IT

5G technology

bgraham — Fri, 11 Apr 2025 13:31:53 +0000

5G technology bgraham Fri, 11/04/2025 - 14:31

5G technology

Understanding your business IT needs (video)

dcomisso — Thu, 25 Nov 2021 12:19:10 +0000

Understanding your business IT needs (video) dcomisso Thu, 25/11/2021 - 12:19

Plan your business IT systems

In this guide:

Carry out a technology needs assessment

How to carry out a technology needs assessment and make IT purchases and decisions that 91�㽶��ɫ��Ƶ your business objectives.

A needs assessment is an organised way of determining gaps between where your business is and where you want it to be. It is typically the first step in any business improvement effort, and an integral part of any business systems planning.

What is a technology needs assessment?

A technology needs assessment is a systematic analysis of your business' IT needs. It's a way of looking at what technology, systems and processes you currently have and use, and what you might need in the future to 91�㽶��ɫ��Ƶ your business objectives and growth.

To avoid wasting time and money, and be able to make informed decisions, you should carry out a technology needs assessment before you make any IT purchases or changes in your business.

How to assess technology needs in your business?

The technology needs assessment process typically involves several steps. You should:

1. Gather relevant information

Audit your infrastructure, processes and current systems. Study your workflows and find out how employees use current technology and do their work. Carry out focus groups with relevant staff, or conduct surveys, interviews, etc to collect as much relevant information as you can. You can use many different business analysis tools for strategic planning.

2. Identify drivers for change

Review the strengths and weaknesses of existing IT systems and identify areas that are causing problems. Understand the reasons for change. For example, do you need new IT systems to satisfy new legislation, streamline processes for efficiency, meet customer needs or simply to remain competitive in the market?

3. Determine the requirements

Aim to identify all possible requirements. You can decide later which ones are critical, realistic and affordable. The key is to align IT with your overall business strategy. For example, if your objective is to improve customer service, do you need a new system to communicate with customers more effectively? If you're aiming to increase efficiencies, will the new system help you to simplify operations? If necessary, include your stakeholders in this process.

4. Consider your resources

If you establish a clear need for a new system, decide how much money and time you are willing or able to spend on it. Dedicate resources for the purchase, as well as the implementation of the system, staff training, change management, maintenance and 91�㽶��ɫ��Ƶ.

5. Review and prioritise results

If your resources are limited, you may need to prioritise your needs. Work out which system may deliver the most of your requirements for the least amount of money. Make sure to consider the alternatives - perhaps you can resolve your IT problems with adjustments in other areas of business.

Document the outcomes of your needs assessment, so that you can revisit them if necessary. Analyse the results and use them to develop an IT strategy for your business.

Help

Invest NI Helpline

Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

7 essential technology upgrades for your business

IT skills and 91�㽶��ɫ��Ƶ for your staff

Strategic planning for business growth

Content category

IT

Source URL
/content/carry-out-technology-needs-assessment

Links
Align IT with your business strategy

Find out why aligning your IT with your business priorities maximises the return on your IT investment.
Your information technology (IT) systems should effortlessly 91�㽶��ɫ��Ƶ your overall business goals and objectives. This alignment, however, is not always easy to achieve. Many businesses find that their IT systems are either too expensive to maintain, too cumbersome to use efficiently, or simply do not provide added business value.

What does it mean to align IT with business strategy?

Business-IT alignment simply describes a state where a business can use IT to achieve its objectives. In this state, IT is a valuable asset rather than a utility or an expense. The system functions across the business with optimal efficiency and is more likely to achieve a positive return on your IT investment.

Benefits of aligning IT with business strategy

Achieving business-IT alignment can help improve your business performance. It can also:

boost efficiencies and profitability

improve collaboration

enhance customer experience

improve supply chains

achieve greater return on technology investments

reduce the risks associated with business and technical change

How to align IT with business objectives?

To align your IT strategies with corporate goals, you must:

know your business objectives and strategy

know your current IT capabilities and gaps

consider both priorities and investment within your IT strategy

Read about the key elements of strategic planning and find out how to carry out a technology needs assessment

If you are not sure where to start, focus on a few areas that may provide the greatest benefit. For example, you may want to:

look for areas of underperformance

engage with customers and suppliers to identify pain points

benchmark to see how your business compares to others

identify the key processes that matter most to your business (eg customer service, manufacturing systems, etc)

The next step is to decide what type of IT could make these systems work better. For example:

Could a customer relationship management system help you identify new opportunities?

Could enterprise resource planning help you control stock, cut waste, manage automated ordering and accounting?

Could your e-commerce website link to your back-office systems?

Could IT integration (eg of design and production systems) improve your manufacturing efficiency?

After you determine how IT can fit with your business priorities, you should develop an IT strategy. This is a long-term plan that defines how and why the business will use IT to achieve its business objectives.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

7 essential technology upgrades for your business

IT skills and 91�㽶��ɫ��Ƶ for your staff

Strategic planning for business growth

Content category

IT
Source URL
/content/align-it-your-business-strategy

Links
Develop an IT strategy

Discover the role of IT strategy in business and how to create an IT strategy that 91�㽶��ɫ��Ƶs your business objectives.
Technology is capable of disrupting industries and businesses. To succeed long-term, your IT systems - and your business - need to be able to develop and adapt to the changes around them. This is where a good IT strategy comes in.

What is an IT strategy?

Information technology (IT) strategy is a roadmap of a sort, helping you to align your IT projects with business priorities. It allows you to carefully plan for the long term and evaluate your IT needs and priorities before making an investment.

An IT strategy also helps you to:

plan for implementation of any new technology initiatives

keep control over the costs

mitigate the risk of IT failure and disruption to your business

How do you develop an IT strategy?

There are many approaches to developing an IT strategy for business. The main one involves a sequential process that gives you a detailed view of your IT requirements and a clear plan for meeting them.

Follow these simple steps to plan an IT strategy for your business:

Outline your business strategic goals and objectives.

Define the strategy's purpose, lifespan and stakeholders.

Review existing IT systems and infrastructure for gaps or inefficiencies.

Build an inventory and assess the life expectancy of your current technology.

Carry out a technology needs assessment and define priorities for the next 3-5 years.

Identify the technical capabilities you will need to 91�㽶��ɫ��Ƶ your business.

Allocate budget, resources and consider how to align IT with your business strategy.

Acknowledge your constraints and limitations - eg lack of skills or resources.

Define exactly how you will implement new IT systems within your business.

Set realistic timeframes and milestones for the technology projects.

Create a framework for managing the system.

Decide on key metrics and KPIs to monitor new technology over time.

Your IT strategy may need to change over time as challenges, opportunities and priorities shift. It's important that you review and adjust your IT strategic plan periodically.

Importance of having an IT strategy

An IT strategy, if done correctly, can drive growth and efficiency in your business. It can 91�㽶��ɫ��Ƶ your goals and your staff, ensuring that your technology investments deliver value for your business.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Strategic planning for business growth

7 essential technology upgrades for your business

Computer hardware for business

Content category

IT
Source URL
/content/develop-it-strategy

Links
Choose the right IT system for your business

Introduction to the different types of IT systems in business and tips to help you choose between them.
It is vital to take due care when choosing new business IT solutions. Some of the key things you will have to consider when choosing any IT product are:

functionality

compatibility

skills and 91�㽶��ɫ��Ƶ required

ability to scale up

integration

security

management and reporting capabilities

You may want to carry out a technology needs assessment to help you consider what your business needs are today, and what they might be in the future. Technology moves quickly, so it's worth getting a future-proof system and keeping up with the latest developments.

Types of IT systems in business

Most businesses have several information systems in place. For example:

executive 91�㽶��ɫ��Ƶ systems - typically involve data analysis and planning tools to help with strategic decision-making

management information systems - usually work with internal sources of information and help organise, evaluate, manage and present data in a readable form

decision 91�㽶��ɫ��Ƶ systems - typically rely on databases to produce 'what-if' type of analysis

knowledge management systems - help businesses create, share and manage information, often collaboratively

transaction processing systems - automate routine transactions, such as billing, payroll, stock control, etc

office automation systems - enable processing of data and information in a productive, efficient way

With all these systems, there are options to suit every kind of business.

Bespoke systems

You can ask a solutions provider to build you a system tailored exactly to your needs. However, this can be expensive and smaller businesses often find that 'off-the-shelf' software may be more practical than trying to develop something bespoke.

Cloud systems

Cloud computing provides businesses with a way of managing data, hardware and software requirements by using resources on the internet that are stored 'in the cloud'. This makes them accessible from any computer or mobile device with an internet connection and web browser.

Linked systems

When you buy a new IT product, you may want to integrate it with your existing systems. For example, new accounting software with existing orders, purchasing and stock control systems. This allows you to continue using your existing tools alongside the new technology. However, compatibility issues are possible and you may need specialist 91�㽶��ɫ��Ƶ to set up the systems to meet your exact needs.

Networked systems

Networking your computers is almost always worthwhile. Networking allows you to share hardware, software and internet access. More importantly, it makes it easy for people to share information and work together. See more on computer networking.
Help

Invest NI Helpline

Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Choose an IT supplier for your business

Computer software for business

Choosing computer hardware for your business

Benefits of databases

Content category

IT
Source URL
/content/choose-right-it-system-your-business

Links
Implement new IT system within your business

Follow this process to help you embed and successfully implement new technology in your business.
Implementing new technology can be challenging. If not done correctly, it can create big problems for your business, causing delays, productivity losses and budget overruns.

Steps for successful systems implementation

Follow a well-tested information system implementation process to minimise disruption to your business. This process involves:

Communication

Staff need time to adapt to changes. Explain your reasons for the new system and the benefits you expect it to achieve, to get everyone's buy-in for the project.

Project kick-off

Good project management is key to ensuring that the implementation goes smoothly. Establish your project team, assign roles and responsibilities, and create and distribute a clear implementation plan.

System installation and configuration

Your IT supplier will typically install the system, but your in-house IT team (if you have one) may be involved. During installation, configure the system, set up the necessary outputs or reports (eg weekly sales reports, monthly debtor reports, etc), test them and have them ready to run.

Change management

Staff can struggle with change, get confused over new workloads or duties, or resist new technology. It is important to manage this carefully and follow best practices for change management.

Staff training

Your staff may need system-specific training to operate the new system. During their training, you may need cover for their regular tasks. You may also need 'top-up' training at a later stage to reinforce the initial sessions. You can run user acceptance tests as part of the training package.

User 91�㽶��ɫ��Ƶ

Staff using the new system will need ongoing 91�㽶��ɫ��Ƶ. You may choose an in-house helpdesk or an external solution. See IT skills and 91�㽶��ɫ��Ƶ for your staff.

Data migration

You may need to migrate data from your old system to the new one. Prepare this data as early as possible. Pay close attention to the format, content and volume, as all can cause issues with the new system. Depending on your project, you may want to keep two sets of data for a while (on an old and a new system), in case you run into any follow-up issues.

Contingency planning

IT system implementations don't always go according to plan. Prepare actions for possible scenarios of things going wrong to avoid disruptions. Learn about business continuity and crisis management.

Scheduling go-live

Plan to bring your new system live during a slow period for your business or, at the very least, take account of things like seasonality, staff leave, skill readiness, 91�㽶��ɫ��Ƶ available, etc. Make sure you have sufficient resources in place when you go live.

Monitoring risks during implementation

Work with the supplier during implementation, as well as when the system goes live to ensure that they quickly address any gaps and concerns.

Checking security

Evaluate any security concerns that a new system can cause. Carry out a security audit to check the system for weaknesses and, if necessary, consider encryption mechanisms to protect the system's data. Read more on cyber security for business.

Measuring outcomes and results

Set clear metrics to measure the success of the implementation. See how to measure performance and set targets.

To keep your IT project on track, evaluate the system carefully and carry out a technology needs assessment to help you choose the right IT system for your business.

Potential pitfalls of new IT system implementation

System implementations are often derailed because businesses:

fail to plan the project realistically

underestimate timescales to analyse, design, plan, test and execute the change

manage the project poorly

fail to 91�㽶��ɫ��Ƶ staff with training or change acceptance

drag out the project and overspend

fail to define roles and responsibilities of providers, stakeholders and key staff

Help with IT system implementation

Few businesses have enough expertise to implement new IT systems on their own. Suppliers of IT solutions can give advice, although they are likely to favour the solutions that they provide. In many cases, they can customise their solution to meet your particular needs. Alternatively, you can use an independent consultant to help you review, choose and implement an IT solution.
Help

Invest NI Helpline

Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Choose an IT supplier for your business

Content category

IT
Source URL
/content/implement-new-it-system-within-your-business

Links
Integrate your back-office systems

Link your back-office and online systems together to improve efficiency and increase customer satisfaction.
Linking your back-office and online systems together improves efficiency and could ultimately lead to greater customer satisfaction and cost savings.

What are back-office systems?

Back-office systems run all your business administration processes, such as accounts and customer relationship management. They are typically an automated set of processes run by a piece of software on your computer. A back-office system, using an accounting package or database, will:

record all sales transactions

record all purchases

update inventory records accordingly

generate all appropriate paperwork - ie invoices and receipts

Many back-office systems can also link into courier systems for printing shipping labels or producing reports that are invaluable in monitoring business performance and predicting future trends.

What is integration in IT?

In practical terms, system integration means connecting different IT systems together. For example, linking your online e-commerce system with your back-office accounts and database systems, so that when a customer places an order online, your web store and back office deal with the sale as one.

The online system accepts the order and then relays all this information back to the customer, while the back office records the transaction, adjusts inventory levels, generates an invoice and fulfils the order. See more on customer relationship management.

Benefits of system integration

Advantages of IT system integration include:

greatly improved customer service

faster response times

enhanced capacity - automation allows you to handle larger volumes of business

reduced costs in the medium and long term

improved accuracy - fewer chances for error with two systems accessing the same data

better use of staff time

Integration solutions

The three main options for achieving integration are:

purchasing off-the-shelf software that includes built-in back-office functionality

employing a specialist software firm to create an interface between your systems

using an application or cloud computing service provider

When looking for software solutions, make sure they 91�㽶��ɫ��Ƶ open standards such as XML (Extensible Mark-up Language). You may also want to choose a flexible solution. For example, one that 91�㽶��ɫ��Ƶs multi-currencies, as this can help you move into new markets more easily.

It is important to determine your requirements correctly and thoroughly. See how to carry out a technology needs assessment.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Choose an IT supplier for your business

Computer software for business

Fulfilling online orders

Accounting software

Content category

IT
Source URL
/content/integrate-your-back-office-systems

Links
Checklist for planning and integrating IT systems

Things to consider when assessing your IT system needs, planning and executing a systems integration project.
Upgrading your IT systems can improve communications and allow people to work together more efficiently. However, you should plan carefully before you start to make sure that your new system will fit your needs.

The checklist below has some quick and simple tips to help you achieve this. To choose and implement an IT system, you should:

identify your key processes

identify any bottlenecks in your current system

find out your customers' and suppliers' requirements

understand the different technical options

seek independent expert advice if necessary

assess costs and benefits of different options

consider limitations, such as your employees' IT skills and your budget

prepare a thorough brief for your potential suppliers

plan for contingency, especially if you are tied to one particular a supplier

formulate a clear agreement with suppliers on what the solution will achieve

check if the deal includes ongoing 91�㽶��ɫ��Ƶ from the suppliers

decide if you prefer gradual implementation or a 'big bang'

create a realistic budget, including resources for training

set a realistic timetable, including time for testing

allow for unexpected costs and delays

plan how you will involve employees and overcome resistance to change

manage the project and track progress from beginning to end

If you'd like to learn more about the different processes involved in choosing and implementing an information technology system, detailed guidance is given on other pages in this guide.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Measure performance and set targets

Best practice in business

Choose an IT supplier for your business

Content category

IT
Source URL
/content/checklist-planning-and-integrating-it-systems

Links
Benefits of information systems in business

Understand the ways in which IT can help boost efficiency, productivity and profit margins in your business.
Even the simplest use of technology can dramatically improve your business' productivity and efficiency. Arguably, the greatest benefit of information systems is their ability to give users the information they need to carry out tasks efficiently.

