This Data Protection Policy was approved by the Cambridge Enterprise Senior Management Team on 16 May 2018 and last reviewed on 21 May 2020.

Cambridge Enterprise Data Protection Policy

1. Purpose and Scope

1.1 The purpose of this policy is to ensure compliance with the General Data Protection Regulation (‘GDPR’) and related EU and national legislation (‘data protection law’[1]). Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).

1.2 This policy applies to Cambridge Enterprise Ltd (‘Cambridge Enterprise’), as a single organisation (‘data controller’).

1.3 This policy applies to all staff except when acting in a private capacity. In this policy, the term ‘staff’ means anyone working in any context within Cambridge Enterprise at whatever level or grade and whether permanent, fixed term or temporary, including but not limited to employees, workers, trainees, interns, seconded staff, agency staff, agents, volunteers, and external members of committees.

1.4 This policy is not, and should not be confused with, a privacy notice[2] (a statement informing data subjects how their personal data is used by Cambridge Enterprise).

1.5 This policy should be read in conjunction with the obligations in the following documents, which supplement this policy where applicable:

1.5.1  staff employment contracts and comparable documents (e.g. worker agreements), which impose confidentiality obligations in respect of information held by Cambridge Enterprise;

1.5.2  information security policies, procedures and terms and conditions, which concern the confidentiality, integrity and availability of Cambridge Enterprise information, and which include rules about acceptable use, breach reporting, IT monitoring, and the use of personal mobile devices[3];

1.5.3  the University’s record management policies and guidance, which govern the appropriate retention and destruction of Cambridge Enterprise information [4];

1.5.4  any other contractual obligations on Cambridge Enterprise or individual staff which impose confidentiality or data management obligations in respect of information held by Cambridge Enterprise, which may at times exceed the obligations of this and/or other policies in specific ways.

1.5.5  the Data Protection Policy of the University of Cambridge; as a wholly owned subsidiary of the University of Cambridge, Cambridge Enterprise staff will use specific services and facilities offered by the University.

[1] See

[2] For which see

[3] Contact us to request a copy of these policies. See also and related web pages as Cambridge Enterprise is a service user of the University Information Services.

[4] See Records Management; see also or contact us to request a copy of the Cambridge Enterprise Retention Guidelines.


2. Policy Statement

2.1 Cambridge Enterprise is committed to complying with data protection law as part of everyday working practices.

2.2 Cambridge Enterprise collects and/or stores personal data solely for the purposes of Cambridge Enterprise’s service provision or business (including its legitimate interests), and a data subject’s relationship with Cambridge Enterprise. Cambridge Enterprise ensures that it is transparent about its data processing activities and tells data subjects the reasons for processing their personal data, how it uses such data and the legal basis for processing, in its privacy notices. It will not process personal data of data subjects for other reasons. Where Cambridge Enterprise relies on its legitimate interests as the basis for processing data, it carries out an assessment to ensure that those interests are not overridden by the rights and freedoms of individual data subjects.

2.3 Where Cambridge Enterprise processes special categories of personal data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.

2.4 Complying with data protection law may be summarised as but is not limited to:

2.4.1  understanding, and applying as necessary, the principles relating to processing of personal data as set out in the GDPR when processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security, integrity and confidentiality;

2.4.2  understanding, and fulfilling as necessary, the rights given to data subjects under data protection law: to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making);

2.4.3  understanding, and implementing as necessary, Cambridge Enterprise’s accountability obligations under data protection law, including implementing appropriate data protection policies such as this data protection policy;

2.4.4  implementing data protection by design and default in projects, procurement and systems;

2.4.5  using appropriate contracts with third party data controllers and data processors;

2.4.6  holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data;

2.4.7  reporting certain personal data breaches to the Information Commissioner’s Office;

2.4.8  conducting Data Protection Impact Assessments where required; and

2.4.9  ensuring adequate levels of protection when transferring personal data outside the European Economic Area (‘EEA’).

[5] See Data Protection definitions below.

3. Roles and responsibilities

3.1 Cambridge Enterprise has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:

3.1.1  Complying with data protection law and holding records demonstrating this;

3.1.2  Co-operating with the Information Commissioner’s Office (‘ICO’) as the UK regulator of data protection law; and

3.1.3  Responding to regulatory/court action and paying administrative levies and fines issued by the ICO.

3.2 The Cambridge Enterprise Senior Management Team is responsible for:

3.2.1  Reviewing (at least once every year until 25 May 2020 and once every five years thereafter) and approving this policy;

3.2.2  Assessing the overall risk profile and ensuring appropriate resources and processes are in place and implemented to enable compliance with data protection law.

3.3 The Deputy Director, as the named person within Cambridge Enterprise with responsibility for data protection compliance, is responsible for:

3.3.1  monitoring and auditing Cambridge Enterprise’s compliance with data protection law, especially its overall risk profile, and reporting when necessary to the Senior Management Team;

3.3.2  advising on all aspects of Cambridge Enterprise’s compliance with data protection law (including its use of Data Protection Impact Assessments), seeking advice from the University Information Compliance Office where necessary;

3.3.3  acting as Cambridge Enterprise’s standard point of contact with the ICO with regard to data protection law, including in the case of personal data breaches;

3.3.4  acting as an available point of contact for any complaints from data subjects;

3.3.5  handling data subject rights requests;

3.3.6  publishing and maintaining core privacy notices and other Cambridge Enterprise data protection documents;

3.3.7  managing and/or handling Data Protection Impact Assessments;

3.3.8  ensuring all Cambridge Enterprise staff are aware of this policy as necessary;

3.3.9  ensuring that appropriate processes and training are implemented to enable compliance with data protection law; and

3.3.10  ensuring that appropriate processes are implemented to enable information assets containing personal data within Cambridge Enterprise to be included in the University’s Information Asset Register where appropriate.

