
What is data protection?

Data protection refers to the process of protecting sensitive information (ie personal data) that an organisation (eg business) holds from damage, unauthorised access, loss and misuse. 

In the UK, the main legislation governing the collection, processing, and distribution of personal data is the UK General Data Protection Regulation (UK GDPR), which is supplemented and tailored by the Data Protection Act 2018 (DPA 2018). Both are enforced by the Information Commissioner's Office (ICO).

Why is data protection important?

In an increasingly data-driven world, the protection of data, especially personal data, is crucial. Data protection laws prescribe the proper and fair use of everyone's data, and failure to comply with these laws can result in serious consequences (eg fines). 

While the specific reasons why data protection is important differ for private individuals and organisations, data protection is always essential for preserving individual rights, fostering trust, and maintaining control over personal information.

How is data protection relevant for individuals?

For individuals, data protection laws provide security, as they help prevent identity theft, unauthorised access to personal information, and potential misuse of sensitive data. Data protection laws also provide individuals with control over their information, empowering them to know how their data is handled and giving them the right to object to certain processing activities. 

Individuals should be aware of how their information can and cannot be used. This includes understanding their rights relating to their data, including:

For more information, read Data protection requests. For a full list of all data protection rights, see the ICO's guidance on data protection rights.

How is data protection relevant for organisations?

Any organisation that handles personal information has legal obligations that must be met. These obligations require the organisation to protect the personal data it collects and to uphold the rights of the people that data is about. In practice, most organisations handle personal data simply by, for example, keeping records of their customers, members and/or employees.

What is personal data?

Infographic showing the definition of personal data

Personal data is information (held electronically or physically) relating to individuals (ie not businesses or other organisations) who can be identified from that data, either on its own or in combination with other data held. Personal data includes (but is not limited to):

  • names

  • addresses (including email addresses)

  • telephone numbers

  • dates of birth

  • job titles

  • online identifiers (eg IP addresses)

Personal data can only be processed if an organisation can establish a lawful basis for doing so (more on this below).

What is special category sensitive personal data?

Infographic showing the definition of sensitive personal data

There is a further category of 'special category personal data' (often simply referred to as 'special category' or 'sensitive' personal data), which includes information about:

  • racial or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • physical or mental health

  • sex life or sexual orientation

  • biometrics (eg fingerprint data and facial images) used to uniquely identify someone

  • genetics

Special category personal data is subject to stricter data protection obligations. As well as establishing a lawful basis, an organisation must meet one of the separate conditions for processing special category data (the 'Article 9 conditions' under the UK GDPR, some of which require additional conditions under the DPA 2018) before it can lawfully process it.

Personal data can also include information about criminal offences (including convictions and allegations). This is not special category data but is subject to its own, similarly strict, controls: it can only be processed under official authority or where a specific condition set out in the DPA 2018 applies.

What is processing?

Processing means almost anything that is done with personal data. It includes (but is not limited to) collecting, recording, storing, organising, using, disclosing, and erasing it. This means that processing includes activities as simple as recording a customer's name and address for a delivery or an employee's name and address on their HR file. The only notable exception is an individual handling data purely for personal or household purposes (eg a private address book), which falls outside the legislation.

Infographic answering the question of what data processing is

For more detailed information, read Processing personal data.

Who are data subjects?

Infographic showing the definition of data subjects

Data subjects are natural persons (ie humans, not businesses) to whom personal data relates. They are the people from whom or about whom an organisation collects information in connection with its operations. For example, a business may collect information about data subjects including:

  • its customers (ie the people who buy the business’s products)

  • the people who work in the business (ie employees and consultants)

When an organisation processes personal data, it is the data subjects whose rights must be upheld.

What are my obligations if I collect personal data?

The UK GDPR imposes obligations on organisations that process personal data, based on seven key data protection principles. Organisations must make sure that personal information is:

  • processed fairly, lawfully and in a transparent manner (ie the lawfulness, fairness and transparency principle)

  • collected for specified, explicit and legitimate purposes and not used for anything incompatible with those purposes (ie the purpose limitation principle)

  • adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (ie the data minimisation principle)

  • accurate and, where necessary, kept up to date (ie the accuracy principle)

  • kept in a form which enables identification of data subjects for no longer than is necessary (ie the storage limitation principle)

  • processed in a way that ensures it is appropriately secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (ie the integrity and confidentiality principle)

  • processed by organisations that are responsible for, and able to demonstrate, compliance with data protection law, for example by keeping track of their practices in data protection documents (ie the accountability principle)

What the principles require in practice depends on the risk of harm that could arise from a data protection failure. For example, for businesses that collect credit card details, keeping data 'appropriately secure' means protecting it at all times and, in particular, never sending it unencrypted.

For more information, read Data protection principles.

Can personal data be transferred overseas?

Data protection legislation imposes restrictions on the transfer of personal data from the UK to destinations outside the UK (known as 'third countries'). Such transfers are generally not allowed unless the destination is covered by UK 'adequacy regulations' or one of the permitted safeguards (eg the International Data Transfer Agreement or standard contractual clauses (SCCs) with the UK addendum) is in place. Narrow exceptions exist for specific situations, such as a transfer the individual has explicitly consented to after being told of the risks.

For more information, read International data transfers of personal data.

How do organisations comply with their data protection obligations?

Organisations must follow the rules on data protection in relation to information they retain about staff, customers, and account holders. This applies when, for example, they:

Some organisations must appoint a 'data protection officer' (or 'DPO'): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. Any other organisation can choose to nominate someone to be responsible for day-to-day data protection compliance. Whoever holds this role should:

  • become familiar with data protection requirements

  • audit the organisation’s data processing activities

  • consider making a Data protection and data security policy and other guidance (eg an Employee privacy notice) for staff members, to make everyone aware of the organisation’s data protection requirements and their responsibilities regarding them

An organisation that collects personal data through a website should make a Privacy policy and publish it on its website to tell individuals what data it collects, why, and how it will be processed.

A data controller (ie the party that decides why and how particular personal data is processed) must pay the ICO a data protection fee unless it is exempt. Details about the fee can be found in the ICO's guidance on the data protection fee.

For more information, read Complying with the GDPR and Data protection and employees, and follow our How to make a business GDPR compliant checklist. You can also download the ICO’s advice for organisations. If you need specific data protection advice for your business, consider making use of our Data protection advice service.

How did Brexit impact data protection in the UK?

On 1 January 2021, the UK became a 'third country' (ie a country outside of the European Union (EU)) for the purposes of personal data transfers from the EU.

On 28 June 2021, the European Commission adopted an adequacy decision in relation to transfers of personal data from the EU and European Economic Area (EEA) to the UK. This means that personal data transfers from the EU and EEA to the UK can be made without additional safeguards (ie contractual paperwork, measures, or assessments) needing to be put in place. Unusually, the decision contained a four-year 'sunset clause', so it was due to expire on 27 June 2025 unless renewed. The Commission extended it by six months, meaning that it remains in place until at least 27 December 2025 while renewal is considered. The Commission can also suspend, amend or repeal the decision at any time if it concludes that the UK no longer ensures an adequate level of data protection.

Businesses should ensure they are clear about any transfers of personal data they undertake in their Privacy policies.

For more information, read Data protection for businesses and General Data Protection Regulation (GDPR) FAQs.


If you have any questions or concerns about data protection, do not hesitate to Ask a lawyer. If you need specific data protection advice, consider using our Data protection advice service.