Importance of information systems

IT systems can produce:

custom data to help with a specific task or decision-making

custom format (eg list, chart, etc) which can be tailored to the user's need

real-time data, particularly useful where fast action is needed (eg mechanical fault)

archived data, particularly useful for reports, analysis and business planning

Other advantages of information systems

Technology systems can also benefit a business by enabling:

operational efficiencies

cost reductions

supply of information to decision-makers

better customer service

continuous availability of the systems

growth in communication capabilities and methods

To maximise the benefits of your IT system, you have to fully utilise all its features and functions. For example, you can:

Use instant messaging, emails, voice and video calls, and even chatbot technology to improve communication with customers and suppliers. This could save you time, money and effort, allowing you to react quickly to new work.

Integrate your back-office systems to reduce administrative costs. For example, you can link your online e-commerce shop front with stock control and accounting systems to streamline your processes.

Use labelling products with unique numbers and scannable barcodes to boost your efficiency, and improve your stock control and supply chain management.

Use different solutions, such as customer relationship management systems or mobile technology, to improve levels of customer service. These may help you record, organise and plan contact with customers, access customer details on the go and view customer interactions.

It is important to weigh up the benefits of new IT systems against the costs and potential challenges. One way to ensure that your new system delivers value is to align IT with your business strategy.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Benefits of intranets and extranets

Benefits of email and the internet

7 essential technology upgrades for your business

Content category

IT
Source URL
/content/benefits-information-systems-business

Links
Understanding your business IT needs (video)

This short video tutorial explains some key considerations when assessing the IT needs of your business.

IT can play an essential role in any business. But first, you need to know the aims of your business to see how IT can help. Then, you will be able to choose the right IT system and make the most of it.

Watch this short video tutorial to understand the key considerations when assessing the IT needs of your business.

Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

7 essential technology upgrades for your business

IT skills and 91�㽶��ɫ��Ƶ for your staff

Content category

IT

Source URL
/content/understanding-your-business-it-needs-video

Links

Using your mobile in EU and EEA countries

dcomisso — Fri, 23 Jul 2021 12:17:34 +0000

Using your mobile in EU and EEA countries dcomisso Fri, 23/07/2021 - 13:17

Using your mobile in EU and EEA countries

Comply with the Children's code to protect children's privacy online

dcomisso — Mon, 22 Mar 2021 16:33:00 +0000

Comply with the Children's code to protect children's privacy online dcomisso Mon, 22/03/2021 - 16:33

Comply with the Children's code to protect children's privacy online

Does the GDPR still apply to the UK?

dcomisso — Tue, 02 Mar 2021 15:47:07 +0000

Does the GDPR still apply to the UK? dcomisso Tue, 02/03/2021 - 15:47

UK General Data Protection Regulation (UK GDPR)

In this guide:

Does the GDPR still apply to the UK?

The EU GDPR no longer applies to UK businesses, unless they operate in, offer goods and services to, or monitor the behaviour of, individuals in the EEA.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:
directly to you:
if you operate in the European Economic Area (EEA)
offer goods or services to individuals in the EEA
monitor the behaviour of individuals in the EEA
to any organisations in Europe who send you data
If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.
Data collected before the end of the transition period
Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'.
What is the UK GDPR?
The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:
offering goods or services to individuals in the UK, or
monitoring the behaviour of individuals taking place in the UK
If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.
The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.
This guide does not constitute legal advice and is provided for general information purposes only.
Actions

ICO guide to the UK GDPR

Data protection self-assessment

Data protection: small business and sole traders checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/does-gdpr-still-apply-uk

Links
Who does the UK GDPR apply to?

Understand the difference between data controllers and processors, and how the UK GDPR applies to each group.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.
The UK GDPR does not apply to the personal data processed:
by competent authorities for law enforcement purposes
for the purposes of safeguarding national security or defence
in the course of a purely personal or household activity, with no connection to a professional or commercial activity
What is the difference between data controllers and data processors?
Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:
data controllers decide why and how they process personal data
data processors hold or process data on behalf of a data controller
You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.
How to determine if you are a processor or a controller
Whether you are a controller or processor depends on who determines:
the purposes for which the data is being processed
the means of processing
If you determine the purposes and the means of processing, you will be the controller.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.
GDPR obligations on data processors
Under the UK GDPR, processing refers to any type of handling of personal data, including:
obtaining, recording or keeping data (electronically or in hard copy)
organising or altering the data
retrieving, consulting or using the data
disclosing the data to a third party (including publication)
erasing or destroying the data
If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.
GDPR obligations on data controllers
If you are a controller, you will have the highest level of compliance responsibility. This means:
you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
you are responsible for the compliance of your processors
you will be liable for a breach of any of these obligations
you must pay the data protection fee, unless you are exempt
Data protection fee
Under the Data Protection (Charges and Information) Regulations 2018, organisations that handle personal information electronically, such as people's names and addresses, must register with the ICO and pay an annual data protection fee, unless exempt.
Whether you need to pay the fee depends on how your organisation uses personal information for work purposes. For example, if you store personal information on a computer or phone, you must check if the fee applies. If you use CCTV or dashcams, you will likely need to pay.
The cost of your data protection fee depends on your size and turnover. For those with 10 or fewer employees, the fee is currently £40 per year. It's important to pay if you need to, to avoid a fine.
You can use the ICO's online self-assessment to pay or check if you're exempt. It will guide you through some questions about how your organisation uses data to determine whether you need to pay.
Find out more about the data protection fee.
Exemptions from UK GDPR
In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:
crime, law and public protection
regulation, parliament and the judiciary
journalism, research and archiving
health, social work, education and child abuse
finance, management and negotiations
references and exams
Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.
If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO fee assessment tool

Data protection self-assessment

Contracts and liabilities between controllers and processors

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/who-does-uk-gdpr-apply

Links
What is considered personal data under the UK GDPR?

Find out what constitutes personal data under the UK GDPR, and if your processing activities need to comply with the UK regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:
name
date of birth
identification numbers
bank details
addresses, including email addresses
other location data, such as an IP address
online identifiers
Other factors, or a combination of factors, may also identify an individual. For example:
information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains
If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.
Sensitive personal data
Personal data may also include special categories of personal data, such as:
data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
data on criminal conviction and offences
These are considered to be more sensitive and you may only process them in more limited circumstances.
Does your data relate to an individual?
For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:
the content of the data - is it directly about the individual or their activities
the purpose you will process the data for
the results of (or effects on) the individual from processing the data
It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.
The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).
In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.
How long can you keep personal data?
The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.
Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.
The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:
for the least amount of time that you can
in accordance with the requirements of your business
stored securely while it is in your possession
until it reaches the appointed deletion time
See more on accountability under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on special category data

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/what-considered-personal-data-under-uk-gdpr

Links
Data protection principles under the UK GDPR

Key UK GDPR principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.
1. Lawfulness, fairness and transparency principle
To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:
identify valid grounds for collecting or using personal data - known as the lawful basis
ensure that your use of data doesn't breach any other laws
use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
be clear, open and honest with people about how you will use their personal data
2. Purpose limitation principle
To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:
be clear about what your purposes for processing are from the start
record your purposes as part of your documentation obligations
inform individuals about your purposes to comply with transparency obligations
ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent
3. Data minimisation principle
To comply with the third principle, you must ensure that the personal data you are processing is:
adequate - sufficient to properly fulfil your stated purpose
relevant - has a rational link to that purpose
limited to what is necessary - you do not hold more than you need for that purpose
4. Accuracy principle
The accuracy principle requires you to take all reasonable steps to:
ensure the personal data you hold or process is not incorrect or misleading
ensure that the source and status of personal data are clear
consider any challenges to the accuracy of information
consider if it is necessary to periodically update the information
5. Storage limitation principle
To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:
think about - and be able to justify - how long you keep the data depending on the purpose you need it for
set a retention policy or schedule wherever possible, to comply with the documentation requirements
periodically review the data you hold, and erase or anonymise it when you no longer need it
carefully consider any challenges to your retention of data, for example when it comes to erasure
6. Integrity and confidentiality (also known as the security principle)
To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:
against unauthorised or unlawful processing
against accidental loss, destruction or damage
using appropriate technical or organisational measures
7. Accountability principle
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

ICO guidance on legitimate interests

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-principles-under-uk-gdpr

Links
Lawful basis for processing of personal data

An overview of the six lawful bases for processing personal data under the UK GDPR, and how to rely on them in your business.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.
There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.
Conditions for processing data under the UK GDPR
The lawful bases for processing include:
Consent
This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.
Contract
This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.
Legal obligation
This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.
Vital interests
This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.
Public task
This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
Legitimate interest
This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.
Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.
Why must you have a lawful basis for processing?
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.
The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.
Deciding which lawful basis applies
You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:
check that the processing is necessary for the relevant purpose
check that there is no other reasonable way to achieve this purpose
document why you chose a particular lawful basis - to demonstrate compliance
explain the purpose and the lawful basis for processing in your privacy notice
If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.
Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.
You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
Can you switch lawful basis for processing?
It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.
Documenting lawful basis
To satisfy the UK GDPR's accountability principle, you must keep a record of:
which basis you are relying on for each processing purpose
a justification for why you believe the basis applies
There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.
Find out more about documentation requirements in our guidance on accountability.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Lawful basis for processing

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/lawful-basis-processing-personal-data

Links
Obtaining, recording and managing consent under the UK GDPR

Introduction to consent under the UK GDPR, the right to withdraw it, and the consequences of non-compliance with consent requirements.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).
What is valid consent under the GDPR?
For consent to be valid under the UK GDPR, it must:
be freely given - giving people genuine choice and control over how you use their data
be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
be obvious that the individual has consented, and what they have consented to
require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand
Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.
When should you obtain consent under GDPR?
You may need to seek consent in a number of circumstances. For example, if:
no other legal basis for data processing applies
you want to use or share someone's data in unexpected or potentially intrusive ways
you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)
Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.
Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.
When should you not use consent?
You should not use consent as your lawful basis for processing if:
you can't offer people a genuine choice over how they use their data
you could process data on a different lawful basis if consent is refused or withdrawn
you ask for consent as a precondition of accessing your services
you are in a position of power over the individual, eg an employer processing employee data
Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
How to obtain consent
You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.
You should obtain consent upfront before processing begins. As a minimum, your consent request must include:
the name of your organisation and of any other controllers who will rely on the consent
why you want the data (the purposes of the processing)
what you will do with the data (the processing activities)
that people can withdraw their consent at any time
You can use different methods to obtain consent, but you must ask people to actively opt in.
Opt-in consent
Examples of active opt-in mechanisms include:
signing a consent statement on a paper form
ticking an opt-in box on paper or electronically
clicking an opt-in button or link online
selecting from equally prominent yes/no options
choosing technical settings or preference dashboard settings
responding to an email requesting consent
answering yes to a clear oral consent request
volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
Explicit consent
If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.
If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.
If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.
If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.
How to record consent
Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:
who consented
when they consented
what they were told at the time
how they consented
whether they have withdrawn consent (and if so, why)
An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Reviewing consent
Your obligations don't end when you get consent. You should keep your consents under review and refresh them:
if anything changes, eg if your purposes for processing evolve
if you rely on parental consent, when children grow up and can consent for themselves
automatically at appropriate intervals, depending on the context, people's expectations
If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.
How long does GDPR consent last?
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Managing consent for use of personal data
In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.
You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.
What happens when someone withdraws their consent?
If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.
Consent and individuals' rights
If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:
the right to erasure (also known as 'the right to be forgotten')
the right to data portability
the right to withdraw consent - which in effect operates as a right to stop the processing
See more on data subject rights under the UK GDPR.
Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment tool

ICO consent checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/obtaining-recording-and-managing-consent-under-uk-gdpr

Links
Data subject rights under the UK GDPR

Introduction to the rights of individuals under the UK GDPR, and your duties and obligations in respect of them.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.
Individuals' rights under the UK GDPR
Under the regulation, individuals can exercise:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object to processing
The rights in relation to automated decision making and profiling
1. Right to be informed
This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:
your business
your purposes and lawful basis for processing their personal data
who the data will be shared with, including details of international transfers
your retention periods for that personal data
the rights available to them in respect of processing
the right to lodge a complaint
Depending on the type of processing you do, you may need to provide other categories of information as well. For example:
if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent
You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.
The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.
2. Right of access (known as subject access request)
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).
Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.
If you receive a valid SAR:
you should perform a reasonable search for the requested information
you should respond without delay and within one month of receipt of the request
you may extend the time limit by a further two months in certain circumstances
you should provide the information in an accessible, concise and intelligible format
you should disclose information securely
You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.
3. Right of rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.
If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.
4. Right to erasure (also known as the right to be forgotten)
In certain circumstances, individuals have the right to ask you to erase their personal data if:
you have processed their data unlawfully
you no longer need the data for the original purpose
you rely on consent for processing or holding the data, and they withdraw it
they exercise their right to object to processing, and you can't override their objection
erasure is necessary for compliance with other legal obligations
If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.
Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.
5. Right to restrict processing
Individuals can ask you to restrict processing their personal data if, for example:
they believe their data is not accurate and you are verifying the accuracy of the data
the processing is unlawful but the individual doesn't want the data erased
you no longer need the data but the individual needs it to exercise a legal claim
you are taking steps to verify overriding grounds in the context of a request
If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.
If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.
6. Right to data portability
This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:
your lawful basis for processing this information is consent or contract
you are carrying out the processing by automated means (ie excluding paper files)
For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.
7. Right to object to processing
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:
a task carried out in the public interest
the exercise of official authority vested in you, or
your legitimate interests (or those of a third party)
In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.
If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:
you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
the processing is necessary in connection with legal rights
See more on the right to object.
8. Right related to automated decision making including profiling
Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:
automated individual decision-making - ie making a decision solely by automated means without any human involvement
profiling - automated processing of personal data to evaluate certain things about an individual
You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO guide on individual rights

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-subject-rights-under-uk-gdpr

Links
Dealing with subject access requests under the UK GDPR

How to handle subject access requests effectively and within the legal timeframe under the UK General Data Protection Regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.
What is a subject access request (SAR)?
A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:
can be verbal or in writing
can be submitted by any means, eg via web form, email, letter, phone call, etc
can be made to any part of your business, not just a specific department
doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data
The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.
The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.
Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.
Who can request personal information?
Individuals will only be able to request access to their own personal data, unless:
they are authorised to act on behalf of someone
the data that relates to another person also happens to relate to them
Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.
You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.
The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.
What should be provided as part of subject access request?
Data subjects are entitled to receive:
confirmation of whether you are processing their data
a copy of their personal data
other supplementary information (including mandatory privacy information)
Before responding to any request, you should establish if the information requested falls within the definition of personal data.
How to respond to a subject access request?
To comply with subject access requests, you have to:
respond to a request without undue delay and within one month of receipt
give information in a concise, transparent, intelligible and easily accessible form
use clear and plain language, especially if you are disclosing information to a child
respond electronically, if the request was made by the same means - unless asked otherwise
You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.
How long do I have to comply with SAR?
In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.
You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.
Seeking more information
If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.
If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.
Can you charge for subject access requests?
In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:
if the request is manifestly unfounded or excessive
if an individual requests further copies of their data following a request
Can I refuse a subject access request?
In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.
Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.
You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self assessment