3.4 Individual staff, in order to enable Cambridge Enterprise to comply with data protection law, are responsible for:

3.4.1  completing relevant data protection training;

3.4.2  following relevant advice, guidance and tools/methods provided to staff, regardless of whether access to and processing of personal data is through Cambridge Enterprise-owned and managed systems, University-owned and managed systems, or through their own or a third party’s systems and devices;

3.4.3  when processing personal data on behalf of Cambridge Enterprise, only using it as necessary for their contractual duties and/or other Cambridge Enterprise roles and not disclosing it unnecessarily or inappropriately;

3.4.4  recognising, reporting internally, and co-operating with any remedial work arising from personal data breaches, including following the procedure set out in the Personal Data Breach Policy;

3.4.5 recognising, reporting internally, and co-operating with the fulfilment of data subject rights requests, including following the procedure set out in the Subject Access Request Policy;

3.4.6  ensuring compliance with Cambridge Enterprise’s Data Retention policy, deleting and removing data in accordance with the policy; and

3.4.7  on leaving Cambridge Enterprise ensuring that all data housekeeping requirements are fulfilled, only deleting, copying or removing personal data as agreed with their Head of Team and as appropriate.

3.5 Non-observance of the responsibilities in paragraph 3.4 may result in disciplinary action.

3.6 The roles and responsibilities in paragraphs 3.1 to 3.5 do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law.[6]

[6] These criminal offences include: unlawfully obtaining, disclosing or retaining personal data; recklessly re-identifying de-identified personal data without the data controller’s consent; deliberately altering or deleting personal data to prevent disclosure in accordance with data subject access rights; forcing a data subject to exercise their access rights; and knowingly giving false statements to the ICO.

4. Personal Data Breach

4.1 The GDPR requires data controllers like Cambridge Enterprise to notify any personal data breach to the applicable regulator and, in certain instances, the data subject.

4.2 We have put in place procedures to deal with any suspected breach of personal data and will notify data subjects or any applicable regulator where we are legally required to do so.

4.3 If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Following the Personal Data Breach Policy, immediately contact the Deputy Director designated as the key point of contact for personal data breaches (as set out at paragraph 3 of this data protection policy). You should preserve all evidence relating to the potential personal data breach.

5. Data subjects' rights and requests

5.1 Data subjects have rights when it comes to how we handle their personal data. These include rights to:

a) withdraw consent to processing at any time (provided that consent is the lawful basis on which processing is being carried out);

b) receive certain information about the data controller’s processing activities;

c) request access to their personal data that we hold;

d) prevent our use of their personal data for direct marketing purposes;

e) ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;

f) restrict processing in specific circumstances;

g) challenge processing which has been justified on the basis of our legitimate interests or in the public interest;

h) request a copy of an agreement under which personal data is transferred outside of the EEA;

i) object to decisions based solely on automated processing, including profiling;

j) prevent processing that is likely to cause damage or distress to the data subject or anyone else;

k) be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;

l) make a complaint to the supervisory authority; and

m) in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.

You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing personal data without proper authorisation).

5.2 All employees must immediately forward any Data Subject request received to the Deputy Director designated as the key point of contact for data subject access requests (as set out at paragraph 3 of this data protection policy) and comply with the company’s Data Subject Access Request Policy.

6. Sharing personal data

6.1 Generally we do not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.

6.2 You should only share the personal data we hold with third parties, such as our service providers, if:

6.2.1  they have a need to know the information for the purposes of providing the contracted services;

6.2.2  sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s valid consent has been obtained;

6.2.3  the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;

6.2.4  the transfer complies with any applicable cross-border transfer restrictions; and

6.2.5  a fully executed written contract that contains GDPR-approved third party clauses has been obtained.

7. Contact

Contact details for data protection purposes are outlined in Section 3 above.

Cambridge Enterprise Limited, University of Cambridge

Hauser Forum, 3 Charles Babbage Road, Cambridge CB3 0GT


Data Protection Definitions

‘Personal data’

‘Personal data’ is any information that relates to a living individual who can be identified from that information, in particular by reference to:

  • an identifier such as a name, an identification number, location data or an online identifier (such as an IP address); or
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

‘Special categories of personal data’

‘Special categories of personal data’ means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data and biometric data.

Personal data about (alleged or proven) criminal convictions and offences are not technically defined as special category personal data but are afforded similar protections.

The processing of special category personal data requires another legal basis to be identified. There are numerous legal bases, set out both in Article 9 of the UK GDPR and in Schedule 1 to the DPA 2018.


‘Processing personal data’

‘Processing personal data’ refers to any operations performed on personal data (whether those operations are automated or not). Common types of personal data processing include (but are not limited to) collecting, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing, disseminating and destroying data.

‘Data Subject’

‘Data Subject’ refers to a person who lives in the EU, whom GDPR defines as ‘identified or identifiable natural person[s]’.

‘Data Controller’

‘Data Controller’ is a company/organisation that collects people’s personal data and makes decisions about what to do with it. Data Controllers must comply with applicable data privacy legislation.