
compliance checklist

In order to ensure that they are complying with the data protection principles, employers may wish to consider taking the following steps:
  • Investigate what personal information is currently held, for what purposes and by whom.
  • Review the way in which information is currently processed to assess whether it complies with the data protection principles.
  • Appoint someone to be the company's representative for the purposes of data protection.
  • If necessary, notify the Information Commissioner (notification).
  • Establish a policy and procedure or guidelines for handling personal information.
  • Consider whether consent is needed in order to process any personal information that the company holds, and if it is, how consent should be obtained.
  • Identify and mark sensitive information.
  • Ensure that the company has adequate arrangements to keep personal information secure (safeguarding information).
  • Ensure that a system is in place to dispose of outdated, inaccurate and irrelevant information (obsolete information).
  • Train all staff who process information on the requirements of the Data Protection Act.
  • Consider whether any information is sent outside the EEA, and if it is, whether consent is required to do so (information outside the EEA).
  • Consider putting in place a procedure for dealing with subject access requests (subject access rights).
The EEF Employment Guide is intended to provide general guidance only. It does not purport to be comprehensive or to give legal advice. Users should always seek specific legal advice before taking or refraining from any action. Information and documents on this website are prepared in accordance with the laws of England, Wales and Scotland. Users accessing from Northern Ireland should be aware that different laws and interpretations may be applicable to Northern Ireland.