How to deal with a request for information: a step-by-step guide

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/dealing-subject-access-requests-under-uk-gdpr

Links
Privacy information under UK GDPR

Best practices for UK GDPR privacy notices: what to include, how to present, and when to provide for compliance.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), you need to give individuals certain information when processing their personal data. This information is known as 'privacy information'. It's advisable to document this information in a 'privacy notice'.
What is a privacy notice under UK GDPR?
A privacy notice is a public statement that informs people how you collect, process and use their personal data. It ensures that individuals understand what happens to their data in accordance with their right to be informed.
Before drafting your privacy notice, identify the personal data you have and how you use it. You might need to carry out an information audit or data mapping. Make sure to communicate privacy information clearly, honestly and openly with the individuals.
What to include in your GDPR privacy notice?
The UK GDPR outlines the categories of information and details required in your privacy notice. Key components of a privacy notice include:
Who is collecting the data?
What type of data are you collecting?
How and why are you collecting it?
What is the purpose and the lawful basis for processing the data?
Who can access the information?
Will you share the data with any third parties?
Will you transfer the data abroad?
What safeguards will you put in place for the security of this data?
How will you use the information?
How long will you store the data for?
What rights does the data subject have, including to withdraw consent?
How can the individual raise a complaint?
Will you be making automated decisions about the individual, including profiling?
What you need to tell people varies depending on whether you collect their data directly or from another source. The Information Commissioner's Office (ICO) provides detailed guidance on what information you must include in your privacy notice.
When to provide privacy information under UK GDPR?
Under the UK GDPR, timing requirements mandate that you provide privacy information at the time of data collection if:
you collect information directly from individuals (eg when they fill out a form)
you collect data by observation (eg using CCTV or online tracking)
This is generally done when securing consent or outlining legitimate interests to individuals.
If you obtain personal data from a third party or a public source, you must provide privacy information within a reasonable timeframe, but no later than one month.
For example:
if you plan to contact the individual using their data, give privacy information during the initial contact
if you plan to share data with others, provide a privacy notice with details about the sharing before disclosing the data
If you plan to use personal data for any new purposes, update your privacy information and inform individuals about the changes.
Best practices for providing privacy information under UK GDPR
There are several ways to provide privacy information, including:
layered notices - short notices with key privacy details and links to more detailed information
just-in-time notices - providing information at certain points of data collection (eg during a purchase)
icons and symbols - visual cues showing data processing activities
dashboards - tools that show how you use data and allow people to manage their preferences
smart device features - eg pop-ups, voice alerts and gestures on mobile devices
A blended approach, using multiple methods, is often most effective.
Tools and templates for creating a GDPR-compliant privacy notice
You can use our sample privacy notice and customise it to match your business needs and data processing activities.
You can also use the ICO's privacy notice generator tool, which is ideal for small businesses, sole traders and community groups. Other templates are available online but make sure that any template you use is GDPR-compliant and customised to your data practices.
This guide is for general information only and does not offer legal advice.
Help

ICO Helpline

Actions

FAQs on privacy notices

UK GDPR guidance and resources

Also on this site

Sample IT policies, disclaimers and notices

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/privacy-information-under-uk-gdpr

Links
Accountability under the UK GDPR

Accountability principle says organisations are responsible for, and must be able to demonstrate, compliance with the data protection laws.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.
What does accountability mean in UK GDPR?
Accountability means:
you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply
For a small business, this means you must:
ensure a good level of understanding and awareness of data protection amongst your staff
implement comprehensive but proportionate policies and procedures for handling personal data safely
keep records of what you do and why
You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
How to comply with accountability obligations
The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:
1. Data protection policies
The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:
privacy procedure and notice
staff training policy
information security policy
data protection impact assessment procedure
retention of records procedure
subject access request form and procedure
international data transfer procedure
data portability procedure
Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.
2. Contracts
If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.
3. Documentation
By law, most organisations are required to maintain a record of their processing activities, covering:
name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
the processing purposes
a description of the categories of individuals and categories of personal data
the categories of recipients of personal data
details of your transfers to third countries, including the safeguards in place
retention schedules
a description of your technical and organisational security measures
If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.
As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:
information required for privacy notices
records of consent
controller-processor contracts
the location of personal data
Data Protection Impact Assessment reports
records of personal data breaches
information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018
Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.
4. Data protection by design and default
This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.
The UK GDPR suggests measures that may be appropriate to this, such as:
minimising the data you collect - both in terms of volume and retention
storing data no longer than is necessary
storing data only for the purposes for which it is processed
applying pseudonymisation techniques
improving security features
To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.
5. Data protection officers (DPOs)
The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:
you are a public authority or body
you carry out certain types of processing activities, including:
regular and systematic monitoring of data subjects on a large scale
large-scale processing of sensitive personal data or data relating to criminal convictions and offences
This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.
A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.
Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.
6. Codes of conduct and certification
Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.
Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/accountability-under-uk-gdpr

Links
UK GDPR data protection audit: checklist

Things you should consider when carrying out a data protection audit of your organisation's compliance with the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).
What is a data mapping audit?
A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.
The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.
How to perform a data mapping audit?
To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:
What types of personal data do you hold?
List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?
Why do you hold this data?
List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).
How did you collect this data?
List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?
How do you store it?
Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?
What do you do with this data?
How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?
Who owns and controls the data?
Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?
How long do you keep the data for?
Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?
What do you need to do to make your data processing GDPR compliant?
List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.
It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.
Data audit templates
The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:
Download documentation template for controllers (Excel, 31K)
Download documentation template for processors (Excel, 19K)
Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/uk-gdpr-data-protection-audit-checklist

Links
Data protection impact assessments

What is a data protection impact assessment, and how to carry out a DPIA to comply with the requirements of the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.
When is an organisation required to carry out a data protection impact assessment?
You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:
systematic and extensive profiling with significant effects
large-scale use of special category or criminal offence data
systematic monitoring of publicly accessible places on a large scale
When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:
evaluation or scoring
automated decision-making with legal or similar significant effect
systematic monitoring
sensitive data or data of a highly personal nature
data processed on a large scale
matching or combining datasets
data concerning vulnerable data subjects
innovative use or applying new technological or organisational solutions
preventing data subjects from exercising a right or using a service or contract
*EU Exit has not caused any significant change to the criteria that compel DPIAs in the UK, so the Information Commissioner's Office (ICO) still considers these guidelines to be relevant.
In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.
What type of processing is likely to result in high risk?
The ICO maintains a list of processing operations that require a DPIA. These include:
use innovative technologies (including artificial intelligence)
use of profiling or special category data to decide on access to services
profiling individuals on a large scale
processing biometric data
processing genetic data, unless by a health professional providing health care directly to the data subject
matching data or combining datasets from different sources
collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
tracking individuals' location or behaviour, including but not limited to the online environment
profiling children or targeting marketing or online services at them
processing data that might endanger the individual's physical health or safety in case of data breach
Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.
If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
How do you do a data protection impact assessment?
Typically, a DPIA will involve the following key steps:
identify the need for a DPIA
describe the processing
consider consultation
evaluate the necessity and proportionality
identify data protection and related risks
identify measures to reduce or eliminate the risks
sign off and record the outcomes of the DPIA
integrate data protection solutions into the project
keep under review
You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.
You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified.
The ICO offers a summary guidance on DPIA process.
Data protection impact assessment template
You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.
Consulting the ICO about high risk processing
If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.
In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:
issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
impose a limitation or ban on your intended processing
If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.
Failure to carry out data protection impact assessments
DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also 91�㽶��ɫ��Ƶ compliance with data protection by design and default obligations.
Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide on DPIAs

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-impact-assessments

Links
Security principle under the UK GDPR

Measures you should put in place to satisfy data integrity, confidentiality and availability requirements under the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.
The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.
What level of security is needed under UK GDPR?
The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
The security measures you put in place should seek to ensure that:
the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
the data you hold is accurate and complete in relation to why you are processing it
the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned
Organisational security measures
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:
build security awareness in your organisation
allocate responsibility for information security within your organisation
ensure those responsible have the resources and authority to do their job effectively
An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.
Other related matters you will need to consider include:
co-ordination between key people in your organisation
access to premises or equipment given to anyone outside your organisation
business continuity arrangements for the protection and recovery of personal data you hold
periodic checks on and updates to your security measures
Technical security measures
Technical measures include both:
physical security, which covers things like
protection of premises by means of alarms, lighting, CCTV
control of access to premises
disposal of paper and electronic waste
secure maintenance and disposal of IT equipment, mobile devices, etc
IT security (or cyber security), extending to the security of
your network and information systems
the data you hold within your systems
your website, online services and applications that you use
your devices, including policies on the use of personal devices in the workplace
Encryption
The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:
widely-available
relatively low costs to implement
available in a large variety of solutions
If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.
Password authentication
Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
Therefore, any password setup that you implement must:
be appropriate to the particular circumstances of this processing
protect against theft of stored passwords
protect against 'brute-force' or guessing attacks
There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.
The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.
Test your security measures
The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.
Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Privacy and data protection in direct marketing

Comply with the Children's code to protect children's privacy online

Content category

IT
Source URL
/content/security-principle-under-uk-gdpr

Links
Reporting serious breaches of personal data

Serious breaches of personal data that puts people's rights and freedoms at risk must be reported to the Information Commissioner's Office.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.
What is a breach of personal data?
A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:
if you lose, destroy, corrupt or disclose personal data
if someone accesses the data or passes it on without proper authorisation
if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals
When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:
how serious or substantial these are, and
how likely they are to happen
In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.
Should I report a data breach?
You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:
discrimination
damage to reputation
emotional distress
identity theft or fraud
financial or material loss
other significant economic or social disadvantages
You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.
Telling individuals about a breach
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.
If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.
Determine the level of risk accurately
If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.
If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.
What if a processor experiences a data breach?
If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.
How long do organisations have to report data breaches?
You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.
When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:
the nature of the breach, including:
the categories and approximate number of affected individuals
the categories and approximate number of affected data records
the likely consequences of the breach
the measures taken or proposed to be taken, to deal with and mitigate the breach
the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained
Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.
How do I notify the ICO of the data breach?
To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.
A breach affecting individuals in EEA countries will engage the EU GDPR. This means that as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach. For more information, see the Article 29 Working Party guidance on identifying your lead authority.
Recording personal data breaches
As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.
In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.
You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Failing to report a data breach
Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.
You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.
Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on ransomware and data protection compliance

Also on this site

Cyber security for business

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/reporting-serious-breaches-personal-data

Links
Rules on restricted transfers of personal data

Overview of the rules and regulations governing international transfers of personal data from the UK.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.
Are you making a restricted transfer?
You are making a restricted transfer of personal data if:
the UK GDPR applies to your processing of the personal data you are transferring
you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group
Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.
Rules on transferring personal data from the UK
Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:
Is the restricted transfer covered by adequacy regulations?
Is the restricted transfer covered by appropriate safeguards?
Is the restricted transfer covered by an exception?
Adequacy decisions
You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.
Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:
an adequacy decision for Gibraltar
an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
partial findings of adequacy about Japan and Canada
If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
Appropriate safeguards
Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.
The safeguards include:
a legal instrument between public authorities or bodies
UK Binding Corporate Rules (UK BCRs)
data protection clauses for restricted transfer
an approved code of conduct
certification under an approved certification scheme
contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
administrative arrangements between public authorities or bodies
UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.
You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.
Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.
Exceptions on restricted transfers
If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.
Specific exemptions, or derogations, for data transfers apply when:
the data subject explicitly consents to the transfer (and is aware of the risks)
you have a contract with the individual and:
the transfer is needed for the performance of that contract
the contract benefits another individual whose data is being transferred
the transfer is deemed necessary for reasons of public interest
the transfer is necessary in relation to a legal claim
the transfer is necessary to protect the data subject's vital interests (eg their life)
the transfer is made from a public register created under UK law
the transfer is a one-off and necessary for your competing legitimate interests
If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.
Rules on transferring personal data from the EEA into the UK
Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:
the country they are sending data to is covered by an EC adequacy decision
one of the EU GDPR appropriate safeguards is in place
one of the list of EU GDPR exceptions applies
The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/rules-restricted-transfers-personal-data

Links
Contractual clauses for international data transfer

Find out how to use standard data protection clauses and the new International Data Transfer Agreement (IDTA) and addendum, to lawfully and securely transfer personal data to 'third' countries
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.
Standard Contractual Clauses (SCCs) for restricted transfers from the EU
In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.
Restricted data transfers from the UK
As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:
International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
Addendum to the EU SCCs – most likely to be used for transfers involving EU data
The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.
International Data Transfer Agreement and guidance
The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.
The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.
Find more information on the IDTA and the Addendum.
Transition period for using the IDTA and the Addendum
The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:
SCCs for controllers to processors (Word, 124K)
SCCs for controllers to controllers (Word, 112K)
All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.
From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.
Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

International data transfers after the EU exit

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/contractual-clauses-international-data-transfer

Links
GDPR penalties and fines

Two levels of fines are possible under the UK data protection law, as well as other sanctions and penalties if you breach data protection rules and legislation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).
The ICO can issue sanctions for a breach of the regulation, including:
warnings and reprimands
compliance orders
bans on processing or data transfers (permanent or temporary)
administrative fines
Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.
Fines for infringement of the UK GDPR
Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:
a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation
The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.
How does the ICO determine the level of penalties?
The ICO will consider a number of factors when determining the level of penalties, including::
the nature, gravity, and duration of the infringement
the number of people affected and the extent of the damage to them
whether the breach was intentional or negligent
any previous history of noncompliance
any action taken to mitigate the damage
whether the controller notified the ICO of the infringement and co-operated
See more on reporting serious breaches of personal data.
A breach affecting individuals in EEA countries will engage the EU GDPR. For businesses that process personal data of EU citizens, failure to comply with the EU GDPR may result in penalties under the EU regulation. A maximum fine under the EU GDPR is €20 million or 4 per cent of the business's total annual worldwide turnover.
As part of your breach response plan, you should establish which European data protection agency is the lead supervisory authority for the processing activities that have been subject to the breach. For more information, see guidance on identifying your lead authority.
Impact of GDPR non-compliance
The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.
You may be subject to:
private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
reputational damage
loss of consumer trust
It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/gdpr-penalties-and-fines

Links

What is considered personal data under the UK GDPR?

dcomisso — Tue, 02 Mar 2021 15:34:32 +0000

What is considered personal data under the UK GDPR? dcomisso Tue, 02/03/2021 - 15:34

UK General Data Protection Regulation (UK GDPR)

In this guide:

Does the GDPR still apply to the UK?

The EU GDPR no longer applies to UK businesses, unless they operate in, offer goods and services to, or monitor the behaviour of, individuals in the EEA.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:
directly to you:
if you operate in the European Economic Area (EEA)
offer goods or services to individuals in the EEA
monitor the behaviour of individuals in the EEA
to any organisations in Europe who send you data
If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.
Data collected before the end of the transition period
Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'.
What is the UK GDPR?
The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:
offering goods or services to individuals in the UK, or
monitoring the behaviour of individuals taking place in the UK
If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.
The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.
This guide does not constitute legal advice and is provided for general information purposes only.
Actions

ICO guide to the UK GDPR

Data protection self-assessment

Data protection: small business and sole traders checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/does-gdpr-still-apply-uk

Links
Who does the UK GDPR apply to?

