UK data protection: Important basics

We live in a data-rich world.

Sometimes, data protection can seem like unhelpful red tape. At other times, it is critical to cultivating a trustworthy reputation. Either way, organisations face data protection challenges in various spheres – including employment and commercial practice.

Below are key concepts to keep you grounded as we navigate an evolving and complex field.


Different data protection regimes may overlap. Post-Brexit, the UK GDPR is the main regulatory framework for UK organisations – but EU GDPR may still apply, depending on the location of data subjects, and other circumstances.


Personal data is increasingly widespread. The definition is not limited to the obvious – it encompasses anything that can identify an individual, even indirectly.

Types of personal data that are considered particularly sensitive are governed by different rules – and known as special category data. This is increasingly relevant as many organisations seek to understand and reflect their stakeholders’ diversity, and grapple with new levels of health disclosures.

Data mapping is vital to providing adequate protection – what, where, whose and why are all necessary questions to help see the full picture.


These are essentially the guard-rails of data protection compliance – keeping them in mind is a fundamental step towards creating a culture that respects the ethos of data protection.

The principles are lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Together, they require an approach to data protection that seeks to promote and protect privacy – a ‘less is more’ mindset, where data processing is restricted to identified purposes that are clearly communicated and based on specific legal justifications, and data retention is limited and secure.

Lawful processing

Following on from a clear understanding of the types of data involved, a lawful basis is needed to carry out processing activities. Different rationales apply in different circumstances.


Data subjects have several specific rights – the most popular being the subject access request, i.e., where individuals can ask for information about how their data has been processed, and for access to, or copies of, the data involved.

Privacy notices are a result of another key right – the right to be provided with information about data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Other rights include the right to rectification, erasure and to object to and/or restrict processing – which are all routes for individuals to raise concerns about the retention of their data, and the appropriateness and accuracy of its processing.

The right to data portability is a relatively obscure right designed to allow individuals to move their data between organisations freely.

As the prevalence of AI increases, another lesser-known right is gaining prominence – the right to object to automated decision-making.


Data protection and cyber security go together, so comprehensive security audits and regular internal training should be on the agenda. This is particularly the case as workplaces become more dispersed and multiple platforms, technologies and devices are used.

But data breaches are not always the result of sophisticated attacks – often human error is just as culpable. It is important that breach processes are clear, so issues can be escalated and resolved and any reporting to the regulator or data subjects can be actioned within the required deadlines.

Sharing and transfers

Data sharing is necessary in many contexts – increasingly so, as organisations outsource various functions to specialist providers and work collaboratively to tackle global issues.

Compliance with data regulations should enhance trust in those commercial relationships. However, on a practical level, navigating different regulatory expectations can be problematic.

International data transfers are restricted. There are additional rules – ranging from how the comparable standards in the importers’ jurisdiction are assessed and evidenced, to the risk assessments, agreements, and obligations necessary to maintain the required levels of data protection. The applicable regimes will depend on the jurisdictions involved.

UK developments

The UK government has signalled its interest in developing a new direction for data protection – with an emphasis on supporting innovation, and perhaps an intention to depart from the GDPR in some respects.

However, our alignment to the EU’s position remains an important factor for securing the free flow of data between the EEA and UK and may curb any drastic departures from the existing regime.

Nevertheless, as ways of working continue to evolve, and data becomes increasingly embedded across society, we can expect to see more consultations and guidance from the government and the ICO to try to shape and regulate the emerging trends.

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
