Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Settlement agreement Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
Bespoke legal drafting Start a business Startup legal help Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Tenant eviction service
Get divorced Apply for probate IR35 status determination advice Settlement agreement advice
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
Make terms and conditions Run a private limited company Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /gb/en
  2. Legal guides
  3. Data protection for businesses

Data protection for businesses

Comply with data protection laws when processing personal data

Maximum characters allowed: 600
Lauren Delin
Lauren Delin
Solicitor

Essential Documents for Data Protection:

In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 2018 (the DPA) which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulations (the GDPR). Businesses that process personal data are subject to a number of legal obligations to protect that data.

Personal data is information relating to individuals who can be personally identified from that data (on its own or with other data held). Personal data can be held electronically or physically and includes names, addresses (including email addresses), dates of birth and online identifiers (eg IP addresses).

There is a further 'special category' of 'sensitive personal data' which is awarded greater protection under the law and includes information about racial or ethnic origin, sexual life and physical or mental health or condition.

Criminal offence data (ie personal data relating to criminal convictions and offences or related security measures) is treated separately to personal data and special category special data but is subject to even tighter controls.

For more information, read Data protection.

Data processing is any use of personal data other than for personal reasons. This includes obtaining, recording and storing personal data. This means that businesses need to follow the rules on data protection in relation to information they retain about staff, customers and account holders. 

Those who process personal data will either be data controllers (ie those who decide the purpose for the processing of personal data, and the means to achieve this) or data processors (ie those who carry out the instructions of the data controller in the processing of personal data). Read Processing personal data for more information.

Businesses will only be able to process personal data if they have a lawful basis for processing the data. There are six grounds for the lawful processing of personal data, which include (but are not limited to) data subject (ie the individual the data relates to) having consented to the processing, the processing being necessary for the performance of a contract and the processing being necessary for the organisation’s or a third party’s legitimate interests.

For more information on these grounds, read Processing personal data.

A business can only process special category sensitive data if, in addition to having a lawful basis for processing, it can demonstrate that it meets a so-called ‘condition for processing’. These conditions for processing include (but are not limited to) where the processing relates to personal data that has been made public by the data subject, the processing is necessary for reasons of substantial public interest and the processing is necessary for health or social care purposes. The condition for processing (in addition to the lawful basis for processing) needs to be recorded in a Data protection impact assessment (DPIA).

For more information on these conditions for processing, read Compliance for DPIAs.

A business can only process criminal offence data if, in addition to having a lawful basis for processing, it is either processing the data under the control of official authority or is authorised to process the data under UK law.

Processing under the control of official authority means that the business has the authority to process criminal offence data under the law, and is able to pinpoint specific legislation that provides them with such authority. For example, the courts have specific official authority to process criminal offence data.

Businesses are authorised to process the data under UK law if they can meet one of the 28 conditions in the DPA, which include (but are not limited to) processing criminal offence data for reason of fraud prevention, suspicion of terrorist financing or money laundering and insurance. For more information, read Criminal offence data for DPIAs.

The condition for processing (in addition to the lawful basis for processing) needs to be recorded in a DPIA.

A DPIA is a process designed to help organisations (often known as ‘data controllers’) identify and minimise the data protection risks of a project. It’s an essential component of an organisation’s accountability obligation under the GDPR and helps organisations assess and demonstrate how they comply with their data protection obligations

A DPIA needs to be completed where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is ‘high risk’, the likelihood and severity of any potential harm to individuals need to be considered.

Read Data protection impact assessments for more information.

A Legitimate interest assessment (LIA) is needed where a business is processing personal data on the basis of legitimate interest. An LIA is used to identify the legitimate interest in question, the benefits of processing the personal data and whether such processing is necessary. For more information, read Legitimate interest assessments.

An Appropriate policy document (APD) is a document outlining the business’ compliance measures and retention policies for special category sensitive data and criminal offence data. When a business processes special category sensitive data or criminal offence data they may need to have such an APD in place, depending on the conditions for processing relied on. For more information, read Appropriate policy documents.

Businesses must follow the legal rules on data protection in relation to any data they process in relation to staff members. Failure to comply with data protection laws in relation to staff could automatically breach other duties employers owe them (eg a serious breach of data protection could amount to a breach of contract as a result of failure in the duty to maintain trust and confidence).

Employers should inform staff about the types of data they may collect about them and what they do with it in an Employee privacy notice or a Consultant privacy notice for consultants.

Employers should consider putting in place a Data protection and data security policy to follow a set process that gives confidence to employees and help avoid any potential claims. Where any data processing of staff data is likely to result in a high risk to individuals (eg denial of work opportunities), employers must conduct a DPIA.

For more information, read Data protection and employees.

Transfers of personal data to recipients outside the UK (ie a 'third country') is prohibited under data protection laws unless certain safeguards are put in place. This affects all businesses that engage in international transfers (eg cloud-based services). Such businesses need to implement lawful data transfer mechanisms (such as standard contractual clauses) in order to be compliant. Read International transfers of personal data for more information.

A Data processing agreement (DPA) is an agreement between a data controller (eg a company) and a data processor (eg a third-party service provider). A DPA regulates any personal data processing conducted for business purposes. Having a DPA in place helps data controllers ensure that any processors they use have implemented appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subjects. For more information, read Data processing agreements.

Follow us

We use cookies to provide the best experience