Understand the difference between data controllers and processors, and how the UK GDPR applies to each group.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.
The UK GDPR does not apply to the personal data processed:
by competent authorities for law enforcement purposes
for the purposes of safeguarding national security or defence
in the course of a purely personal or household activity, with no connection to a professional or commercial activity
What is the difference between data controllers and data processors?
Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:
data controllers decide why and how they process personal data
data processors hold or process data on behalf of a data controller
You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.
How to determine if you are a processor or a controller
Whether you are a controller or processor depends on who determines:
the purposes for which the data is being processed
the means of processing
If you determine the purposes and the means of processing, you will be the controller.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.
GDPR obligations on data processors
Under the UK GDPR, processing refers to any type of handling of personal data, including:
obtaining, recording or keeping data (electronically or in hard copy)
organising or altering the data
retrieving, consulting or using the data
disclosing the data to a third party (including publication)
erasing or destroying the data
If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.
GDPR obligations on data controllers
If you are a controller, you will have the highest level of compliance responsibility. This means:
you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
you are responsible for the compliance of your processors
you will be liable for a breach of any of these obligations
you must pay the data protection fee, unless you are exempt
Data protection fee
Under the Data Protection (Charges and Information) Regulations 2018, organisations that handle personal information electronically, such as people's names and addresses, must register with the ICO and pay an annual data protection fee, unless exempt.
Whether you need to pay the fee depends on how your organisation uses personal information for work purposes. For example, if you store personal information on a computer or phone, you must check if the fee applies. If you use CCTV or dashcams, you will likely need to pay.
The cost of your data protection fee depends on your size and turnover. For those with 10 or fewer employees, the fee is currently £40 per year. It's important to pay if you need to, to avoid a fine.
You can use the ICO's online self-assessment to pay or check if you're exempt. It will guide you through some questions about how your organisation uses data to determine whether you need to pay.
Find out more about the data protection fee.
Exemptions from UK GDPR
In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:
crime, law and public protection
regulation, parliament and the judiciary
journalism, research and archiving
health, social work, education and child abuse
finance, management and negotiations
references and exams
Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.
If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO fee assessment tool

Data protection self-assessment

Contracts and liabilities between controllers and processors

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/who-does-uk-gdpr-apply

Links
What is considered personal data under the UK GDPR?

Find out what constitutes personal data under the UK GDPR, and if your processing activities need to comply with the UK regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:
name
date of birth
identification numbers
bank details
addresses, including email addresses
other location data, such as an IP address
online identifiers
Other factors, or a combination of factors, may also identify an individual. For example:
information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains
If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.
Sensitive personal data
Personal data may also include special categories of personal data, such as:
data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
data on criminal conviction and offences
These are considered to be more sensitive and you may only process them in more limited circumstances.
Does your data relate to an individual?
For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:
the content of the data - is it directly about the individual or their activities
the purpose you will process the data for
the results of (or effects on) the individual from processing the data
It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.
The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).
In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.
How long can you keep personal data?
The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.
Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.
The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:
for the least amount of time that you can
in accordance with the requirements of your business
stored securely while it is in your possession
until it reaches the appointed deletion time
See more on accountability under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on special category data

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/what-considered-personal-data-under-uk-gdpr

Links
Data protection principles under the UK GDPR

Key UK GDPR principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.
1. Lawfulness, fairness and transparency principle
To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:
identify valid grounds for collecting or using personal data - known as the lawful basis
ensure that your use of data doesn't breach any other laws
use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
be clear, open and honest with people about how you will use their personal data
2. Purpose limitation principle
To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:
be clear about what your purposes for processing are from the start
record your purposes as part of your documentation obligations
inform individuals about your purposes to comply with transparency obligations
ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent
3. Data minimisation principle
To comply with the third principle, you must ensure that the personal data you are processing is:
adequate - sufficient to properly fulfil your stated purpose
relevant - has a rational link to that purpose
limited to what is necessary - you do not hold more than you need for that purpose
4. Accuracy principle
The accuracy principle requires you to take all reasonable steps to:
ensure the personal data you hold or process is not incorrect or misleading
ensure that the source and status of personal data are clear
consider any challenges to the accuracy of information
consider if it is necessary to periodically update the information
5. Storage limitation principle
To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:
think about - and be able to justify - how long you keep the data depending on the purpose you need it for
set a retention policy or schedule wherever possible, to comply with the documentation requirements
periodically review the data you hold, and erase or anonymise it when you no longer need it
carefully consider any challenges to your retention of data, for example when it comes to erasure
6. Integrity and confidentiality (also known as the security principle)
To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:
against unauthorised or unlawful processing
against accidental loss, destruction or damage
using appropriate technical or organisational measures
7. Accountability principle
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

ICO guidance on legitimate interests

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-principles-under-uk-gdpr

Links
Lawful basis for processing of personal data

An overview of the six lawful bases for processing personal data under the UK GDPR, and how to rely on them in your business.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.
There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.
Conditions for processing data under the UK GDPR
The lawful bases for processing include:
Consent
This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.
Contract
This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.
Legal obligation
This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.
Vital interests
This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.
Public task
This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
Legitimate interest
This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.
Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.
Why must you have a lawful basis for processing?
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.
The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.
Deciding which lawful basis applies
You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:
check that the processing is necessary for the relevant purpose
check that there is no other reasonable way to achieve this purpose
document why you chose a particular lawful basis - to demonstrate compliance
explain the purpose and the lawful basis for processing in your privacy notice
If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.
Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.
You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
Can you switch lawful basis for processing?
It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.
Documenting lawful basis
To satisfy the UK GDPR's accountability principle, you must keep a record of:
which basis you are relying on for each processing purpose
a justification for why you believe the basis applies
There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.
Find out more about documentation requirements in our guidance on accountability.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Lawful basis for processing

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/lawful-basis-processing-personal-data

Links
Obtaining, recording and managing consent under the UK GDPR

Introduction to consent under the UK GDPR, the right to withdraw it, and the consequences of non-compliance with consent requirements.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).
What is valid consent under the GDPR?
For consent to be valid under the UK GDPR, it must:
be freely given - giving people genuine choice and control over how you use their data
be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
be obvious that the individual has consented, and what they have consented to
require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand
Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.
When should you obtain consent under GDPR?
You may need to seek consent in a number of circumstances. For example, if:
no other legal basis for data processing applies
you want to use or share someone's data in unexpected or potentially intrusive ways
you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)
Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.
Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.
When should you not use consent?
You should not use consent as your lawful basis for processing if:
you can't offer people a genuine choice over how they use their data
you could process data on a different lawful basis if consent is refused or withdrawn
you ask for consent as a precondition of accessing your services
you are in a position of power over the individual, eg an employer processing employee data
Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
How to obtain consent
You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.
You should obtain consent upfront before processing begins. As a minimum, your consent request must include:
the name of your organisation and of any other controllers who will rely on the consent
why you want the data (the purposes of the processing)
what you will do with the data (the processing activities)
that people can withdraw their consent at any time
You can use different methods to obtain consent, but you must ask people to actively opt in.
Opt-in consent
Examples of active opt-in mechanisms include:
signing a consent statement on a paper form
ticking an opt-in box on paper or electronically
clicking an opt-in button or link online
selecting from equally prominent yes/no options
choosing technical settings or preference dashboard settings
responding to an email requesting consent
answering yes to a clear oral consent request
volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
Explicit consent
If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.
If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.
If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.
If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.
How to record consent
Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:
who consented
when they consented
what they were told at the time
how they consented
whether they have withdrawn consent (and if so, why)
An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Reviewing consent
Your obligations don't end when you get consent. You should keep your consents under review and refresh them:
if anything changes, eg if your purposes for processing evolve
if you rely on parental consent, when children grow up and can consent for themselves
automatically at appropriate intervals, depending on the context, people's expectations
If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.
How long does GDPR consent last?
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Managing consent for use of personal data
In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.
You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.
What happens when someone withdraws their consent?
If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.
Consent and individuals' rights
If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:
the right to erasure (also known as 'the right to be forgotten')
the right to data portability
the right to withdraw consent - which in effect operates as a right to stop the processing
See more on data subject rights under the UK GDPR.
Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment tool

ICO consent checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/obtaining-recording-and-managing-consent-under-uk-gdpr

Links
Data subject rights under the UK GDPR

Introduction to the rights of individuals under the UK GDPR, and your duties and obligations in respect of them.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.
Individuals' rights under the UK GDPR
Under the regulation, individuals can exercise:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object to processing
The rights in relation to automated decision making and profiling
1. Right to be informed
This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:
your business
your purposes and lawful basis for processing their personal data
who the data will be shared with, including details of international transfers
your retention periods for that personal data
the rights available to them in respect of processing
the right to lodge a complaint
Depending on the type of processing you do, you may need to provide other categories of information as well. For example:
if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent
You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.
The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.
2. Right of access (known as subject access request)
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).
Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.
If you receive a valid SAR:
you should perform a reasonable search for the requested information
you should respond without delay and within one month of receipt of the request
you may extend the time limit by a further two months in certain circumstances
you should provide the information in an accessible, concise and intelligible format
you should disclose information securely
You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.
3. Right of rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.
If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.
4. Right to erasure (also known as the right to be forgotten)
In certain circumstances, individuals have the right to ask you to erase their personal data if:
you have processed their data unlawfully
you no longer need the data for the original purpose
you rely on consent for processing or holding the data, and they withdraw it
they exercise their right to object to processing, and you can't override their objection
erasure is necessary for compliance with other legal obligations
If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.
Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.
5. Right to restrict processing
Individuals can ask you to restrict processing their personal data if, for example:
they believe their data is not accurate and you are verifying the accuracy of the data
the processing is unlawful but the individual doesn't want the data erased
you no longer need the data but the individual needs it to exercise a legal claim
you are taking steps to verify overriding grounds in the context of a request
If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.
If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.
6. Right to data portability
This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:
your lawful basis for processing this information is consent or contract
you are carrying out the processing by automated means (ie excluding paper files)
For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.
7. Right to object to processing
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:
a task carried out in the public interest
the exercise of official authority vested in you, or
your legitimate interests (or those of a third party)
In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.
If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:
you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
the processing is necessary in connection with legal rights
See more on the right to object.
8. Right related to automated decision making including profiling
Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:
automated individual decision-making - ie making a decision solely by automated means without any human involvement
profiling - automated processing of personal data to evaluate certain things about an individual
You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO guide on individual rights

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-subject-rights-under-uk-gdpr

Links
Dealing with subject access requests under the UK GDPR

How to handle subject access requests effectively and within the legal timeframe under the UK General Data Protection Regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.
What is a subject access request (SAR)?
A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:
can be verbal or in writing
can be submitted by any means, eg via web form, email, letter, phone call, etc
can be made to any part of your business, not just a specific department
doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data
The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.
The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.
Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.
Who can request personal information?
Individuals will only be able to request access to their own personal data, unless:
they are authorised to act on behalf of someone
the data that relates to another person also happens to relate to them
Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.
You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.
The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.
What should be provided as part of subject access request?
Data subjects are entitled to receive:
confirmation of whether you are processing their data
a copy of their personal data
other supplementary information (including mandatory privacy information)
Before responding to any request, you should establish if the information requested falls within the definition of personal data.
How to respond to a subject access request?
To comply with subject access requests, you have to:
respond to a request without undue delay and within one month of receipt
give information in a concise, transparent, intelligible and easily accessible form
use clear and plain language, especially if you are disclosing information to a child
respond electronically, if the request was made by the same means - unless asked otherwise
You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.
How long do I have to comply with SAR?
In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.
You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.
Seeking more information
If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.
If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.
Can you charge for subject access requests?
In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:
if the request is manifestly unfounded or excessive
if an individual requests further copies of their data following a request
Can I refuse a subject access request?
In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.
Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.
You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self assessment

How to deal with a request for information: a step-by-step guide

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/dealing-subject-access-requests-under-uk-gdpr

Links
Privacy information under UK GDPR

Best practices for UK GDPR privacy notices: what to include, how to present, and when to provide for compliance.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), you need to give individuals certain information when processing their personal data. This information is known as 'privacy information'. It's advisable to document this information in a 'privacy notice'.
What is a privacy notice under UK GDPR?
A privacy notice is a public statement that informs people how you collect, process and use their personal data. It ensures that individuals understand what happens to their data in accordance with their right to be informed.
Before drafting your privacy notice, identify the personal data you have and how you use it. You might need to carry out an information audit or data mapping. Make sure to communicate privacy information clearly, honestly and openly with the individuals.
What to include in your GDPR privacy notice?
The UK GDPR outlines the categories of information and details required in your privacy notice. Key components of a privacy notice include:
Who is collecting the data?
What type of data are you collecting?
How and why are you collecting it?
What is the purpose and the lawful basis for processing the data?
Who can access the information?
Will you share the data with any third parties?
Will you transfer the data abroad?
What safeguards will you put in place for the security of this data?
How will you use the information?
How long will you store the data for?
What rights does the data subject have, including to withdraw consent?
How can the individual raise a complaint?
Will you be making automated decisions about the individual, including profiling?
What you need to tell people varies depending on whether you collect their data directly or from another source. The Information Commissioner's Office (ICO) provides detailed guidance on what information you must include in your privacy notice.
When to provide privacy information under UK GDPR?
Under the UK GDPR, timing requirements mandate that you provide privacy information at the time of data collection if:
you collect information directly from individuals (eg when they fill out a form)
you collect data by observation (eg using CCTV or online tracking)
This is generally done when securing consent or outlining legitimate interests to individuals.
If you obtain personal data from a third party or a public source, you must provide privacy information within a reasonable timeframe, but no later than one month.
For example:
if you plan to contact the individual using their data, give privacy information during the initial contact
if you plan to share data with others, provide a privacy notice with details about the sharing before disclosing the data
If you plan to use personal data for any new purposes, update your privacy information and inform individuals about the changes.
Best practices for providing privacy information under UK GDPR
There are several ways to provide privacy information, including:
layered notices - short notices with key privacy details and links to more detailed information
just-in-time notices - providing information at certain points of data collection (eg during a purchase)
icons and symbols - visual cues showing data processing activities
dashboards - tools that show how you use data and allow people to manage their preferences
smart device features - eg pop-ups, voice alerts and gestures on mobile devices
A blended approach, using multiple methods, is often most effective.
Tools and templates for creating a GDPR-compliant privacy notice
You can use our sample privacy notice and customise it to match your business needs and data processing activities.
You can also use the ICO's privacy notice generator tool, which is ideal for small businesses, sole traders and community groups. Other templates are available online but make sure that any template you use is GDPR-compliant and customised to your data practices.
This guide is for general information only and does not offer legal advice.
Help

ICO Helpline

Actions

FAQs on privacy notices

UK GDPR guidance and resources

Also on this site

Sample IT policies, disclaimers and notices

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/privacy-information-under-uk-gdpr

Links
Accountability under the UK GDPR

Accountability principle says organisations are responsible for, and must be able to demonstrate, compliance with the data protection laws.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.
What does accountability mean in UK GDPR?
Accountability means:
you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply
For a small business, this means you must:
ensure a good level of understanding and awareness of data protection amongst your staff
implement comprehensive but proportionate policies and procedures for handling personal data safely
keep records of what you do and why
You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
How to comply with accountability obligations
The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:
1. Data protection policies
The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:
privacy procedure and notice
staff training policy
information security policy
data protection impact assessment procedure
retention of records procedure
subject access request form and procedure
international data transfer procedure
data portability procedure
Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.
2. Contracts
If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.
3. Documentation
By law, most organisations are required to maintain a record of their processing activities, covering:
name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
the processing purposes
a description of the categories of individuals and categories of personal data
the categories of recipients of personal data
details of your transfers to third countries, including the safeguards in place
retention schedules
a description of your technical and organisational security measures
If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.
As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:
information required for privacy notices
records of consent
controller-processor contracts
the location of personal data
Data Protection Impact Assessment reports
records of personal data breaches
information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018
Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.
4. Data protection by design and default
This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.
The UK GDPR suggests measures that may be appropriate to this, such as:
minimising the data you collect - both in terms of volume and retention
storing data no longer than is necessary
storing data only for the purposes for which it is processed
applying pseudonymisation techniques
improving security features
To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.
5. Data protection officers (DPOs)
The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:
you are a public authority or body
you carry out certain types of processing activities, including:
regular and systematic monitoring of data subjects on a large scale
large-scale processing of sensitive personal data or data relating to criminal convictions and offences
This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.
A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.
Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.
6. Codes of conduct and certification
Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.
Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/accountability-under-uk-gdpr

