Data Protection in the UK
GDPR - General Data Protection Regulation
Data protection is about ensuring people can trust you to use their
data fairly and responsibly.
If you collect information about individuals for any reason other than
your own personal, family or household purposes, you need to comply.
The UK data protection regime is set out in the DPA 2018, along with
the GDPR (which also forms part of UK law). It takes a flexible,
risk-based approach which puts the onus on you to think about and justify how and why you use data.
What is data protection?
Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
It’s also about removing unnecessary barriers to trade and co-operation. It exists in part because of international treaties for common standards that enable the free flow of data across borders. The UK has been actively involved in developing these standards.
Data protection is essential to innovation. Good practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors.
The UK data protection regime is set out in the DPA 2018 and the GDPR (which also forms part of UK law).
Does it apply to me?
Yes, if you have information about people for any business or other non-household purpose. The law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.
You will not need to comply if you only use the information for your own personal, family or household purposes – eg personal social media activity, private letters and emails, or use of your own household gadgets.
What is ‘personal data’?
In short, personal data means information about a particular living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.
It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
It doesn’t cover truly anonymous information – but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.
It only includes paper records if you plan to put them on a computer (or other digital device) or file them in an organised way. If you are a public authority, all paper records are technically included – but you will be exempt from most of the usual data protection rules for unfiled papers and notes.
What is a ‘controller’?
A controller is the person that decides how and why to collect and use the data. This will usually be an organisation, but can be an individual (eg a sole trader). If you are an employee acting on behalf of your employer, the employer would be the controller. The controller must make sure that the processing of that data complies with data protection law.
In this guide, we generally use the term ‘organisation’ or ‘you’ to mean the controller.
What is a ‘data subject’?
This is the technical term for the individual whom particular personal data is about. In this guide we generally use the term ‘individuals’ instead.