Search

How can we help?

Icon

UK data protection: Important basics

We live in a data-rich world.

In our fast-developing technological era, we find ourselves swimming in a sea of data. From personal information shared on social media to sensitive business records stored in the cloud, data surrounds us. Sometimes, data protection can seem like unhelpful red tape. At other times, it is critical to cultivating a trustworthy reputation. Either way, organisations face data protection challenges in various spheres, including employment and commercial practice.

As the digital tide rises, understanding data protection terms becomes essential for everyone – whether you are an individual, a business owner, or a tech enthusiast.

Below are key concepts to keep you grounded as we navigate an evolving and complex field.

Personal data

Personal data is not just a string of characters, and the definition is not limited to the obvious.  Personal data means any information relating to an identified or identifiable natural person (the ‘data subject’). A person can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier, or they may be identified by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.  It is a fairly wide definition.

Types of personal data that are considered particularly sensitive are known as special category data and are governed by different rules. Examples are health records, racial or ethnic origin, religious beliefs, sexual orientation and biometric data. This is increasingly relevant as many organisations seek to understand and reflect their stakeholders’ diversity and grapple with new levels of health disclosures.

Data subject

Imagine a spotlight on centre stage – the data subject steps into it. They are the individuals whose data we handle. Whether you are a marketer analysing consumer behaviour or a HR manager managing employee records, data subjects are at the heart of it all.

Processing

Data processors process personal data on behalf of the controller. They may process personal data in a variety of ways, including collecting, organising, analysing and sharing it. A lawful basis is needed to carry out processing activities, and different rationales apply in different circumstances.

Data controller and data processor

These key terms are used to describe the two main parties who will be processing an individual’s personal data. For a detailed explanation of data controllers and data processors, check out our article.

As the digital tide rises, understanding data protection terms becomes essential for everyone – whether you are an individual, a business owner, or a tech enthusiast.

Individual rights

Data subjects have several specific rights – the most popular being the data subject access request (“DSAR”), where individuals may ask for information about how their data has been processed, and for access to, and copies of, their personal data held by an organisation.

Data subjects have a right to be provided with information about data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Other rights include the right to rectification, erasure, and to object to and/or restrict processing. These are all routes for individuals to raise concerns about the retention of their data, and the appropriateness and accuracy of its processing.

The right to data portability is a relatively obscure right designed to allow individuals to request that their data is in a structured, machine-readable format to move it elsewhere.

Security

Data protection and cyber security go together, so comprehensive security audits and regular internal training should be on the agenda. This is particularly the case as workplaces become more dispersed and multiple platforms, technologies and devices are used.

But data breaches are not always the result of sophisticated attacks – often human error is just as culpable. It is important that breach processes are clear, so issues can be escalated and resolved and any reporting to the regulator or data subjects can be actioned within the required deadlines.

Sharing and transfers

Data sharing is necessary in many contexts – increasingly so, as organisations outsource various functions to specialist providers and work collaboratively to tackle global issues.

Compliance with data regulations should enhance trust in those commercial relationships. However, on a practical level, navigating different regulatory expectations can be problematic.

International data transfers are restricted. There are additional rules – ranging from how the comparable standards in the importers’ jurisdiction are assessed and evidenced, to the risk assessments, agreements, and obligations necessary to maintain the required levels of data protection. The applicable regimes will depend on the jurisdictions involved.

Key data protection laws

The UK GDPR retains the EU GDPR standards but operates as domestic law, and it sits alongside the amended Data Protection Act 2018. While the principles, rights and obligations remain the same, there are implications for data transfers between the UK and the European Economic Area.

If you have any questions, please contact our data protection lawyers, who would be happy to help.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

About this article

Read, listen and watch our latest insights

Pub
  • 09 July 2026
  • Litigation and dispute resolution

The Arbitration Act 2025 – Factsheet

This factsheet outlines the major reforms and key developments introduced by the Arbitration Act 2025, including updates on summary disposal, jurisdictional challenges, emergency arbitrators, arbitrator disclosure duties, and governing law in arbitration proceedings.

art
  • 09 July 2026
  • Immigration

Right to Work Checks are changing from 1 October 2026: Is your business ready?

The Home Office’s new rules, effective 1 October 2026, will overhaul right to work checks and raise the risk of civil penalties for UK businesses.

art
  • 08 July 2026
  • Privacy and Data Protection

ICO prosecutes employee under the Data Protection Act for forwarding client data to his personal email address

The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses.

Pub
  • 07 July 2026
  • Litigation and dispute resolution

Accelerating arbitration: Expedited procedures and key changes in the new ICC Rules – Episode 2

In episode 2, Jack Hobbs (Clarkslegal) and Christopher Howitt (Three Stone) explore how the latest expedited and highly expedited procedures under the ICC Arbitration Rules 2026 are transforming the landscape of dispute resolution.

art
  • 07 July 2026
  • Employment

6 month unfair dismissal rights: What employers need to know

Under the new Employment Rights Act 2025 the minimum period of service required to qualify to bring a statutory claim for unfair dismissal has been reduced from 2 full years to 6 months from 1 January 2027 onwards.  

art
  • 02 July 2026
  • Litigation and dispute resolution

Litigation and Artificial Intelligence: Where are we now?

In the recent case of Cork and another v Smith, the High Court publicly admonished a law firm and two of its solicitors after they had produced and submitted two AI-generated letters to the court containing misleading and false information in relation to a block transfer application made under Rule 12.37 of the Insolvency (England and Wales) Rules 2016.