Links
UK GDPR data protection audit: checklist

Things you should consider when carrying out a data protection audit of your organisation's compliance with the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).
What is a data mapping audit?
A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.
The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.
How to perform a data mapping audit?
To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:
What types of personal data do you hold?
List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?
Why do you hold this data?
List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).
How did you collect this data?
List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?
How do you store it?
Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?
What do you do with this data?
How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?
Who owns and controls the data?
Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?
How long do you keep the data for?
Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?
What do you need to do to make your data processing GDPR compliant?
List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.
It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.
Data audit templates
The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:
Download documentation template for controllers (Excel, 31K)
Download documentation template for processors (Excel, 19K)
Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/uk-gdpr-data-protection-audit-checklist

Links
Data protection impact assessments

What is a data protection impact assessment, and how to carry out a DPIA to comply with the requirements of the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.
When is an organisation required to carry out a data protection impact assessment?
You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:
systematic and extensive profiling with significant effects
large-scale use of special category or criminal offence data
systematic monitoring of publicly accessible places on a large scale
When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:
evaluation or scoring
automated decision-making with legal or similar significant effect
systematic monitoring
sensitive data or data of a highly personal nature
data processed on a large scale
matching or combining datasets
data concerning vulnerable data subjects
innovative use or applying new technological or organisational solutions
preventing data subjects from exercising a right or using a service or contract
*EU Exit has not caused any significant change to the criteria that compel DPIAs in the UK, so the Information Commissioner's Office (ICO) still considers these guidelines to be relevant.
In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.
What type of processing is likely to result in high risk?
The ICO maintains a list of processing operations that require a DPIA. These include:
use innovative technologies (including artificial intelligence)
use of profiling or special category data to decide on access to services
profiling individuals on a large scale
processing biometric data
processing genetic data, unless by a health professional providing health care directly to the data subject
matching data or combining datasets from different sources
collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
tracking individuals' location or behaviour, including but not limited to the online environment
profiling children or targeting marketing or online services at them
processing data that might endanger the individual's physical health or safety in case of data breach
Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.
If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
How do you do a data protection impact assessment?
Typically, a DPIA will involve the following key steps:
identify the need for a DPIA
describe the processing
consider consultation
evaluate the necessity and proportionality
identify data protection and related risks
identify measures to reduce or eliminate the risks
sign off and record the outcomes of the DPIA
integrate data protection solutions into the project
keep under review
You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.
You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified.
The ICO offers a summary guidance on DPIA process.
Data protection impact assessment template
You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.
Consulting the ICO about high risk processing
If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.
In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:
issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
impose a limitation or ban on your intended processing
If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.
Failure to carry out data protection impact assessments
DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also 91�㽶��ɫ��Ƶ compliance with data protection by design and default obligations.
Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide on DPIAs

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-impact-assessments

Links
Security principle under the UK GDPR

Measures you should put in place to satisfy data integrity, confidentiality and availability requirements under the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.
The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.
What level of security is needed under UK GDPR?
The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
The security measures you put in place should seek to ensure that:
the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
the data you hold is accurate and complete in relation to why you are processing it
the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned
Organisational security measures
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:
build security awareness in your organisation
allocate responsibility for information security within your organisation
ensure those responsible have the resources and authority to do their job effectively
An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.
Other related matters you will need to consider include:
co-ordination between key people in your organisation
access to premises or equipment given to anyone outside your organisation
business continuity arrangements for the protection and recovery of personal data you hold
periodic checks on and updates to your security measures
Technical security measures
Technical measures include both:
physical security, which covers things like
protection of premises by means of alarms, lighting, CCTV
control of access to premises
disposal of paper and electronic waste
secure maintenance and disposal of IT equipment, mobile devices, etc
IT security (or cyber security), extending to the security of
your network and information systems
the data you hold within your systems
your website, online services and applications that you use
your devices, including policies on the use of personal devices in the workplace
Encryption
The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:
widely-available
relatively low costs to implement
available in a large variety of solutions
If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.
Password authentication
Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
Therefore, any password setup that you implement must:
be appropriate to the particular circumstances of this processing
protect against theft of stored passwords
protect against 'brute-force' or guessing attacks
There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.
The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.
Test your security measures
The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.
Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Privacy and data protection in direct marketing

Comply with the Children's code to protect children's privacy online

Content category

IT
Source URL
/content/security-principle-under-uk-gdpr

Links
Reporting serious breaches of personal data

Serious breaches of personal data that puts people's rights and freedoms at risk must be reported to the Information Commissioner's Office.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.
What is a breach of personal data?
A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:
if you lose, destroy, corrupt or disclose personal data
if someone accesses the data or passes it on without proper authorisation
if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals
When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:
how serious or substantial these are, and
how likely they are to happen
In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.
Should I report a data breach?
You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:
discrimination
damage to reputation
emotional distress
identity theft or fraud
financial or material loss
other significant economic or social disadvantages
You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.
Telling individuals about a breach
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.
If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.
Determine the level of risk accurately
If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.
If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.
What if a processor experiences a data breach?
If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.
How long do organisations have to report data breaches?
You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.
When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:
the nature of the breach, including:
the categories and approximate number of affected individuals
the categories and approximate number of affected data records
the likely consequences of the breach
the measures taken or proposed to be taken, to deal with and mitigate the breach
the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained
Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.
How do I notify the ICO of the data breach?
To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.
A breach affecting individuals in EEA countries will engage the EU GDPR. This means that as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach. For more information, see the Article 29 Working Party guidance on identifying your lead authority.
Recording personal data breaches
As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.
In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.
You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Failing to report a data breach
Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.
You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.
Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on ransomware and data protection compliance

Also on this site

Cyber security for business

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/reporting-serious-breaches-personal-data

Links
Rules on restricted transfers of personal data

Overview of the rules and regulations governing international transfers of personal data from the UK.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.
Are you making a restricted transfer?
You are making a restricted transfer of personal data if:
the UK GDPR applies to your processing of the personal data you are transferring
you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group
Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.
Rules on transferring personal data from the UK
Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:
Is the restricted transfer covered by adequacy regulations?
Is the restricted transfer covered by appropriate safeguards?
Is the restricted transfer covered by an exception?
Adequacy decisions
You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.
Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:
an adequacy decision for Gibraltar
an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
partial findings of adequacy about Japan and Canada
If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
Appropriate safeguards
Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.
The safeguards include:
a legal instrument between public authorities or bodies
UK Binding Corporate Rules (UK BCRs)
data protection clauses for restricted transfer
an approved code of conduct
certification under an approved certification scheme
contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
administrative arrangements between public authorities or bodies
UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.
You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.
Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.
Exceptions on restricted transfers
If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.
Specific exemptions, or derogations, for data transfers apply when:
the data subject explicitly consents to the transfer (and is aware of the risks)
you have a contract with the individual and:
the transfer is needed for the performance of that contract
the contract benefits another individual whose data is being transferred
the transfer is deemed necessary for reasons of public interest
the transfer is necessary in relation to a legal claim
the transfer is necessary to protect the data subject's vital interests (eg their life)
the transfer is made from a public register created under UK law
the transfer is a one-off and necessary for your competing legitimate interests
If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.
Rules on transferring personal data from the EEA into the UK
Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:
the country they are sending data to is covered by an EC adequacy decision
one of the EU GDPR appropriate safeguards is in place
one of the list of EU GDPR exceptions applies
The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/rules-restricted-transfers-personal-data

Links
Contractual clauses for international data transfer

Find out how to use standard data protection clauses and the new International Data Transfer Agreement (IDTA) and addendum, to lawfully and securely transfer personal data to 'third' countries
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.
Standard Contractual Clauses (SCCs) for restricted transfers from the EU
In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.
Restricted data transfers from the UK
As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:
International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
Addendum to the EU SCCs – most likely to be used for transfers involving EU data
The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.
International Data Transfer Agreement and guidance
The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.
The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.
Find more information on the IDTA and the Addendum.
Transition period for using the IDTA and the Addendum
The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:
SCCs for controllers to processors (Word, 124K)
SCCs for controllers to controllers (Word, 112K)
All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.
From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.
Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

International data transfers after the EU exit

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/contractual-clauses-international-data-transfer

Links
GDPR penalties and fines

Two levels of fines are possible under the UK data protection law, as well as other sanctions and penalties if you breach data protection rules and legislation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).
The ICO can issue sanctions for a breach of the regulation, including:
warnings and reprimands
compliance orders
bans on processing or data transfers (permanent or temporary)
administrative fines
Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.
Fines for infringement of the UK GDPR
Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:
a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation
The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.
How does the ICO determine the level of penalties?
The ICO will consider a number of factors when determining the level of penalties, including::
the nature, gravity, and duration of the infringement
the number of people affected and the extent of the damage to them
whether the breach was intentional or negligent
any previous history of noncompliance
any action taken to mitigate the damage
whether the controller notified the ICO of the infringement and co-operated
See more on reporting serious breaches of personal data.
A breach affecting individuals in EEA countries will engage the EU GDPR. For businesses that process personal data of EU citizens, failure to comply with the EU GDPR may result in penalties under the EU regulation. A maximum fine under the EU GDPR is €20 million or 4 per cent of the business's total annual worldwide turnover.
As part of your breach response plan, you should establish which European data protection agency is the lead supervisory authority for the processing activities that have been subject to the breach. For more information, see guidance on identifying your lead authority.
Impact of GDPR non-compliance
The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.
You may be subject to:
private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
reputational damage
loss of consumer trust
It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/gdpr-penalties-and-fines

Links

Security principle under the UK GDPR

dcomisso — Tue, 02 Mar 2021 12:15:27 +0000

Security principle under the UK GDPR dcomisso Tue, 02/03/2021 - 12:15

UK General Data Protection Regulation (UK GDPR)

In this guide:

Does the GDPR still apply to the UK?

The EU GDPR no longer applies to UK businesses, unless they operate in, offer goods and services to, or monitor the behaviour of, individuals in the EEA.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:
directly to you:
if you operate in the European Economic Area (EEA)
offer goods or services to individuals in the EEA
monitor the behaviour of individuals in the EEA
to any organisations in Europe who send you data
If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.
Data collected before the end of the transition period
Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'.
What is the UK GDPR?
The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:
offering goods or services to individuals in the UK, or
monitoring the behaviour of individuals taking place in the UK
If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.
The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.
This guide does not constitute legal advice and is provided for general information purposes only.
Actions

ICO guide to the UK GDPR

Data protection self-assessment

Data protection: small business and sole traders checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/does-gdpr-still-apply-uk

Links
Who does the UK GDPR apply to?

Understand the difference between data controllers and processors, and how the UK GDPR applies to each group.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.
The UK GDPR does not apply to the personal data processed:
by competent authorities for law enforcement purposes
for the purposes of safeguarding national security or defence
in the course of a purely personal or household activity, with no connection to a professional or commercial activity
What is the difference between data controllers and data processors?
Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:
data controllers decide why and how they process personal data
data processors hold or process data on behalf of a data controller
You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.
How to determine if you are a processor or a controller
Whether you are a controller or processor depends on who determines:
the purposes for which the data is being processed
the means of processing
If you determine the purposes and the means of processing, you will be the controller.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.
GDPR obligations on data processors
Under the UK GDPR, processing refers to any type of handling of personal data, including:
obtaining, recording or keeping data (electronically or in hard copy)
organising or altering the data
retrieving, consulting or using the data
disclosing the data to a third party (including publication)
erasing or destroying the data
If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.
GDPR obligations on data controllers
If you are a controller, you will have the highest level of compliance responsibility. This means:
you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
you are responsible for the compliance of your processors
you will be liable for a breach of any of these obligations
you must pay the data protection fee, unless you are exempt
Data protection fee
Under the Data Protection (Charges and Information) Regulations 2018, organisations that handle personal information electronically, such as people's names and addresses, must register with the ICO and pay an annual data protection fee, unless exempt.
Whether you need to pay the fee depends on how your organisation uses personal information for work purposes. For example, if you store personal information on a computer or phone, you must check if the fee applies. If you use CCTV or dashcams, you will likely need to pay.
The cost of your data protection fee depends on your size and turnover. For those with 10 or fewer employees, the fee is currently £40 per year. It's important to pay if you need to, to avoid a fine.
You can use the ICO's online self-assessment to pay or check if you're exempt. It will guide you through some questions about how your organisation uses data to determine whether you need to pay.
Find out more about the data protection fee.
Exemptions from UK GDPR
In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:
crime, law and public protection
regulation, parliament and the judiciary
journalism, research and archiving
health, social work, education and child abuse
finance, management and negotiations
references and exams
Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.
If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO fee assessment tool

Data protection self-assessment

Contracts and liabilities between controllers and processors

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/who-does-uk-gdpr-apply

Links
What is considered personal data under the UK GDPR?

