
Data protection

All businesses (and other organisations) must properly handle the personal information that individuals give them. In the UK, the main legislation governing the collection, processing, and distribution of personal data is the Data Protection Act 2018 (the DPA), which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulation (the GDPR).


For individuals

Be aware of how information you give to others can and can’t be used. You have certain rights relating to data held about you, including:

For a full list of your data protection rights, see the ICO’s guidance.

For businesses and other organisations

Any organisation (eg a business) that handles personal information has various legal obligations that must be met. These obligations require the organisation to protect the information it collects from individuals and to uphold those individuals' data protection rights. In practice, most businesses handle personal data, as they have to keep records of their customers and employees.

Personal data is information (held electronically or physically) relating to individuals (ie not companies or other organisations) who can be personally identified from that data (on its own or with other data held). It includes:

  • names

  • addresses (including email addresses)

  • telephone numbers

  • dates of birth

  • job titles

  • online identifiers (eg IP addresses)

There is a further 'special category' of 'sensitive personal data' which includes information about:

  • racial or ethnic origin

  • political opinions

  • religious or similar beliefs

  • trade union membership

  • physical or mental health conditions

  • sexual life

  • biometrics (eg fingerprint data and facial images)

  • genetics

The DPA’s requirements are even stricter when it comes to sensitive personal data. This means that organisations must often meet one of the further ‘conditions for processing’ in order to legally use special category personal data. 

Information about criminal offences (including convictions) is treated separately and is subject to even tighter controls.

'Processing' is any use of personal data that isn’t for personal reasons. The processing of personal data includes (but is not limited to) collecting, recording and retaining it. This means that it includes activities as simple as recording a customer’s name and address for a delivery. For more information, read Processing personal data.

Data subjects are natural persons (ie humans, not companies) from whom or about whom you collect information in connection with your organisation and its operations. For example, if you run an online business, you'll collect information about data subjects including:

  • your customers (ie the people who buy your products)

  • the people who work in your business (ie employees and consultants)

When you’re processing personal data, it’s data subjects whose rights you must uphold.

The GDPR imposes obligations on organisations that process personal data, based on the seven key ‘data protection principles’. Organisations must make sure that personal information is:

  • processed fairly, lawfully and in a transparent manner

  • collected for specified, explicit and legitimate purposes (ie ‘purpose limitation’)

  • adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (ie ‘data minimisation’) 

  • accurate and kept up to date

  • kept in a form which enables identification of data subjects for no longer than is necessary (ie ‘storage limitation’)

  • processed in a way that ensures it is appropriately secure. This involves ensuring that it is processed with integrity and confidentiality

  • processed by organisations who are responsible for and able to demonstrate compliance with the law on data protection, for example by keeping track of their practices in data protection documents. This is known as the ‘accountability principle’

Organisations also have an obligation to ensure that data is not transferred outside the UK without adequate protection.

How the data protection principles are interpreted and enforced depends upon the perceived risk of the harms that could arise from data protection failures. For example, keeping data ‘appropriately secure’ may involve, if you collect a person’s credit card details, keeping that data safe and secure at all times and not sending it unencrypted. 

For more information, read Data protection principles.

You must follow the rules on data protection in relation to information you retain about staff, customers, and account holders. This applies when, for example, you:

For more information, read Data protection and employees and How to make a business GDPR-compliant checklist. You can also download the ICO’s advice for organisations. If you need specific data protection advice for your business, consider making use of our Data protection advice service.

You can nominate someone within your organisation to be responsible for ensuring data protection compliance. This ‘Data Protection Officer’ (or ‘DPO’) should become familiar with data protection requirements and should audit the organisation’s data processing activities. The DPO should also consider making a Data protection and data security policy and other guidance for your staff, to make everyone within the organisation aware of the data protection requirements and their responsibilities regarding them. For more information, read Data protection officers.

If you collect personal data through a website, you should make a Privacy policy and publish it on your website, to inform individuals about your proposed processing of their personal data.

Data controllers (ie individuals or businesses who make the core decisions about how personal data is processed) must pay the ICO a data protection fee, unless they are exempt. Details about the fee can be found on the ICO’s website.

For more information, read Complying with the GDPR.

Data protection legislation imposes restrictions on the transfer of personal data from the UK to destinations outside of the UK (‘third countries’). Transfers are generally not allowed unless one of the permitted safeguards or an ‘adequacy regulation’ is in place. For more information, read International data transfers of personal data.

On 1 January 2021, the UK became a ‘third country’ (ie a country outside of the European Union (EU)) for the purposes of personal data transfers from the EU.

On 28 June 2021, the European Commission adopted an ‘adequacy decision’ in relation to the transfers of personal data from the EU and European Economic Area (EEA) to the UK. This brought an end to uncertainty over transfers of personal data to the UK.

The adequacy decision means that personal data transfers from the EU and EEA to the UK can be made without additional contractual paperwork, measures, or assessments (ie safeguards) needing to be put in place. The adequacy decision will be reviewed every 4 years and, provided the UK continues to ensure an adequate level of data protection, renewed. The European Commission will intervene if necessary.

Businesses should ensure they are clear about any transfers of personal data they undertake in their Privacy policies.

For more information, read Data protection for businesses and General Data Protection Regulation (GDPR) FAQs.
