Data Protection Policy

Cambridge Enterprise Data Protection Policy

1. Purpose and scope

1.1 The purpose of this policy is to ensure compliance with the General Data Protection Regulation (‘GDPR’) and related EU and national legislation (‘data protection law’[1]). Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).

1.2 This policy applies to Cambridge Enterprise Ltd (‘CE’), as a single organisation (‘data controller’).

1.3 This policy applies to all staff except when acting in a private capacity. In this policy, the term ‘staff’ means anyone working in any context within CE at whatever level or grade and whether permanent, fixed term or temporary, including but not limited to employees, workers, trainees, interns, seconded staff, agency staff, agents, volunteers, and external members of committees.

1.4 This policy is not, and should not be confused with, a privacy notice[2] (a statement informing data subjects how their personal data is used by CE).

1.5 This policy should be read in conjunction with the obligations in the following documents, which supplement this policy where applicable:

1.5.1  staff employment contracts and comparable documents (e.g. worker agreements), which impose confidentiality obligations in respect of information held by CE;

1.5.2  information security policies, procedures and terms and conditions, which concern the confidentiality, integrity and availability of CE information, and which include rules about acceptable use, breach reporting, IT monitoring, and the use of personal mobile devices[3];

1.5.3  the University’s record management policies and guidance, which govern the appropriate retention and destruction of CE information[4];

1.5.4  any other contractual obligations on CE or individual staff which impose confidentiality or data management obligations in respect of information held by CE, which may at times exceed the obligations of this and/or other policies in specific ways; and

1.5.5  the Data Protection Policy of the University of Cambridge; as a wholly owned subsidiary of the University of Cambridge, CE staff will use specific services and facilities offered by the University.

2. Policy statement

2.1 CE is committed to complying with data protection law as part of everyday working practices.

2.2 All personal data collected and/or stored by CE is done so for the sole purposes of CE’s service provision or business (including its legitimate interests), and a data subject’s relationship with CE. CE ensures that it is transparent about its data processing activities and tells data subjects the reasons for processing their personal data, how it uses such data and the legal basis for processing, in its privacy notices. It will not process personal data of data subjects for other reasons. Where CE relies on its legitimate interests as the basis for processing data, it carries out an assessment to ensure that those interests are not overridden by the rights and freedoms of individual data subjects.

2.3 Where CE processes special categories of personal data[5] to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.

2.4 Complying with data protection law may be summarised as but is not limited to:

2.4.1  understanding, and applying as necessary, the principles relating to processing of personal data as set out in the GDPR when processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security, integrity and confidentiality;

2.4.2  understanding, and fulfilling as necessary, the rights given to data subjects under data protection law: to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making);

2.4.3  understanding, and implementing as necessary, CE’s accountability obligations under data protection law, including implementing appropriate data protection policies such as this data protection policy;

2.4.4  implementing data protection by design and default in projects, procurement and systems;

2.4.5  using appropriate contracts with third party data controllers and data processors;

2.4.6  holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data;

2.4.7  reporting certain personal data breaches to the Information Commissioner’s Office;

2.4.8  conducting Data Protection Impact Assessments where required; and

2.4.9  ensuring adequate levels of protection when transferring personal data outside the European Economic Area (‘EEA’).

3. Roles and responsibilities

3.1 CE has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:

3.1.1  complying with data protection law and holding records demonstrating this;

3.1.2  cooperating with the Information Commissioner’s Office (‘ICO’) as the UK regulator of data protection law; and

3.1.3  responding to regulatory/court action and paying administrative levies and fines issued by the ICO.

3.2 The CE Senior Management Team is responsible for:

3.2.1  reviewing (at least once every year until 25 May 2020 and once every five years thereafter) and approving this policy;

3.2.2  assessing the overall risk profile and ensuring appropriate resources and processes are in place and implemented to enable compliance with data protection law.

3.3 The Deputy Director, as the named person within CE with responsibility for data protection compliance, is responsible for:

3.3.1  monitoring and auditing CE’s compliance with data protection law, especially its overall risk profile, and reporting when necessary to the Senior Management Team;

3.3.2  advising on all aspects of CE’s compliance with data protection law (including its use of Data Protection Impact Assessments), seeking advice from the University Information Compliance Office where necessary;

3.3.3  acting as CE’s standard point of contact with the ICO with regard to data protection law, including in the case of personal data breaches;

3.3.4  acting as an available point of contact for any complaints from data subjects;

3.3.5  handling data subject rights requests;

3.3.6  publishing and maintaining core privacy notices and other CE data protection documents;

3.3.7  managing and/or handling Data Protection Impact Assessments;

3.3.8  ensuring all CE staff are aware of this policy as necessary;

3.3.9  ensuring that appropriate processes and training are implemented to enable compliance with data protection law; and

3.3.10  ensuring that appropriate processes are implemented to enable information assets containing personal data within CE to be included in the University’s Information Asset Register where appropriate.

