A Subject Access Request (SAR) is one of the most common data protection requests employers receive. Employees frequently make these requests during workplace disputes, disciplinary procedures, grievances or employment tribunal claims. Understanding how to respond properly is essential. Organisations that fail to comply with UK data protection law may face significant fines, reprimands and enforcement … Continue reading How to respond to a Subject Access Request from an Employee
Category: Data Protection
Expert guidance on UK data protection law for employers. Clear, practical advice on GDPR compliance, privacy policies, and other documents.
What is a DPIA?; Where the DPIA rules come from (UK GDPR, DPA 2018, WP29/EDPB, ICO); When is a DPIA required? (Article 35); Examples of high-risk processing (WP29 & ICO); When a DPIA is not required; Who is responsible? (Controller, DPO, Processor, Data subjects); What a DPIA must include (Article 35(7)); When to consult the … Continue reading Do you legally need to conduct a Data Protection Impact Assessment (DPIA)?
Every UK business that collects or uses personal data needs a privacy policy under the UK GDPR and the Data Protection Act 2018. Personal data doesn't include commercial information, but if your customers are companies, the individuals behind those companies may still be providing you with personal data. This guide explains, in plain English, what … Continue reading What should be in your privacy policy?
Last updated: 13 August 2025. On this page: 1) What is data sharing? 2) The ICO’s 2021 Data Sharing Code of Practice 3) Professional guidance & voluntary industry codes 4) Key GDPR principles for sharing 5) Main risks for controllers in data sharing 6) Controller vs Processor (and why it matters) 7) Lawful bases for … Continue reading Sharing personal data with third parties? Here’s what you need to know
