An introduction to GDPR and data protection

A business must comply with the Data Protection Act 2018 and the UK GDPR.

This page describes the main features of data protection and how the rules may impact your business.

Data protection

Data protection in the UK is governed by the retained EU law version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The Information Commissioner’s Office is the independent public body responsible for upholding information rights in the public interest, and the law is there to ensure that data processing is lawful, fair and transparent, but some have argued the current system requires draconian levels of compliance.

Data protection law is currently under reform, since the Government published its consultation in September 2021 on proposals to reform the UK’s data protection regime, to reduce the burdens on businesses and deliver better outcomes for people. This will hopefully be promising news to those who have had any previous experience with the levels of data protection compliance and the number of hoops that must be jumped through in order to satisfy such required compliance.

Important terms in the UK GDPR

Personal data: any information relating to a data subject. A data subject is the identified, or identifiable, person to whom the personal data relates. Personal data includes, among other things, personal details, financial details and contractual details (for example, goods and services provided to a data subject).

Processing: widely defined in the UK GDPR and covers, among other things, collecting, recording, storage, use and erasure or destruction of data. Just having the name of an identifiable individual on a database will amount to processing personal data.

Controller: a person (including a company) who determines the purposes and means of processing personal data. Most obligations under the UK GDPR fall on controllers.

Processor: a person who processes personal data on behalf of the controller. The UK GDPR introduces specific and separate duties for processors.

Key principles

The key principles apply to both controllers and processors. These can be summarised as:

  • Lawfulness, fairness and transparency. The controller must only process personal data on the basis of one or more of the rules set out in Article 6 of the UK GDPR. Certain special categories of personal data have very high thresholds for lawful processing, such as religious beliefs or sexual orientation.
  • Purpose limitation. Personal data must only be collected for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
  • Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy. Personal data must be accurate and, where necessary, kept up to date.
  • Storage limitation. Personal data must not be kept in a form which permits data subjects to be identified for longer than is necessary for the purposes for which the data is processed.
  • Integrity and confidentiality. Personal data must be processed in a way that appropriately ensures its security. Controllers and processors must use appropriate technical or organisational security measures to ensure this.
  • The controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

Primary obligations of controllers and processors

The following obligations apply to controllers and processors:

  • To enter into a contract when appointing a processor to impose obligations on the processor including relating to data security and confidentiality
  • Appoint a data protection officer in certain circumstances (such as where data relating to criminal convictions is processed)
  • Maintain records of data processing operations as specified by the UK GDPR
  • Implement appropriate technical and organisational measures to ensure a level of data security that is appropriate to the risks represented by the processing and nature of the personal data

The following obligations apply only to controllers:

  • Conduct a data protection impact assessment before actioning any processing that presents a specific risks to data subjects by virtue of its nature, scope or purpose
  • Implement appropriate technical and organisational measures to ensure compliance with data protection principles when processing personal data
  • Notify personal data breaches to the Information Commissioner and, in some cases, the data subject when required
  • Comply with data subject rights, including subject access, data portability and the right to be forgotten

The following obligations apply only to processors:

  • Notify data security breaches to the controller


It is important to ensure that your business and you or your team have the necessary policies and procedures in place and keep sufficient records as required by law.

The Information Commissioner’s Office has published a guide called “The data protection fee: A guide for controllers” which is helpful to understand the different fee tiers that are required to be paid and the information that needs to be provided when paying a fee.

Additional methods to ensure compliance are to conduct a data protection audit, have a written data protection policy available to employees and staff and, if required, appointing a data protection officer.

If you would like any further information or assistance to ensure your compliance with data protection please contact a member of our Commercial and Privacy & Data teams.

Sign up for legal insights

We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.  

Sign up