Find out what constitutes personal data under the UK GDPR, and if your processing activities need to comply with the UK regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:
name
date of birth
identification numbers
bank details
addresses, including email addresses
other location data, such as an IP address
online identifiers
Other factors, or a combination of factors, may also identify an individual. For example:
information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains
If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.
Sensitive personal data
Personal data may also include special categories of personal data, such as:
data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
data on criminal conviction and offences
These are considered to be more sensitive and you may only process them in more limited circumstances.
Does your data relate to an individual?
For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:
the content of the data - is it directly about the individual or their activities
the purpose you will process the data for
the results of (or effects on) the individual from processing the data
It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.
The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).
In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.
How long can you keep personal data?
The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.
Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.
The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:
for the least amount of time that you can
in accordance with the requirements of your business
stored securely while it is in your possession
until it reaches the appointed deletion time
See more on accountability under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on special category data

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/what-considered-personal-data-under-uk-gdpr

Links
Data protection principles under the UK GDPR

Key UK GDPR principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.
1. Lawfulness, fairness and transparency principle
To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:
identify valid grounds for collecting or using personal data - known as the lawful basis
ensure that your use of data doesn't breach any other laws
use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
be clear, open and honest with people about how you will use their personal data
2. Purpose limitation principle
To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:
be clear about what your purposes for processing are from the start
record your purposes as part of your documentation obligations
inform individuals about your purposes to comply with transparency obligations
ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent
3. Data minimisation principle
To comply with the third principle, you must ensure that the personal data you are processing is:
adequate - sufficient to properly fulfil your stated purpose
relevant - has a rational link to that purpose
limited to what is necessary - you do not hold more than you need for that purpose
4. Accuracy principle
The accuracy principle requires you to take all reasonable steps to:
ensure the personal data you hold or process is not incorrect or misleading
ensure that the source and status of personal data are clear
consider any challenges to the accuracy of information
consider if it is necessary to periodically update the information
5. Storage limitation principle
To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:
think about - and be able to justify - how long you keep the data depending on the purpose you need it for
set a retention policy or schedule wherever possible, to comply with the documentation requirements
periodically review the data you hold, and erase or anonymise it when you no longer need it
carefully consider any challenges to your retention of data, for example when it comes to erasure
6. Integrity and confidentiality (also known as the security principle)
To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:
against unauthorised or unlawful processing
against accidental loss, destruction or damage
using appropriate technical or organisational measures
7. Accountability principle
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

ICO guidance on legitimate interests

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-principles-under-uk-gdpr

Links
Lawful basis for processing of personal data

An overview of the six lawful bases for processing personal data under the UK GDPR, and how to rely on them in your business.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.
There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.
Conditions for processing data under the UK GDPR
The lawful bases for processing include:
Consent
This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.
Contract
This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.
Legal obligation
This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.
Vital interests
This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.
Public task
This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
Legitimate interest
This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.
Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.
Why must you have a lawful basis for processing?
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.
The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.
Deciding which lawful basis applies
You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:
check that the processing is necessary for the relevant purpose
check that there is no other reasonable way to achieve this purpose
document why you chose a particular lawful basis - to demonstrate compliance
explain the purpose and the lawful basis for processing in your privacy notice
If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.
Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.
You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
Can you switch lawful basis for processing?
It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.
Documenting lawful basis
To satisfy the UK GDPR's accountability principle, you must keep a record of:
which basis you are relying on for each processing purpose
a justification for why you believe the basis applies
There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.
Find out more about documentation requirements in our guidance on accountability.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Lawful basis for processing

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/lawful-basis-processing-personal-data

Links
Obtaining, recording and managing consent under the UK GDPR

Introduction to consent under the UK GDPR, the right to withdraw it, and the consequences of non-compliance with consent requirements.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).
What is valid consent under the GDPR?
For consent to be valid under the UK GDPR, it must:
be freely given - giving people genuine choice and control over how you use their data
be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
be obvious that the individual has consented, and what they have consented to
require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand
Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.
When should you obtain consent under GDPR?
You may need to seek consent in a number of circumstances. For example, if:
no other legal basis for data processing applies
you want to use or share someone's data in unexpected or potentially intrusive ways
you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)
Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.
Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.
When should you not use consent?
You should not use consent as your lawful basis for processing if:
you can't offer people a genuine choice over how they use their data
you could process data on a different lawful basis if consent is refused or withdrawn
you ask for consent as a precondition of accessing your services
you are in a position of power over the individual, eg an employer processing employee data
Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
How to obtain consent
You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.
You should obtain consent upfront before processing begins. As a minimum, your consent request must include:
the name of your organisation and of any other controllers who will rely on the consent
why you want the data (the purposes of the processing)
what you will do with the data (the processing activities)
that people can withdraw their consent at any time
You can use different methods to obtain consent, but you must ask people to actively opt in.
Opt-in consent
Examples of active opt-in mechanisms include:
signing a consent statement on a paper form
ticking an opt-in box on paper or electronically
clicking an opt-in button or link online
selecting from equally prominent yes/no options
choosing technical settings or preference dashboard settings
responding to an email requesting consent
answering yes to a clear oral consent request
volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
Explicit consent
If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.
If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.
If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.
If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.
How to record consent
Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:
who consented
when they consented
what they were told at the time
how they consented
whether they have withdrawn consent (and if so, why)
An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Reviewing consent
Your obligations don't end when you get consent. You should keep your consents under review and refresh them:
if anything changes, eg if your purposes for processing evolve
if you rely on parental consent, when children grow up and can consent for themselves
automatically at appropriate intervals, depending on the context, people's expectations
If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.
How long does GDPR consent last?
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Managing consent for use of personal data
In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.
You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.
What happens when someone withdraws their consent?
If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.
Consent and individuals' rights
If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:
the right to erasure (also known as 'the right to be forgotten')
the right to data portability
the right to withdraw consent - which in effect operates as a right to stop the processing
See more on data subject rights under the UK GDPR.
Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment tool

ICO consent checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/obtaining-recording-and-managing-consent-under-uk-gdpr

Links
Data subject rights under the UK GDPR

Introduction to the rights of individuals under the UK GDPR, and your duties and obligations in respect of them.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.
Individuals' rights under the UK GDPR
Under the regulation, individuals can exercise:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object to processing
The rights in relation to automated decision making and profiling
1. Right to be informed
This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:
your business
your purposes and lawful basis for processing their personal data
who the data will be shared with, including details of international transfers
your retention periods for that personal data
the rights available to them in respect of processing
the right to lodge a complaint
Depending on the type of processing you do, you may need to provide other categories of information as well. For example:
if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent
You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.
The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.
2. Right of access (known as subject access request)
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).
Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.
If you receive a valid SAR:
you should perform a reasonable search for the requested information
you should respond without delay and within one month of receipt of the request
you may extend the time limit by a further two months in certain circumstances
you should provide the information in an accessible, concise and intelligible format
you should disclose information securely
You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.
3. Right of rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.
If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.
4. Right to erasure (also known as the right to be forgotten)
In certain circumstances, individuals have the right to ask you to erase their personal data if:
you have processed their data unlawfully
you no longer need the data for the original purpose
you rely on consent for processing or holding the data, and they withdraw it
they exercise their right to object to processing, and you can't override their objection
erasure is necessary for compliance with other legal obligations
If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.
Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.
5. Right to restrict processing
Individuals can ask you to restrict processing their personal data if, for example:
they believe their data is not accurate and you are verifying the accuracy of the data
the processing is unlawful but the individual doesn't want the data erased
you no longer need the data but the individual needs it to exercise a legal claim
you are taking steps to verify overriding grounds in the context of a request
If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.
If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.
6. Right to data portability
This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:
your lawful basis for processing this information is consent or contract
you are carrying out the processing by automated means (ie excluding paper files)
For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.
7. Right to object to processing
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:
a task carried out in the public interest
the exercise of official authority vested in you, or
your legitimate interests (or those of a third party)
In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.
If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:
you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
the processing is necessary in connection with legal rights
See more on the right to object.
8. Right related to automated decision making including profiling
Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:
automated individual decision-making - ie making a decision solely by automated means without any human involvement
profiling - automated processing of personal data to evaluate certain things about an individual
You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO guide on individual rights

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-subject-rights-under-uk-gdpr

Links
Dealing with subject access requests under the UK GDPR

How to handle subject access requests effectively and within the legal timeframe under the UK General Data Protection Regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.
What is a subject access request (SAR)?
A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:
can be verbal or in writing
can be submitted by any means, eg via web form, email, letter, phone call, etc
can be made to any part of your business, not just a specific department
doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data
The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.
The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.
Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.
Who can request personal information?
Individuals will only be able to request access to their own personal data, unless:
they are authorised to act on behalf of someone
the data that relates to another person also happens to relate to them
Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.
You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.
The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.
What should be provided as part of subject access request?
Data subjects are entitled to receive:
confirmation of whether you are processing their data
a copy of their personal data
other supplementary information (including mandatory privacy information)
Before responding to any request, you should establish if the information requested falls within the definition of personal data.
How to respond to a subject access request?
To comply with subject access requests, you have to:
respond to a request without undue delay and within one month of receipt
give information in a concise, transparent, intelligible and easily accessible form
use clear and plain language, especially if you are disclosing information to a child
respond electronically, if the request was made by the same means - unless asked otherwise
You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.
How long do I have to comply with SAR?
In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.
You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.
Seeking more information
If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.
If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.
Can you charge for subject access requests?
In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:
if the request is manifestly unfounded or excessive
if an individual requests further copies of their data following a request
Can I refuse a subject access request?
In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.
Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.
You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self assessment

How to deal with a request for information: a step-by-step guide

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/dealing-subject-access-requests-under-uk-gdpr

Links
Privacy information under UK GDPR

Best practices for UK GDPR privacy notices: what to include, how to present, and when to provide for compliance.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), you need to give individuals certain information when processing their personal data. This information is known as 'privacy information'. It's advisable to document this information in a 'privacy notice'.
What is a privacy notice under UK GDPR?
A privacy notice is a public statement that informs people how you collect, process and use their personal data. It ensures that individuals understand what happens to their data in accordance with their right to be informed.
Before drafting your privacy notice, identify the personal data you have and how you use it. You might need to carry out an information audit or data mapping. Make sure to communicate privacy information clearly, honestly and openly with the individuals.
What to include in your GDPR privacy notice?
The UK GDPR outlines the categories of information and details required in your privacy notice. Key components of a privacy notice include:
Who is collecting the data?
What type of data are you collecting?
How and why are you collecting it?
What is the purpose and the lawful basis for processing the data?
Who can access the information?
Will you share the data with any third parties?
Will you transfer the data abroad?
What safeguards will you put in place for the security of this data?
How will you use the information?
How long will you store the data for?
What rights does the data subject have, including to withdraw consent?
How can the individual raise a complaint?
Will you be making automated decisions about the individual, including profiling?
What you need to tell people varies depending on whether you collect their data directly or from another source. The Information Commissioner's Office (ICO) provides detailed guidance on what information you must include in your privacy notice.
When to provide privacy information under UK GDPR?
Under the UK GDPR, timing requirements mandate that you provide privacy information at the time of data collection if:
you collect information directly from individuals (eg when they fill out a form)
you collect data by observation (eg using CCTV or online tracking)
This is generally done when securing consent or outlining legitimate interests to individuals.
If you obtain personal data from a third party or a public source, you must provide privacy information within a reasonable timeframe, but no later than one month.
For example:
if you plan to contact the individual using their data, give privacy information during the initial contact
if you plan to share data with others, provide a privacy notice with details about the sharing before disclosing the data
If you plan to use personal data for any new purposes, update your privacy information and inform individuals about the changes.
Best practices for providing privacy information under UK GDPR
There are several ways to provide privacy information, including:
layered notices - short notices with key privacy details and links to more detailed information
just-in-time notices - providing information at certain points of data collection (eg during a purchase)
icons and symbols - visual cues showing data processing activities
dashboards - tools that show how you use data and allow people to manage their preferences
smart device features - eg pop-ups, voice alerts and gestures on mobile devices
A blended approach, using multiple methods, is often most effective.
Tools and templates for creating a GDPR-compliant privacy notice
You can use our sample privacy notice and customise it to match your business needs and data processing activities.
You can also use the ICO's privacy notice generator tool, which is ideal for small businesses, sole traders and community groups. Other templates are available online but make sure that any template you use is GDPR-compliant and customised to your data practices.
This guide is for general information only and does not offer legal advice.
Help

ICO Helpline

Actions

FAQs on privacy notices

UK GDPR guidance and resources

Also on this site

Sample IT policies, disclaimers and notices

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/privacy-information-under-uk-gdpr

Links
Accountability under the UK GDPR

Accountability principle says organisations are responsible for, and must be able to demonstrate, compliance with the data protection laws.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.
What does accountability mean in UK GDPR?
Accountability means:
you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply
For a small business, this means you must:
ensure a good level of understanding and awareness of data protection amongst your staff
implement comprehensive but proportionate policies and procedures for handling personal data safely
keep records of what you do and why
You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
How to comply with accountability obligations
The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:
1. Data protection policies
The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:
privacy procedure and notice
staff training policy
information security policy
data protection impact assessment procedure
retention of records procedure
subject access request form and procedure
international data transfer procedure
data portability procedure
Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.
2. Contracts
If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.
3. Documentation
By law, most organisations are required to maintain a record of their processing activities, covering:
name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
the processing purposes
a description of the categories of individuals and categories of personal data
the categories of recipients of personal data
details of your transfers to third countries, including the safeguards in place
retention schedules
a description of your technical and organisational security measures
If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.
As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:
information required for privacy notices
records of consent
controller-processor contracts
the location of personal data
Data Protection Impact Assessment reports
records of personal data breaches
information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018
Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.
4. Data protection by design and default
This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.
The UK GDPR suggests measures that may be appropriate to this, such as:
minimising the data you collect - both in terms of volume and retention
storing data no longer than is necessary
storing data only for the purposes for which it is processed
applying pseudonymisation techniques
improving security features
To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.
5. Data protection officers (DPOs)
The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:
you are a public authority or body
you carry out certain types of processing activities, including:
regular and systematic monitoring of data subjects on a large scale
large-scale processing of sensitive personal data or data relating to criminal convictions and offences
This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.
A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.
Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.
6. Codes of conduct and certification
Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.
Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/accountability-under-uk-gdpr

Links
UK GDPR data protection audit: checklist

Things you should consider when carrying out a data protection audit of your organisation's compliance with the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).
What is a data mapping audit?
A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.
The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.
How to perform a data mapping audit?
To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:
What types of personal data do you hold?
List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?
Why do you hold this data?
List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).
How did you collect this data?
List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?
How do you store it?
Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?
What do you do with this data?
How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?
Who owns and controls the data?
Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?
How long do you keep the data for?
Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?
What do you need to do to make your data processing GDPR compliant?
List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.
It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.
Data audit templates
The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:
Download documentation template for controllers (Excel, 31K)
Download documentation template for processors (Excel, 19K)
Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/uk-gdpr-data-protection-audit-checklist

Links
Data protection impact assessments

What is a data protection impact assessment, and how to carry out a DPIA to comply with the requirements of the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.
When is an organisation required to carry out a data protection impact assessment?
You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:
systematic and extensive profiling with significant effects
large-scale use of special category or criminal offence data
systematic monitoring of publicly accessible places on a large scale
When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:
evaluation or scoring
automated decision-making with legal or similar significant effect
systematic monitoring
sensitive data or data of a highly personal nature
data processed on a large scale
matching or combining datasets
data concerning vulnerable data subjects
innovative use or applying new technological or organisational solutions
preventing data subjects from exercising a right or using a service or contract
*EU Exit has not caused any significant change to the criteria that compel DPIAs in the UK, so the Information Commissioner's Office (ICO) still considers these guidelines to be relevant.
In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.
What type of processing is likely to result in high risk?
The ICO maintains a list of processing operations that require a DPIA. These include:
use innovative technologies (including artificial intelligence)
use of profiling or special category data to decide on access to services
profiling individuals on a large scale
processing biometric data
processing genetic data, unless by a health professional providing health care directly to the data subject
matching data or combining datasets from different sources
collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
tracking individuals' location or behaviour, including but not limited to the online environment
profiling children or targeting marketing or online services at them
processing data that might endanger the individual's physical health or safety in case of data breach
Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.
If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
How do you do a data protection impact assessment?
Typically, a DPIA will involve the following key steps:
identify the need for a DPIA
describe the processing
consider consultation
evaluate the necessity and proportionality
identify data protection and related risks
identify measures to reduce or eliminate the risks
sign off and record the outcomes of the DPIA
integrate data protection solutions into the project
keep under review
You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.
You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified.
The ICO offers a summary guidance on DPIA process.
Data protection impact assessment template
You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.
Consulting the ICO about high risk processing
If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.
In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:
issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
impose a limitation or ban on your intended processing
If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.
Failure to carry out data protection impact assessments
DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also 91�㽶��ɫ��Ƶ compliance with data protection by design and default obligations.
Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide on DPIAs

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-impact-assessments

Links
Security principle under the UK GDPR

Measures you should put in place to satisfy data integrity, confidentiality and availability requirements under the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.
The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.
What level of security is needed under UK GDPR?
The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
The security measures you put in place should seek to ensure that:
the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
the data you hold is accurate and complete in relation to why you are processing it
the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned
Organisational security measures
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:
build security awareness in your organisation
allocate responsibility for information security within your organisation
ensure those responsible have the resources and authority to do their job effectively
An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.
Other related matters you will need to consider include:
co-ordination between key people in your organisation
access to premises or equipment given to anyone outside your organisation
business continuity arrangements for the protection and recovery of personal data you hold
periodic checks on and updates to your security measures
Technical security measures
Technical measures include both:
physical security, which covers things like
protection of premises by means of alarms, lighting, CCTV
control of access to premises
disposal of paper and electronic waste
secure maintenance and disposal of IT equipment, mobile devices, etc
IT security (or cyber security), extending to the security of
your network and information systems
the data you hold within your systems
your website, online services and applications that you use
your devices, including policies on the use of personal devices in the workplace
Encryption
The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:
widely-available
relatively low costs to implement
available in a large variety of solutions
If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.
Password authentication
Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
Therefore, any password setup that you implement must:
be appropriate to the particular circumstances of this processing
protect against theft of stored passwords
protect against 'brute-force' or guessing attacks
There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.
The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.
Test your security measures
The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.
Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Privacy and data protection in direct marketing

