Profile information Account settings
Help Contact us
Sign up Log in
Help Contact us

Complying with the GDPR

The UK General Data Protection Regulation (GDPR) strengthens data protection across the UK by setting out a legal framework to protect personal data. The Data Protection Act 2018 (DPA) contains equivalent regulations and protections to the GDPR. UK based businesses that do not comply with the GDPR and DPA will be subject to significant fines.

The GDPR and the DPA apply to businesses that store or handle personal data (ie identifiable information relating to individuals). People handling personal data can either be 'data controllers' or 'data processors': 

  • the controller is the person who says how and why personal data is processed (eg a city council operating CCTV cameras). 

  • the processor is the person who acts on the controller’s behalf (eg IT services). 

For more information, read Processing personal data.

The GDPR primarily applies to businesses established in the UK but also applies to businesses based outside the UK that offer goods and services to UK residents. This means that businesses will have to comply with the GDPR regardless of where they store or handle data, as long as they are processing UK citizens’ personal data.

UK businesses will also need to comply with the EU GDPR where they are processing EU citizens’ personal data.

Businesses should ensure they are clear about transfers of personal data in their Privacy policies.

Adequacy decision

On 1 January 2021, the UK became a ‘third country’ (a country outside of the EU), for the purpose of personal data transfer outside the EU.

On 28 June 2021, the European Commission adopted an ‘adequacy decision’ in relation to the transfers of personal data from the EU and EEA to the UK. This brings an end to uncertainty over transfers of personal data to the UK.

This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional contractual paperwork, measures or assessments. The adequacy will be reviewed every 4 years (provided the UK continues to ensure an adequate level of data protection) and the Commission will intervene if necessary.

For more information on international data transfers, read International transfers of personal data.

The GDPR reinforces the established principles governing data protection. These principles include processing data lawfully, obtaining valid consent from individuals you are collecting data from, and making sure the rights of individuals are protected (ie the right to object to their data being processed). 

Lawful processing 

When collecting personal data, you must make sure the data is:

  • used fairly and lawfully

  • used for limited, specifically stated purposes

  • used in a way that is adequate, relevant and not excessive

  • kept for no longer than is necessary

  • kept safe and secure

  • not transferred outside the UK or European Economic Area (EEA) without adequate protection


Accountability is one of the data protection principles. Under the accountability principle, you are responsible for complying with the GDPR and need to ensure you demonstrate compliance with the GDPR.

To comply with the accountability principle, you need to put in place appropriate technical and organisational measures (eg adopting and implementing data protection policies, appointing a data protection officer and maintaining documentation of processing activities).


For consent to be valid, it must be:

  • freely given
  • limited to a specific purpose
  • informed and unambiguous

Consent must consist of clear affirmative action, therefore silence, pre-ticked boxes or inactivity don't constitute valid consent. In addition, consent to process 'sensitive personal data' or data that comes within the 'special categories of personal data' (ie information about racial origin, political opinions, religious beliefs, health, sexual orientation or criminal records) and consent to transfer personal data outside the UK or EU must be explicit

Individuals can also withdraw their consent at any time. It must also be as easy to withdraw consent as it was to give (eg if data subjects simply ticked a box to express their consent, they should be able to withdraw the consent as easily). 

Individuals' rights 

The GDPR provides additional rights for individuals, including:

  • the right to erasure (or 'right to be forgotten'): individuals have the right to ask companies holding data about them to erase that data upon request if there's no compelling reason to continue processing the data. 

  • the right to access data: data processors must comply with a request to access data without delay, and at the latest within one month of the request (this can be extended to two months if the request is too complex). However, you can refuse to respond to the request if it is manifestly unfounded or excessive.

  • the right to data portability: when data processing is carried out by automated means, individuals have the right to access their personal data in a machine-readable format (ie in a way that is portable and safe).

For more information, read Data protection requests.

Breach notification

All organisations must report data breaches to the relevant supervisory authority and if the breach is a high risk, to the affected individuals. Data breaches are breaches of security that lead for example to the destruction, loss, alteration or unauthorised disclosure of personal data. If feasible the breach must be reported within 72 hours.

For more information, see the Information Commissioner’s Office guidance.

The GDPR requires you not only to comply with data protection principles but also to demonstrate that you comply with them, through the implementation of specific policies and procedures. Follow these few steps to make sure your business complies with the law:

  • Evaluate whether the GDPR applies to your business.

  • Make sure you process data lawfully (ie that personal data is stored and handled responsibly and securely, and is not kept longer than necessary). This might involve applying suitable security measures. For example, if you own a mobile application, your developers should encrypt and secure any data that moves between your app and the server, in addition to adequate hashing of user passwords.

  • Review your existing process to obtain consent from data subjects and ensure consent is valid. You should keep some form of record of consent (ie how and when consent was given, and by whom).

  • Update/develop a clear Privacy policy in which you’ll indicate what personal data is being collected, the purpose for collection, and how individuals can access data.

  • Consider how you will deal with individuals' requests relating to their personal data (eg data deletion requests or data access requests).

  • Ensure you offer a proper process for individuals to withdraw consent at any time and notify them of their right to do so.

  • Appoint a Data Protection Officer within your business to be responsible for ensuring data protection compliance.

  • Prepare for the new data breach reporting requirements. You may need to appoint a specific person or set up a dedicated unit within your business to deal with data breaches.

Individuals or businesses that do not comply with data protection law will be subject to a fine of up to 4% of their total global annual turnover or £17.5 million, whichever is higher. Supervisory authorities will also have a wide range of powers, including the power to audit businesses, issue warnings and give temporary or permanent bans on data processing.

We use cookies to provide the best experience