
Data Protection Day (28 January 2026) is an internationally recognised day and marks the anniversary of the opening to signature of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
For the last 40 years, Convention 108 has contributed to the development of privacy and data protection in Europe and worldwide.
It is a timely reminder of the responsibility organisations must have to protect personal information.
Businesses handle some of the most sensitive personal data, including payroll, medical information, performance records, and disciplinary matters. This means employers must be proactive in protecting data, understanding legal requirements, and promoting a privacy culture across the organisation.
Legal Requirements and Company Policy
Businesses are legally required to comply with UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA), and their policies should emphasise that any personal data held in any form must be treated with sensitivity and privacy. While the business needs to keep certain information about employees, customers, and suppliers for commercial and legal reasons, it must also ensure personal data is processed fairly, securely, and only when necessary.
Data Protection Day is therefore an opportunity for you to review your practices and ensure they align with the law and best practice.

Key Responsibilities
A key requirement of a robust and practical Data Protection Policy is that the Data Protection Co-ordinator must be consulted before any significant new data processing activity is initiated. This includes introducing new HR systems, automated decision-making (ADM) processes, Smart Data participation, or Digital Verification services. HR support and guidance should lead on this because new systems often involve collecting, storing, and sharing sensitive employee information.
The policy should specifically highlight ADM, stating that when fully automated processes make decisions that could have a legal or similarly significant effect on an individual, safeguards must be applied. Individuals should be informed when an automated decision is made about them, and they must have the right to request human intervention and challenge the decision. Organisations should ensure any automated recruitment screening, performance scoring, or predictive analytics tools are fair, transparent, and accountable.
Similarly, participation in government-approved Smart Data schemes or Digital Verification services must be voluntary unless required by law. Employees must receive clear information about the purpose and scope of data sharing, and appropriate technical safeguards must be in place, including secure APIs and authentication mechanisms.
Everyday Data Protection Matters
Beyond policy and legislation, Data Protection Day is a chance to reinforce practical data security habits. Businesses should ensure passwords are kept secure, computers are locked when unattended, and confidential documents are stored securely or disposed of safely. Policy and process should highlight the importance of a clear desk approach, secure disposal of paper waste, and encryption when personal data is taken offsite.
Employees must also be cautious when sharing personal information, particularly over the phone or via email. Identity checks should be carried out, and only limited information should be disclosed unless there is clear justification and permission.
Employee Rights and Data Retention
Businesses must also be prepared to respond to Subject Access Requests and requests for erasure. The policy should make it clear that individuals are entitled to know what personal data is held about them, why it is being held, and who it is shared with. The Data Protection Co-ordinator must assess any request for deletion in line with current ICO (Information Commissioner's Office) guidance and business needs.
Data should only be retained for as long as necessary. Businesses should review retention schedules regularly, delete data that is no longer required, and ensure secure disposal of both hard-copy and electronic records.
Data Protection Day 2026 is a valuable opportunity for organisations to demonstrate leadership in privacy and compliance. Protecting personal data is not only a legal obligation but a core part of the trust relationship between employer and employee. By reviewing systems, reinforcing training, and ensuring policies are followed, you can help build a culture of privacy that benefits the entire organisation.
At THSP we can assist and support businesses with Data Protection Policies, guidance and training to ensure your organisation remains compliant in a changing world.