3.4 Individual staff, in order to enable CE to comply with data protection law, are responsible for:

3.4.1  completing relevant data protection training;

3.4.2  following relevant advice, guidance and tools/methods provided to staff, regardless of whether access to and processing of personal data is through CE-owned and managed systems, University-owned and managed systems, or through their own or a third party’s systems and devices;

3.4.3  when processing personal data on behalf of CE, only using it as necessary for their contractual duties and/or other CE roles and not disclosing it unnecessarily or inappropriately;

3.4.4  recognising, reporting internally, and cooperating with any remedial work arising from personal data breaches, including following the procedure set out in the Personal Data Breach Policy;

3.4.5  recognising, reporting internally, and cooperating with the fulfilment of data subject rights requests, including following the procedure set out in the Subject Access Request Policy;

3.4.6  ensuring compliance with CE’s Data Retention policy, deleting and removing data in accordance with the policy; and

3.4.7  on leaving CE ensuring that all data housekeeping requirements are fulfilled, only deleting, copying or removing personal data as agreed with their Head of Team and as appropriate.

3.5 Non-observance of the responsibilities in paragraph 3.4 may result in disciplinary action.

3.6 The roles and responsibilities in paragraphs 3.1 to 3.5 do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law.[6]

4. Personal Data Breach

4.1 The GDPR requires data controllers like CE to notify any personal data breach to the applicable regulator and, in certain instances, the data subject.

4.2 We have put in place procedures to deal with any suspected breach of personal data and will notify data subjects or any applicable regulator where we are legally required to do so.

4.3 If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Following the Personal Data Breach Policy, immediately contact the Deputy Director designated as the key point of contact for personal data breaches (as set out at paragraph 3 of this data protection policy). You should preserve all evidence relating to the potential personal data breach.

5. Data subject’s rights and requests

5.1 Data subjects have rights when it comes to how we handle their personal data. These include rights to:

a) withdraw consent to processing at any time (provided that consent is the lawful basis on which processing is being carried out);

b) receive certain information about the data controller’s processing activities;

c) request access to their personal data that we hold;

d) prevent our use of their personal data for direct marketing purposes;

e) ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;

f) restrict processing in specific circumstances;

g) challenge processing which has been justified on the basis of our legitimate interests or in the public interest;

h) request a copy of an agreement under which personal data is transferred outside of the EEA;

i) object to decisions based solely on automated processing, including profiling;

j) prevent processing that is likely to cause damage or distress to the data subject or anyone else;

k) be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;

l) make a complaint to the supervisory authority;

m) in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.

You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing personal data without proper authorisation).

5.2 All employees must immediately forward any Data Subject request received to the Deputy Director designated as the key point of contact for data subject access requests (as set out at paragraph 3 of this data protection policy) and comply with the company’s Data Subject Access Request Policy.

6. Sharing personal data

6.1 Generally we do not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.

6.2 You should only share the personal data we hold with third parties, such as our service providers, if:

6.2.1  they have a need to know the information for the purposes of providing the contracted services;

6.2.2  sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s valid consent has been obtained;

6.2.3  the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;

6.2.4  the transfer complies with any applicable cross-border transfer restrictions; and

6.2.5  a fully executed written contract that contains GDPR-approved third party clauses has been obtained.

7. Contact

Contact details for data protection purposes are published on our website [7].


Appendix One

Data Protection – Definitions

‘Personal data’ is any information that relates to a living individual who can be identified from that information, in particular by reference to:

  • an identifier such as a name, an identification number, location data or an online identifier (such as an IP address); or
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

‘Special categories of personal data’ means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data. GDPR specifies that special categories of personal data should be treated with particular care due to its sensitive nature.

‘Processing personal data’ refers to any operations performed on personal data (whether those operations are automated or not). Common types of personal data processing include (but are not limited to) collecting, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing, disseminating and destroying data.

‘Data Subject’ refers to a person who lives in the EU, whom GDPR defines as an ‘identified or identifiable natural person’.

‘Data Controller’ is a company/organisation that collects people’s personal data and makes decisions about what to do with it. Data Controllers must comply with applicable data privacy legislation.

[1] See http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

[2] For which see https://www.enterprise.cam.ac.uk/about-us/information-compliance/data-protection/core-privacy-notices/.

[3] See https://help.uis.cam.ac.uk/about-us/governance and related webpages as CE is a service user of the University Information Services.

[4] See https://www.information-compliance.admin.cam.ac.uk/records-management and contact enquiries@enterprise.cam.ac.uk to request a copy of the CE Retention Guidelines.

[5] See Appendix One for the definition.

[6] These criminal offences include: unlawfully obtaining, disclosing or retaining personal data; recklessly re-identifying de-identified personal data without the data controller’s consent; deliberately altering or deleting personal data to prevent disclosure in accordance with data subject access rights; forcing a data subject to exercise their access rights; and knowingly giving false statements to the ICO.

[7] See https://www.enterprise.cam.ac.uk/about-us/information-compliance/.