There are very few instances where data protection law says “you must do this”. Instead it uses language such as “appropriate”, meaning it is for businesses to decide what this means for them.

We understand that this can be frustrating but there is reason that the law is structured this way.


There is no “one size fits all”

Every business is different. This means that the data protection landscape of each business will also be different. For example:

  • the types of personal data it uses
  • how it uses that data
  • how much data it holds
  • who it passes it to.

This means that it is very difficult to set out a one-size-fits-all approach to data protection which adequately protects personal data without going overboard.


Risk based approach

Data protection law exists to protect individuals from the risks posed by the use of their personal data by businesses. So an underlying theme of data protection law is risk.

Indeed, the actions following a data breach depend on the risk to the individual – see “Data breaches aren’t to be feared?!” for more information.

A key principle of data protection law is accountability – which means being able to demonstrate and justify your decisions. We would suggest that if a risk assessment forms a central part of your data protection programme then this should help to satisfy this requirement.

The starting point for developing a data protection programme for your business is to carry out a data mapping exercise, as this will help you understand the landscape of your business. See “Bloody Data Protection! Where do I start?”


You can then use the information gathered from that exercise to carry out a data protection risk assessment. For example:

  • “special category data” or sensitive personal data requires a higher level of protection due to the increased risk to individuals (this includes data such as health, race, and religious or political beliefs)
  • your data mapping exercise should give you a clear picture of whether and how you process sensitive personal data
  • sensitive personal data should attract a higher risk score in your risk assessment than other types of personal data and may require a higher standard of technical and organisational measures.


This means that you will then be able to:

  • create a data protection programme which is appropriate and proportionate to your business and the personal data it processes
  • prioritise key risk areas
  • justify your approach.

We have strategic and operational DPO experience of delivering programmes so get in touch if you need help creating and/or implementing a data protection programme within your business. Contact Alison on or call 01202 729444.