Profile information Member settings
Sign up Sign in

Data protection for businesses

Comply with data protection laws when processing personal data


Data protection for businesses FAQs

  • How to protect data as a business

    In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 2018 (the DPA) which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulations (the GDPR). Businesses that process personal data are subject to a number of legal obligations to protect that data.

  • What is personal data?

    Personal data is information relating to individuals who can be personally identified from that data (on its own or with other data held). Personal data can be held electronically or physically and includes names, addresses (including email addresses), dates of birth and online identifiers (eg IP addresses).

    There is a further 'special category' of 'sensitive personal data' which is awarded greater protection under the law and includes information about racial or ethnic origin, sexual life and physical or mental health or condition.

    Criminal offence data (ie personal data relating to criminal convictions and offences or related security measures) is treated separately to personal data and special category special data but is subject to even tighter controls.

    For more information, read Data protection.

  • When can personal data be processed?

    Businesses will only be able to process personal data if they have a lawful basis for processing the data. There are six grounds for the lawful processing of personal data, which include (but are not limited to) data subject (ie the individual the data relates to) having consented to the processing, the processing being necessary for the performance of a contract and the processing being necessary for the organisation’s or a third party’s legitimate interests.

    For more information on these grounds, read Processing personal data.

  • When can special category sensitive data be processed?

    A business can only process special category sensitive data if, in addition to having a lawful basis for processing, it can demonstrate that it meets a so-called ‘condition for processing’. These conditions for processing include (but are not limited to) where the processing relates to personal data that has been made public by the data subject, the processing is necessary for reasons of substantial public interest and the processing is necessary for health or social care purposes. The condition for processing (in addition to the lawful basis for processing) needs to be recorded in a Data protection impact assessment (DPIA).

    For more information on these conditions for processing, read Compliance for DPIAs.

  • When can criminal offence data be processed?

    A business can only process criminal offence data if, in addition to having a lawful basis for processing, it is either processing the data under the control of official authority or is authorised to process the data under UK law.

    Processing under the control of official authority means that the business has the authority to process criminal offence data under the law, and is able to pinpoint specific legislation that provides them with such authority. For example, the courts have specific official authority to process criminal offence data.

    Businesses are authorised to process the data under UK law if they can meet one of the 28 conditions in the DPA, which include (but are not limited to) processing criminal offence data for reason of fraud prevention, suspicion of terrorist financing or money laundering and insurance. For more information, read Criminal offence data for DPIAs.

    The condition for processing (in addition to the lawful basis for processing) needs to be recorded in a DPIA.

  • What is a DPIA?

    A DPIA is a process designed to help organisations (often known as ‘data controllers’) identify and minimise the data protection risks of a project. It’s an essential component of an organisation’s accountability obligation under the GDPR and helps organisations assess and demonstrate how they comply with their data protection obligations

    A DPIA needs to be completed where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is ‘high risk’, the likelihood and severity of any potential harm to individuals need to be considered.

    Read Data protection impact assessments for more information.

  • What is a legitimate interest assessment?

    A Legitimate interest assessment (LIA) is needed when a business is processing personal data on the basis of legitimate interest. An LIA is used to identify the legitimate interest in question, the benefits of processing the personal data and whether such processing is necessary. For more information, read Legitimate interest assessments.

  • What is an appropriate policy document?

    An Appropriate policy document (APD) is a document outlining the business’ compliance measures and retention policies for special category sensitive data and criminal offence data. When a business processes special category sensitive data or criminal offence data they may need to have such an APD in place, depending on the conditions for processing relied on. For more information, read Appropriate policy documents.

  • How does data protection apply to staff?

    Businesses must follow the legal rules on data protection in relation to any data they process in relation to staff members. Failure to comply with data protection laws in relation to staff could automatically breach other duties employers owe them (eg a serious breach of data protection could amount to a breach of contract as a result of failure in the duty to maintain trust and confidence).

    Employers should inform staff about the types of data they may collect about them and what they do with it in an Employee privacy notice or a Consultant privacy notice for consultants.

    Employers should consider putting in place a Data protection and data security policy to follow a set process that gives confidence to employees and help avoid any potential claims. Where any data processing of staff data is likely to result in a high risk to individuals (eg denial of work opportunities), employers must conduct a DPIA.

    For more information, read Data protection and employees.

  • Can personal data be transferred overseas?

    Transfers of personal data to recipients outside the UK (ie a 'third country') is prohibited under data protection laws unless certain safeguards are put in place. This affects all businesses that engage in international transfers (eg cloud-based services). Such businesses need to implement lawful data transfer mechanisms (such as standard contractual clauses) in order to be compliant. Read International transfers of personal data for more information.

  • What is a data processing agreement?

    A Data processing agreement (DPA) is an agreement between a data controller (eg a company) and a data processor (eg a third-party service provider). A DPA regulates any personal data processing conducted for business purposes. Having a DPA in place helps data controllers ensure that any processors they use have implemented appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subjects. For more information, read Data processing agreements.

Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer On Call Solicitors

Legal guides

  1. Data retention and document destruction
    10 min read
  2. Data mining and data scraping
    5 min read
  3. Data protection and children
    7 min read
  4. How to make a business GDPR-compliant checklist
    4 min read
  5. General Data Protection Regulation (GDPR) FAQs
    4 min read
  6. Data protection impact assessments
    4 min read
  7. Compliance for DPIAs
    7 min read
  8. Substantial public interest for DPIAs
    9 min read
  9. Criminal offence data for DPIAs
    9 min read
  10. Legitimate interest assessments
    7 min read
  11. Data protection principles
    7 min read
  12. Appropriate policy documents
    5 min read
  13. Standard contractual clauses
    5 min read
  14. Data processing agreements
    4 min read
  15. EU representatives
    4 min read
  16. Data protection officers (DPOs)
    7 min read
  17. Managing staff health data
    9 min read
  18. Information security and cyber security
    7 min read
  19. Freedom of information requests
    5 min read
  20. Complying with the GDPR
    6 min read
  21. Data protection requests
    6 min read
  22. Processing personal data
    3 min read
  23. Data protection
    7 min read
  24. Data protection and employees
    3 min read
  25. Consent for GDPR
    4 min read
  26. Vaccinations in the workplace
    6 min read
  27. How to record the Coronavirus (COVID-19) vaccination status of staff
    8 min read
  28. Data protection for Test and Trace and Coronavirus (COVID-19) mitigation
    10 min read

Looking for something else?