Always required

• We understand what ‘personal data’ and ‘processing’ of personal data are.
• We understand the concepts of ‘data controller’ and ‘data processor’.
• We know what personal data we process.
• We only handle people’s data in ways they would reasonably expect.
• We only collect the personal data we actually need for our specified purposes.
• We have identified an appropriate lawful basis (or bases) for our processing.
• We are transparent about what we do and we include details of our purposes in our privacy information for individuals.
• We keep our personal data accurate.
• We delete personal data that is no longer required.
• We respond to an individual’s data protection request, such as requesting a copy of the personal data or stopping direct marketing.
• We keep our personal data secure and confidential.

Required depending on your organisation

• We have data processing agreements in place for all the data processors we use.
• We notify individuals when we take decisions that affect them based solely on automatic means, and we are ready to reconsider such decisions on a different basis.
• If we plan to use personal data for a new purpose, we check that it is compatible with our original purpose or we get specific consent for the new purpose.
• As best practice, we have a policy that specifies how long we keep each type of personal data we process.
• We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
• We are aware whether we need safeguards in place if we or our data processors transfer personal data abroad.