be in scope of a Subject Access Request, provided the requester can be identified from the footage.

AI AND DATA PROTECTION FAQs

Potentially, yes. However, organisations should assess data protection risks before entering personal, confidential, or sensitive information into AI tools. You should bear in mind that enterprise-grade platforms can provide much stricter environments than general public tools, which can have your data returned to the AI tool creators or wider audiences.

Yes. While AI systems are not regulated by the UK GDPR, if an AI system handles, reads, or processes personal data at any time, UK GDPR requirements apply. This includes lawful basis, transparency, accountability, and security obligations.

Yes. If the tool makes solely automated decisions with legal or significant effects, the GDPR requires you to provide meaningful information about the logic and consequences to ensure individuals can understand their rights. Remember that even when humans are meaningfully involved, the core principles of fairness and transparency still apply where personal data is processed.

In many cases, yes. The ICO identifies AI and automated processing as areas that may present higher risks to individuals and therefore require a DPIA. It is good practice to carry out a DPIA for new systems, or uses of personal data, so you are aware of the potential risks – that way you can ensure you have measures in place to protect your data subjects.

This depends on the organisation’s risk assessment, policies, system choice and even contractual arrangements. Personal data should not be entered into AI systems without understanding how the information will be processed by the system or software itself. We would always advise against using personal data in AI technology that you have not completed a DPIA for. Many enterprise-grade systems will provide contractual assurance that your data will not be used for other purposes such as training, whereas public systems may not.

Data protection risks are often quantified by the potential harm to data subjects, whilst you may also have some commercial risks, it is important to consider how your processing will impact the individuals whose data may be used. 

Common risks include:

  • Unauthorised disclosure of personal data.
  • Excessive data collection.
  • Lack of transparency (the ‘black box’ problem)
  • Inability to fulfil Individual rights requests
  • Inaccurate outputs (hallucinations).
  • Automated decision-making concerns, including bias. 
  • International data transfers, it is important to understand where AI technology is hosted.

The inner workings of many AI technologies are obscured (sometimes deliberately for intellectual property reasons, sometimes due to the learning systems being so complex). This means that there can be a lack of understanding on how the AI actually works, even from developers. If you can’t understand how the AI functions, you won’t accurately be able to explain to data subjects how their personal data is being processed, which can in turn lead to issues with upholding transparency.

AI hallucinations occur when a Large Language Model (LLM) (usually a generative AI chatbot) creates outputs that are incorrect or misleading. This is usually due to factors such as training data bias/inaccuracy and model complexity. When thinking about hallucinations from a data protection perspective, it is important that the risk of hallucinations has been considered for any processing of personal data.

Potentially. Many AI providers process information outside the UK, meaning organisations may need to assess international transfer requirements and safeguards, this is most prevalent when the country that the information is processed in is outside of the UK or EU. 

AI technology should be treated the same as ‘usual’ systems and software. 

Good practice includes:

  • AI governance policies that highlight what is and isn’t allowed, and put guardrails in place to ensure the sensible use of AI technology.
  • DPIAs, this is key to understanding the potential risks, and therefore being able to mitigate them. 
  • Staff training, make sure your team understands the basics of how the technology works, this also means they are more likely to notice any errors, and act appropriately.
  • Supplier due diligence, ensure you treat AI technology just as you would onboarding and other suppliers, ensure you follow appropriate steps to ensure the information security, and supply chain risks. 
  • Security reviews, continual monitoring is important, not just checking when you implement the technology. Many softwares and systems evolve over time, new features are activated, and additional options may become available, ensuring you have a monitoring process means you won’t miss any of these changes.
  • Clear acceptable use guidance, be clear to your workforce what is expected, consider publishing a list of technology that is permitted, and a list identifying those that are black listed, this sets clear guidelines and supports the team in decision making.

Individuals have rights relating to solely automated decisions that produce legal or similarly significant effects. Organisations should understand these requirements before implementing AI-driven decision making. Ultimately, data subjects have the right to meaningful human intervention (i.e., have the decision reviewed by a human with the authority to make decisions) – you should consider this when implementing AI technology.

AI should be deployed within an appropriate governance framework that addresses data protection obligations, including; technical and organisational security measures, transparency, individual rights, and accountability.

If you need any support with your data protection obligations, get in touch with our expert team.

Either email us at info@dataprivacyadvisory.com, call us on 0203 3013384, or click below to fill in a contact form.