Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Settlement agreement Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
Bespoke legal drafting Start a business Startup legal help Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Tenant eviction service
Get divorced Apply for probate IR35 status determination advice Settlement agreement advice
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
Make terms and conditions Run a private limited company Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /gb/en
  2. Legal guides
  3. Data protection

Data protection

All businesses must properly handle the personal information given to them by individuals, eg their customers and employees. In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 2018 (the DPA) which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulations (the GDPR).
Make your Website privacy policy
Get started
Answer a few questions. We'll take care of the rest

For individuals: be aware of how information you give to others can be used. You have certain rights relating to data held about you, including:

  • the right to access your data and be informed about how your data is being processed
  • the right to have your data rectified if it's inaccurate or incomplete
  • the right to object to the processing, and
  • the right to have your data erased in certain circumstances

For business owners: if you handle personal information (and, let’s face it, you are always going to be handling personal information because as a business you have to keep records on your customers), you have a number of legal obligations to protect that information.

Personal data is information (whether held electronically or physically) relating to individuals only (ie not companies or other organisations) who can be personally identified from that data (on its own or with other data held). It includes:

  • names
  • addresses (including email addresses)
  • telephone numbers
  • dates of birth
  • job titles
  • online identifiers (eg IP addresses)

There is a further 'special category' of 'sensitive personal data' which includes information about:

  • racial or ethnic origin
  • political opinions
  • religious or similar beliefs
  • trade union membership
  • physical or mental health or condition
  • sexual life
  • biometrics (eg fingerprint data/facial images)
  • genetics

The DPA’s requirements are even stricter when it comes to sensitive personal data. Information about criminal convictions is treated separately and subject to even tighter controls.

'Processing' is any use of personal data (other than for personal reasons). It includes:

  • obtaining
  • recording
  • storing
  • organising
  • retrieving personal data

For further information, read Processing personal data.

Data subjects are natural persons from whom or about whom you collect information in connection with your business and its operations. For example, if you run an online business, you'll collect information about:

  • your customers, ie the people who buy your products
  • the people who work in the business, ie employees/consultants

You must make sure the information is:

  • processed fairly, lawfully and in a transparent manner
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • accurate and kept up to date
  • kept in a form that enables identification of data subjects for no longer than is necessary
  • processed in a way that ensures it is appropriately secure
  • not transferred outside the UK without adequate protection

These are strict rules known as the 'data protection principles’. How they are interpreted and enforced depends upon the perceived risk of harm arising from failures. Therefore today, if you collect a person’s credit card details, you must keep that data safe and secure at all times and not send it unencrypted. The ICO has guidance on this topic.

Moreover, if you collect personal information, you are responsible for and must be able to demonstrate compliance with the law on data protection. This is referred to as 'accountability' in the legislation.

You must follow the rules on data protection in relation to information you retain about staff, customers and account holders. This applies when, for example, you:

You can find useful information about data protection and dealing with your staff on the government’s website and you can download the ICO’s advice for organisations.

From 25 May 2018, data controllers must pay the ICO a data protection fee, unless they are exempt. Details of how to go about this can be found on the ICO’s website.

You should nominate someone within your business to be responsible for ensuring data protection compliance. The Data Protection Officer (DPO) should become familiar with data protection requirements and audit the organisation’s data processing activities. The DPO should also consider drawing up a Data protection and data security policy and other guidance to make everyone within the organisation aware of the data protection requirements.

Where you collect personal data through a website, you should build into your website a Privacy policy which informs individuals about the proposed processing of their personal data.

The legislation imposes restrictions on the transfer of personal data outside the UK (known as 'third countries'). For more information, read International data transfers of personal data.

On 1 January 2021, the UK became a ‘third country’ (a country outside of the EU), for the purpose of personal data transfer outside the EU.

On 28 June 2021, the European Commission adopted an ‘adequacy decision’ in relation to the transfers of personal data from the EU and EEA to the UK. This brings an end to uncertainty over transfers of personal data to the UK.

This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional contractual paperwork, measures or assessments. The adequacy will be reviewed every 4 years (provided the UK continues to ensure an adequate level of data protection) and the Commission will intervene if necessary.

Businesses should ensure they are clear about transfers of personal data in their Privacy policies.

Make your Website privacy policy
Get started
Answer a few questions. We'll take care of the rest

Follow us

We use cookies to provide the best experience