Comply with the Children's code to protect children's privacy online

Content category

IT
Source URL
/content/security-principle-under-uk-gdpr

Links
Reporting serious breaches of personal data

Serious breaches of personal data that puts people's rights and freedoms at risk must be reported to the Information Commissioner's Office.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.
What is a breach of personal data?
A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:
if you lose, destroy, corrupt or disclose personal data
if someone accesses the data or passes it on without proper authorisation
if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals
When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:
how serious or substantial these are, and
how likely they are to happen
In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.
Should I report a data breach?
You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:
discrimination
damage to reputation
emotional distress
identity theft or fraud
financial or material loss
other significant economic or social disadvantages
You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.
Telling individuals about a breach
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.
If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.
Determine the level of risk accurately
If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.
If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.
What if a processor experiences a data breach?
If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.
How long do organisations have to report data breaches?
You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.
When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:
the nature of the breach, including:
the categories and approximate number of affected individuals
the categories and approximate number of affected data records
the likely consequences of the breach
the measures taken or proposed to be taken, to deal with and mitigate the breach
the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained
Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.
How do I notify the ICO of the data breach?
To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.
A breach affecting individuals in EEA countries will engage the EU GDPR. This means that as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach. For more information, see the Article 29 Working Party guidance on identifying your lead authority.
Recording personal data breaches
As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.
In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.
You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Failing to report a data breach
Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.
You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.
Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on ransomware and data protection compliance

Also on this site

Cyber security for business

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/reporting-serious-breaches-personal-data

Links
Rules on restricted transfers of personal data

Overview of the rules and regulations governing international transfers of personal data from the UK.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.
Are you making a restricted transfer?
You are making a restricted transfer of personal data if:
the UK GDPR applies to your processing of the personal data you are transferring
you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group
Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.
Rules on transferring personal data from the UK
Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:
Is the restricted transfer covered by adequacy regulations?
Is the restricted transfer covered by appropriate safeguards?
Is the restricted transfer covered by an exception?
Adequacy decisions
You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.
Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:
an adequacy decision for Gibraltar
an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
partial findings of adequacy about Japan and Canada
If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
Appropriate safeguards
Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.
The safeguards include:
a legal instrument between public authorities or bodies
UK Binding Corporate Rules (UK BCRs)
data protection clauses for restricted transfer
an approved code of conduct
certification under an approved certification scheme
contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
administrative arrangements between public authorities or bodies
UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.
You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.
Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.
Exceptions on restricted transfers
If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.
Specific exemptions, or derogations, for data transfers apply when:
the data subject explicitly consents to the transfer (and is aware of the risks)
you have a contract with the individual and:
the transfer is needed for the performance of that contract
the contract benefits another individual whose data is being transferred
the transfer is deemed necessary for reasons of public interest
the transfer is necessary in relation to a legal claim
the transfer is necessary to protect the data subject's vital interests (eg their life)
the transfer is made from a public register created under UK law
the transfer is a one-off and necessary for your competing legitimate interests
If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.
Rules on transferring personal data from the EEA into the UK
Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:
the country they are sending data to is covered by an EC adequacy decision
one of the EU GDPR appropriate safeguards is in place
one of the list of EU GDPR exceptions applies
The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/rules-restricted-transfers-personal-data

Links
Contractual clauses for international data transfer

Find out how to use standard data protection clauses and the new International Data Transfer Agreement (IDTA) and addendum, to lawfully and securely transfer personal data to 'third' countries
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.
Standard Contractual Clauses (SCCs) for restricted transfers from the EU
In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.
Restricted data transfers from the UK
As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:
International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
Addendum to the EU SCCs – most likely to be used for transfers involving EU data
The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.
International Data Transfer Agreement and guidance
The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.
The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.
Find more information on the IDTA and the Addendum.
Transition period for using the IDTA and the Addendum
The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:
SCCs for controllers to processors (Word, 124K)
SCCs for controllers to controllers (Word, 112K)
All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.
From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.
Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

International data transfers after the EU exit

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/contractual-clauses-international-data-transfer

Links
GDPR penalties and fines

Two levels of fines are possible under the UK data protection law, as well as other sanctions and penalties if you breach data protection rules and legislation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).
The ICO can issue sanctions for a breach of the regulation, including:
warnings and reprimands
compliance orders
bans on processing or data transfers (permanent or temporary)
administrative fines
Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.
Fines for infringement of the UK GDPR
Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:
a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation
The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.
How does the ICO determine the level of penalties?
The ICO will consider a number of factors when determining the level of penalties, including::
the nature, gravity, and duration of the infringement
the number of people affected and the extent of the damage to them
whether the breach was intentional or negligent
any previous history of noncompliance
any action taken to mitigate the damage
whether the controller notified the ICO of the infringement and co-operated
See more on reporting serious breaches of personal data.
A breach affecting individuals in EEA countries will engage the EU GDPR. For businesses that process personal data of EU citizens, failure to comply with the EU GDPR may result in penalties under the EU regulation. A maximum fine under the EU GDPR is €20 million or 4 per cent of the business's total annual worldwide turnover.
As part of your breach response plan, you should establish which European data protection agency is the lead supervisory authority for the processing activities that have been subject to the breach. For more information, see guidance on identifying your lead authority.
Impact of GDPR non-compliance
The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.
You may be subject to:
private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
reputational damage
loss of consumer trust
It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/gdpr-penalties-and-fines

Links

Contractual clauses for international data transfer

dcomisso — Tue, 02 Mar 2021 10:17:42 +0000

Contractual clauses for international data transfer dcomisso Tue, 02/03/2021 - 10:17

UK General Data Protection Regulation (UK GDPR)

In this guide:

Does the GDPR still apply to the UK?

The EU GDPR no longer applies to UK businesses, unless they operate in, offer goods and services to, or monitor the behaviour of, individuals in the EEA.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:
directly to you:
if you operate in the European Economic Area (EEA)
offer goods or services to individuals in the EEA
monitor the behaviour of individuals in the EEA
to any organisations in Europe who send you data
If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.
Data collected before the end of the transition period
Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'.
What is the UK GDPR?
The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:
offering goods or services to individuals in the UK, or
monitoring the behaviour of individuals taking place in the UK
If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.
The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.
This guide does not constitute legal advice and is provided for general information purposes only.
Actions

ICO guide to the UK GDPR

Data protection self-assessment

Data protection: small business and sole traders checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/does-gdpr-still-apply-uk

Links
Who does the UK GDPR apply to?

Understand the difference between data controllers and processors, and how the UK GDPR applies to each group.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.
The UK GDPR does not apply to the personal data processed:
by competent authorities for law enforcement purposes
for the purposes of safeguarding national security or defence
in the course of a purely personal or household activity, with no connection to a professional or commercial activity
What is the difference between data controllers and data processors?
Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:
data controllers decide why and how they process personal data
data processors hold or process data on behalf of a data controller
You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.
How to determine if you are a processor or a controller
Whether you are a controller or processor depends on who determines:
the purposes for which the data is being processed
the means of processing
If you determine the purposes and the means of processing, you will be the controller.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.
GDPR obligations on data processors
Under the UK GDPR, processing refers to any type of handling of personal data, including:
obtaining, recording or keeping data (electronically or in hard copy)
organising or altering the data
retrieving, consulting or using the data
disclosing the data to a third party (including publication)
erasing or destroying the data
If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.
GDPR obligations on data controllers
If you are a controller, you will have the highest level of compliance responsibility. This means:
you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
you are responsible for the compliance of your processors
you will be liable for a breach of any of these obligations
you must pay the data protection fee, unless you are exempt
Data protection fee
Under the Data Protection (Charges and Information) Regulations 2018, organisations that handle personal information electronically, such as people's names and addresses, must register with the ICO and pay an annual data protection fee, unless exempt.
Whether you need to pay the fee depends on how your organisation uses personal information for work purposes. For example, if you store personal information on a computer or phone, you must check if the fee applies. If you use CCTV or dashcams, you will likely need to pay.
The cost of your data protection fee depends on your size and turnover. For those with 10 or fewer employees, the fee is currently £40 per year. It's important to pay if you need to, to avoid a fine.
You can use the ICO's online self-assessment to pay or check if you're exempt. It will guide you through some questions about how your organisation uses data to determine whether you need to pay.
Find out more about the data protection fee.
Exemptions from UK GDPR
In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:
crime, law and public protection
regulation, parliament and the judiciary
journalism, research and archiving
health, social work, education and child abuse
finance, management and negotiations
references and exams
Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.
If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO fee assessment tool

Data protection self-assessment

Contracts and liabilities between controllers and processors

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/who-does-uk-gdpr-apply

Links
What is considered personal data under the UK GDPR?

Find out what constitutes personal data under the UK GDPR, and if your processing activities need to comply with the UK regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:
name
date of birth
identification numbers
bank details
addresses, including email addresses
other location data, such as an IP address
online identifiers
Other factors, or a combination of factors, may also identify an individual. For example:
information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains
If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.
Sensitive personal data
Personal data may also include special categories of personal data, such as:
data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
data on criminal conviction and offences
These are considered to be more sensitive and you may only process them in more limited circumstances.
Does your data relate to an individual?
For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:
the content of the data - is it directly about the individual or their activities
the purpose you will process the data for
the results of (or effects on) the individual from processing the data
It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.
The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).
In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.
How long can you keep personal data?
The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.
Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.
The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:
for the least amount of time that you can
in accordance with the requirements of your business
stored securely while it is in your possession
until it reaches the appointed deletion time
See more on accountability under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on special category data

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/what-considered-personal-data-under-uk-gdpr

Links
Data protection principles under the UK GDPR

Key UK GDPR principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.
1. Lawfulness, fairness and transparency principle
To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:
identify valid grounds for collecting or using personal data - known as the lawful basis
ensure that your use of data doesn't breach any other laws
use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
be clear, open and honest with people about how you will use their personal data
2. Purpose limitation principle
To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:
be clear about what your purposes for processing are from the start
record your purposes as part of your documentation obligations
inform individuals about your purposes to comply with transparency obligations
ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent
3. Data minimisation principle
To comply with the third principle, you must ensure that the personal data you are processing is:
adequate - sufficient to properly fulfil your stated purpose
relevant - has a rational link to that purpose
limited to what is necessary - you do not hold more than you need for that purpose
4. Accuracy principle
The accuracy principle requires you to take all reasonable steps to:
ensure the personal data you hold or process is not incorrect or misleading
ensure that the source and status of personal data are clear
consider any challenges to the accuracy of information
consider if it is necessary to periodically update the information
5. Storage limitation principle
To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:
think about - and be able to justify - how long you keep the data depending on the purpose you need it for
set a retention policy or schedule wherever possible, to comply with the documentation requirements
periodically review the data you hold, and erase or anonymise it when you no longer need it
carefully consider any challenges to your retention of data, for example when it comes to erasure
6. Integrity and confidentiality (also known as the security principle)
To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:
against unauthorised or unlawful processing
against accidental loss, destruction or damage
using appropriate technical or organisational measures
7. Accountability principle
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.
Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

ICO guidance on legitimate interests

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-principles-under-uk-gdpr

Links
Lawful basis for processing of personal data

An overview of the six lawful bases for processing personal data under the UK GDPR, and how to rely on them in your business.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.
There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.
Conditions for processing data under the UK GDPR
The lawful bases for processing include:
Consent
This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.
Contract
This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.
Legal obligation
This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.
Vital interests
This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.
Public task
This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
Legitimate interest
This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.
Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.
Why must you have a lawful basis for processing?
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.
The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.
Deciding which lawful basis applies
You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:
check that the processing is necessary for the relevant purpose
check that there is no other reasonable way to achieve this purpose
document why you chose a particular lawful basis - to demonstrate compliance
explain the purpose and the lawful basis for processing in your privacy notice
If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.
Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.
You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
Can you switch lawful basis for processing?
It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.
Documenting lawful basis
To satisfy the UK GDPR's accountability principle, you must keep a record of:
which basis you are relying on for each processing purpose
a justification for why you believe the basis applies
There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.
Find out more about documentation requirements in our guidance on accountability.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Lawful basis for processing

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/lawful-basis-processing-personal-data

Links
Obtaining, recording and managing consent under the UK GDPR

Introduction to consent under the UK GDPR, the right to withdraw it, and the consequences of non-compliance with consent requirements.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).
What is valid consent under the GDPR?
For consent to be valid under the UK GDPR, it must:
be freely given - giving people genuine choice and control over how you use their data
be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
be obvious that the individual has consented, and what they have consented to
require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand
Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.
When should you obtain consent under GDPR?
You may need to seek consent in a number of circumstances. For example, if:
no other legal basis for data processing applies
you want to use or share someone's data in unexpected or potentially intrusive ways
you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)
Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.
Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.
When should you not use consent?
You should not use consent as your lawful basis for processing if:
you can't offer people a genuine choice over how they use their data
you could process data on a different lawful basis if consent is refused or withdrawn
you ask for consent as a precondition of accessing your services
you are in a position of power over the individual, eg an employer processing employee data
Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.
How to obtain consent
You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.
You should obtain consent upfront before processing begins. As a minimum, your consent request must include:
the name of your organisation and of any other controllers who will rely on the consent
why you want the data (the purposes of the processing)
what you will do with the data (the processing activities)
that people can withdraw their consent at any time
You can use different methods to obtain consent, but you must ask people to actively opt in.
Opt-in consent
Examples of active opt-in mechanisms include:
signing a consent statement on a paper form
ticking an opt-in box on paper or electronically
clicking an opt-in button or link online
selecting from equally prominent yes/no options
choosing technical settings or preference dashboard settings
responding to an email requesting consent
answering yes to a clear oral consent request
volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
Explicit consent
If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.
If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.
If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.
If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.
How to record consent
Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:
who consented
when they consented
what they were told at the time
how they consented
whether they have withdrawn consent (and if so, why)
An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.
Reviewing consent
Your obligations don't end when you get consent. You should keep your consents under review and refresh them:
if anything changes, eg if your purposes for processing evolve
if you rely on parental consent, when children grow up and can consent for themselves
automatically at appropriate intervals, depending on the context, people's expectations
If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.
How long does GDPR consent last?
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Managing consent for use of personal data
In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.
You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.
What happens when someone withdraws their consent?
If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.
Consent and individuals' rights
If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:
the right to erasure (also known as 'the right to be forgotten')
the right to data portability
the right to withdraw consent - which in effect operates as a right to stop the processing
See more on data subject rights under the UK GDPR.
Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment tool

ICO consent checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/obtaining-recording-and-managing-consent-under-uk-gdpr

