UK Data Protection Law
Data protection is an essential ingredient in modern business. Nearly all businesses will collect a certain amount of personal data about people, whether it relates to their employees, customers, business contacts, or others. Data protection law seeks to ensure that this data is handled properly, protecting individuals’ privacy.
The law governing data protection in the UK consists primarily of the Data Protection Act 2018 and the UK GDPR. The UK GDPR took effect at the start of 2021, as the Brexit transition period came to an end. For most SMEs operating in the UK, the UK GDPR is the go-to source for data protection law. It is the “general processing regime”, as described by the Information Commissioner’s Office (the “ICO”), which applies to most organisations and which is covered here.
The ICO has a tool, available here, which can help you to determine which data protection regime applies to your organisation.
What is the UK GDPR?
The UK GDPR is the retained EU law version of the EU GDPR. The GDPR (or “General Data Protection Regulation”) came into effect on 25 May 2018 and applied throughout the European Union. It is retained in UK law, with some contextual modifications, by section 3 of the European Union (Withdrawal) Act 2018.
From a compliance perspective, there is generally little difference between the EU GDPR and the UK GDPR. The core terms, principles, rights, and obligations remain unchanged. In general terms, if you were compliant with the GDPR before the Brexit transition period ended, you should be in good shape under the UK GDPR.
Some Key Definitions
The UK GDPR includes many defined terms which apply to different areas of data protection. Some apply only in certain contexts, whereas others can be found everywhere.
- Personal Data is any information relating to an identified or identifiable natural person (known as a data subject). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- A Data Controller is the party who, alone or jointly with other parties, determines the purposes and means of the processing of personal data. In short, the controller is the decision-maker.
- A Data Processor is the party who processes personal data on a data controller’s behalf, on the data controller’s instructions.
- Processing refers to just about anything done with or to personal data. According to the UK GDPR, processing means any operation or set of operations which is performed on personal data or sets of personal data, by automated or manual means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Principles
Data protection under the UK GDPR is governed by seven core principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawful Use of Personal Data
Before collecting and processing personal data, you must identify a valid lawful basis under the UK GDPR which will allow you to do so. The following lawful bases are available:
- Consent – this means that the data subject has given their clear consent to your processing of their personal data for a specific purpose or purposes.
- Contract – processing personal data is permitted if it is necessary for a contract between you and the data subject, or because they have asked you to take certain specific steps pre-contract.
- Legal Obligation – this does not extend to contractual obligations (see above), but otherwise refers to processing that is necessary for compliance with the law.
- Vital Interests – this applies if the processing is necessary to protect someone’s life.
- Public Task – this means that the processing is necessary for the performance of a task in the public interest or for the performance of official functions, provided that the task or function has a clear basis in law.
- Legitimate Interests – this means that the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the personal data which overrides such interests. (NB: This doesn’t apply if you are a public authority processing personal data in the performance of official tasks).
If you are processing special category (formerly known as sensitive) personal data, you will need both a lawful basis and an additional special category condition found in Article 9 of the UK GDPR.
Likewise, if you are processing criminal offence data, in addition to a lawful basis, you will need either “official authority” or must satisfy a condition found in Article 10 of the UK GDPR.
Data Subject Rights
Individuals are given a range of important rights under the UK GDPR. These are explained in more detail here.
The rights are as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights relating to automated decision-making and profiling
Explore More About Data Protection
The following pages contain more information about different areas of data protection law and will introduce you to our range of document templates designed to assist you in your compliance:
- Data Protection Audits
- Data Protection Impact Assessments
- Data Protection Policies
- Data Retention
- Privacy Policies & Notices
- Data Subject Access Requests
- Data Subject Rights
- Data Breaches
- Sharing and Processing Personal Data