Links
Data subject rights under the UK GDPR

Introduction to the rights of individuals under the UK GDPR, and your duties and obligations in respect of them.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.
Individuals' rights under the UK GDPR
Under the regulation, individuals can exercise:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object to processing
The rights in relation to automated decision making and profiling
1. Right to be informed
This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:
your business
your purposes and lawful basis for processing their personal data
who the data will be shared with, including details of international transfers
your retention periods for that personal data
the rights available to them in respect of processing
the right to lodge a complaint
Depending on the type of processing you do, you may need to provide other categories of information as well. For example:
if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent
You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.
The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.
2. Right of access (known as subject access request)
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).
Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.
If you receive a valid SAR:
you should perform a reasonable search for the requested information
you should respond without delay and within one month of receipt of the request
you may extend the time limit by a further two months in certain circumstances
you should provide the information in an accessible, concise and intelligible format
you should disclose information securely
You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.
3. Right of rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.
If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.
4. Right to erasure (also known as the right to be forgotten)
In certain circumstances, individuals have the right to ask you to erase their personal data if:
you have processed their data unlawfully
you no longer need the data for the original purpose
you rely on consent for processing or holding the data, and they withdraw it
they exercise their right to object to processing, and you can't override their objection
erasure is necessary for compliance with other legal obligations
If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.
Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.
5. Right to restrict processing
Individuals can ask you to restrict processing their personal data if, for example:
they believe their data is not accurate and you are verifying the accuracy of the data
the processing is unlawful but the individual doesn't want the data erased
you no longer need the data but the individual needs it to exercise a legal claim
you are taking steps to verify overriding grounds in the context of a request
If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.
If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.
6. Right to data portability
This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:
your lawful basis for processing this information is consent or contract
you are carrying out the processing by automated means (ie excluding paper files)
For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.
7. Right to object to processing
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:
a task carried out in the public interest
the exercise of official authority vested in you, or
your legitimate interests (or those of a third party)
In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.
If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:
you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
the processing is necessary in connection with legal rights
See more on the right to object.
8. Right related to automated decision making including profiling
Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:
automated individual decision-making - ie making a decision solely by automated means without any human involvement
profiling - automated processing of personal data to evaluate certain things about an individual
You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

ICO guide on individual rights

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-subject-rights-under-uk-gdpr

Links
Dealing with subject access requests under the UK GDPR

How to handle subject access requests effectively and within the legal timeframe under the UK General Data Protection Regulation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.
What is a subject access request (SAR)?
A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:
can be verbal or in writing
can be submitted by any means, eg via web form, email, letter, phone call, etc
can be made to any part of your business, not just a specific department
doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data
The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.
The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.
Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.
Who can request personal information?
Individuals will only be able to request access to their own personal data, unless:
they are authorised to act on behalf of someone
the data that relates to another person also happens to relate to them
Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.
You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.
The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.
What should be provided as part of subject access request?
Data subjects are entitled to receive:
confirmation of whether you are processing their data
a copy of their personal data
other supplementary information (including mandatory privacy information)
Before responding to any request, you should establish if the information requested falls within the definition of personal data.
How to respond to a subject access request?
To comply with subject access requests, you have to:
respond to a request without undue delay and within one month of receipt
give information in a concise, transparent, intelligible and easily accessible form
use clear and plain language, especially if you are disclosing information to a child
respond electronically, if the request was made by the same means - unless asked otherwise
You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.
How long do I have to comply with SAR?
In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.
You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.
Seeking more information
If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.
If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.
Can you charge for subject access requests?
In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:
if the request is manifestly unfounded or excessive
if an individual requests further copies of their data following a request
Can I refuse a subject access request?
In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.
Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.
You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self assessment

How to deal with a request for information: a step-by-step guide

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/dealing-subject-access-requests-under-uk-gdpr

Links
Privacy information under UK GDPR

Best practices for UK GDPR privacy notices: what to include, how to present, and when to provide for compliance.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), you need to give individuals certain information when processing their personal data. This information is known as 'privacy information'. It's advisable to document this information in a 'privacy notice'.
What is a privacy notice under UK GDPR?
A privacy notice is a public statement that informs people how you collect, process and use their personal data. It ensures that individuals understand what happens to their data in accordance with their right to be informed.
Before drafting your privacy notice, identify the personal data you have and how you use it. You might need to carry out an information audit or data mapping. Make sure to communicate privacy information clearly, honestly and openly with the individuals.
What to include in your GDPR privacy notice?
The UK GDPR outlines the categories of information and details required in your privacy notice. Key components of a privacy notice include:
Who is collecting the data?
What type of data are you collecting?
How and why are you collecting it?
What is the purpose and the lawful basis for processing the data?
Who can access the information?
Will you share the data with any third parties?
Will you transfer the data abroad?
What safeguards will you put in place for the security of this data?
How will you use the information?
How long will you store the data for?
What rights does the data subject have, including to withdraw consent?
How can the individual raise a complaint?
Will you be making automated decisions about the individual, including profiling?
What you need to tell people varies depending on whether you collect their data directly or from another source. The Information Commissioner's Office (ICO) provides detailed guidance on what information you must include in your privacy notice.
When to provide privacy information under UK GDPR?
Under the UK GDPR, timing requirements mandate that you provide privacy information at the time of data collection if:
you collect information directly from individuals (eg when they fill out a form)
you collect data by observation (eg using CCTV or online tracking)
This is generally done when securing consent or outlining legitimate interests to individuals.
If you obtain personal data from a third party or a public source, you must provide privacy information within a reasonable timeframe, but no later than one month.
For example:
if you plan to contact the individual using their data, give privacy information during the initial contact
if you plan to share data with others, provide a privacy notice with details about the sharing before disclosing the data
If you plan to use personal data for any new purposes, update your privacy information and inform individuals about the changes.
Best practices for providing privacy information under UK GDPR
There are several ways to provide privacy information, including:
layered notices - short notices with key privacy details and links to more detailed information
just-in-time notices - providing information at certain points of data collection (eg during a purchase)
icons and symbols - visual cues showing data processing activities
dashboards - tools that show how you use data and allow people to manage their preferences
smart device features - eg pop-ups, voice alerts and gestures on mobile devices
A blended approach, using multiple methods, is often most effective.
Tools and templates for creating a GDPR-compliant privacy notice
You can use our sample privacy notice and customise it to match your business needs and data processing activities.
You can also use the ICO's privacy notice generator tool, which is ideal for small businesses, sole traders and community groups. Other templates are available online but make sure that any template you use is GDPR-compliant and customised to your data practices.
This guide is for general information only and does not offer legal advice.
Help

ICO Helpline

Actions

FAQs on privacy notices

UK GDPR guidance and resources

Also on this site

Sample IT policies, disclaimers and notices

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/privacy-information-under-uk-gdpr

Links
Accountability under the UK GDPR

Accountability principle says organisations are responsible for, and must be able to demonstrate, compliance with the data protection laws.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.
What does accountability mean in UK GDPR?
Accountability means:
you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply
For a small business, this means you must:
ensure a good level of understanding and awareness of data protection amongst your staff
implement comprehensive but proportionate policies and procedures for handling personal data safely
keep records of what you do and why
You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
How to comply with accountability obligations
The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:
1. Data protection policies
The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:
privacy procedure and notice
staff training policy
information security policy
data protection impact assessment procedure
retention of records procedure
subject access request form and procedure
international data transfer procedure
data portability procedure
Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.
2. Contracts
If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.
3. Documentation
By law, most organisations are required to maintain a record of their processing activities, covering:
name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
the processing purposes
a description of the categories of individuals and categories of personal data
the categories of recipients of personal data
details of your transfers to third countries, including the safeguards in place
retention schedules
a description of your technical and organisational security measures
If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.
As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:
information required for privacy notices
records of consent
controller-processor contracts
the location of personal data
Data Protection Impact Assessment reports
records of personal data breaches
information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018
Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.
4. Data protection by design and default
This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.
The UK GDPR suggests measures that may be appropriate to this, such as:
minimising the data you collect - both in terms of volume and retention
storing data no longer than is necessary
storing data only for the purposes for which it is processed
applying pseudonymisation techniques
improving security features
To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.
5. Data protection officers (DPOs)
The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:
you are a public authority or body
you carry out certain types of processing activities, including:
regular and systematic monitoring of data subjects on a large scale
large-scale processing of sensitive personal data or data relating to criminal convictions and offences
This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.
A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.
Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.
6. Codes of conduct and certification
Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.
Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO records management checklist

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/accountability-under-uk-gdpr

Links
UK GDPR data protection audit: checklist

Things you should consider when carrying out a data protection audit of your organisation's compliance with the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).
What is a data mapping audit?
A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.
The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.
How to perform a data mapping audit?
To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:
What types of personal data do you hold?
List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?
Why do you hold this data?
List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).
How did you collect this data?
List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?
How do you store it?
Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?
What do you do with this data?
How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?
Who owns and controls the data?
Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?
How long do you keep the data for?
Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?
What do you need to do to make your data processing GDPR compliant?
List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.
It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.
Data audit templates
The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:
Download documentation template for controllers (Excel, 31K)
Download documentation template for processors (Excel, 19K)
Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/uk-gdpr-data-protection-audit-checklist

Links
Data protection impact assessments

What is a data protection impact assessment, and how to carry out a DPIA to comply with the requirements of the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.
When is an organisation required to carry out a data protection impact assessment?
You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:
systematic and extensive profiling with significant effects
large-scale use of special category or criminal offence data
systematic monitoring of publicly accessible places on a large scale
When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:
evaluation or scoring
automated decision-making with legal or similar significant effect
systematic monitoring
sensitive data or data of a highly personal nature
data processed on a large scale
matching or combining datasets
data concerning vulnerable data subjects
innovative use or applying new technological or organisational solutions
preventing data subjects from exercising a right or using a service or contract
*EU Exit has not caused any significant change to the criteria that compel DPIAs in the UK, so the Information Commissioner's Office (ICO) still considers these guidelines to be relevant.
In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.
What type of processing is likely to result in high risk?
The ICO maintains a list of processing operations that require a DPIA. These include:
use innovative technologies (including artificial intelligence)
use of profiling or special category data to decide on access to services
profiling individuals on a large scale
processing biometric data
processing genetic data, unless by a health professional providing health care directly to the data subject
matching data or combining datasets from different sources
collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
tracking individuals' location or behaviour, including but not limited to the online environment
profiling children or targeting marketing or online services at them
processing data that might endanger the individual's physical health or safety in case of data breach
Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.
If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
How do you do a data protection impact assessment?
Typically, a DPIA will involve the following key steps:
identify the need for a DPIA
describe the processing
consider consultation
evaluate the necessity and proportionality
identify data protection and related risks
identify measures to reduce or eliminate the risks
sign off and record the outcomes of the DPIA
integrate data protection solutions into the project
keep under review
You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.
You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified.
The ICO offers a summary guidance on DPIA process.
Data protection impact assessment template
You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.
Consulting the ICO about high risk processing
If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.
In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:
issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
impose a limitation or ban on your intended processing
If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.
Failure to carry out data protection impact assessments
DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also 91�㽶��ɫ��Ƶ compliance with data protection by design and default obligations.
Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide on DPIAs

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/data-protection-impact-assessments

Links
Security principle under the UK GDPR

Measures you should put in place to satisfy data integrity, confidentiality and availability requirements under the UK GDPR.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.
The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.
What level of security is needed under UK GDPR?
The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
The security measures you put in place should seek to ensure that:
the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
the data you hold is accurate and complete in relation to why you are processing it
the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned
Organisational security measures
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:
build security awareness in your organisation
allocate responsibility for information security within your organisation
ensure those responsible have the resources and authority to do their job effectively
An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.
Other related matters you will need to consider include:
co-ordination between key people in your organisation
access to premises or equipment given to anyone outside your organisation
business continuity arrangements for the protection and recovery of personal data you hold
periodic checks on and updates to your security measures
Technical security measures
Technical measures include both:
physical security, which covers things like
protection of premises by means of alarms, lighting, CCTV
control of access to premises
disposal of paper and electronic waste
secure maintenance and disposal of IT equipment, mobile devices, etc
IT security (or cyber security), extending to the security of
your network and information systems
the data you hold within your systems
your website, online services and applications that you use
your devices, including policies on the use of personal devices in the workplace
Encryption
The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:
widely-available
relatively low costs to implement
available in a large variety of solutions
If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.
Password authentication
Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
Therefore, any password setup that you implement must:
be appropriate to the particular circumstances of this processing
protect against theft of stored passwords
protect against 'brute-force' or guessing attacks
There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.
The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.
Test your security measures
The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.
Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Privacy and data protection in direct marketing

Comply with the Children's code to protect children's privacy online

Content category

IT
Source URL
/content/security-principle-under-uk-gdpr

Links
Reporting serious breaches of personal data

Serious breaches of personal data that puts people's rights and freedoms at risk must be reported to the Information Commissioner's Office.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.
What is a breach of personal data?
A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:
if you lose, destroy, corrupt or disclose personal data
if someone accesses the data or passes it on without proper authorisation
if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals
When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:
how serious or substantial these are, and
how likely they are to happen
In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.
Should I report a data breach?
You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:
discrimination
damage to reputation
emotional distress
identity theft or fraud
financial or material loss
other significant economic or social disadvantages
You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.
Telling individuals about a breach
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.
If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.
Determine the level of risk accurately
If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.
If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.
What if a processor experiences a data breach?
If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.
How long do organisations have to report data breaches?
You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.
When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:
the nature of the breach, including:
the categories and approximate number of affected individuals
the categories and approximate number of affected data records
the likely consequences of the breach
the measures taken or proposed to be taken, to deal with and mitigate the breach
the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained
Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.
How do I notify the ICO of the data breach?
To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.
A breach affecting individuals in EEA countries will engage the EU GDPR. This means that as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach. For more information, see the Article 29 Working Party guidance on identifying your lead authority.
Recording personal data breaches
As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.
In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.
You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
Failing to report a data breach
Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.
You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.
Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

ICO guide on ransomware and data protection compliance

Also on this site

Cyber security for business

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/reporting-serious-breaches-personal-data

Links
Rules on restricted transfers of personal data

Overview of the rules and regulations governing international transfers of personal data from the UK.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.
Are you making a restricted transfer?
You are making a restricted transfer of personal data if:
the UK GDPR applies to your processing of the personal data you are transferring
you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group
Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.
Rules on transferring personal data from the UK
Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:
Is the restricted transfer covered by adequacy regulations?
Is the restricted transfer covered by appropriate safeguards?
Is the restricted transfer covered by an exception?
Adequacy decisions
You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.
Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.
The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:
an adequacy decision for Gibraltar
an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
partial findings of adequacy about Japan and Canada
If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.
Appropriate safeguards
Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.
The safeguards include:
a legal instrument between public authorities or bodies
UK Binding Corporate Rules (UK BCRs)
data protection clauses for restricted transfer
an approved code of conduct
certification under an approved certification scheme
contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
administrative arrangements between public authorities or bodies
UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.
You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.
Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.
Exceptions on restricted transfers
If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.
Specific exemptions, or derogations, for data transfers apply when:
the data subject explicitly consents to the transfer (and is aware of the risks)
you have a contract with the individual and:
the transfer is needed for the performance of that contract
the contract benefits another individual whose data is being transferred
the transfer is deemed necessary for reasons of public interest
the transfer is necessary in relation to a legal claim
the transfer is necessary to protect the data subject's vital interests (eg their life)
the transfer is made from a public register created under UK law
the transfer is a one-off and necessary for your competing legitimate interests
If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.
Rules on transferring personal data from the EEA into the UK
Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:
the country they are sending data to is covered by an EC adequacy decision
one of the EU GDPR appropriate safeguards is in place
one of the list of EU GDPR exceptions applies
The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/rules-restricted-transfers-personal-data

Links
Contractual clauses for international data transfer

Find out how to use standard data protection clauses and the new International Data Transfer Agreement (IDTA) and addendum, to lawfully and securely transfer personal data to 'third' countries
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.
Standard Contractual Clauses (SCCs) for restricted transfers from the EU
In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.
Restricted data transfers from the UK
As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:
International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
Addendum to the EU SCCs – most likely to be used for transfers involving EU data
The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.
International Data Transfer Agreement and guidance
The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.
The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.
Find more information on the IDTA and the Addendum.
Transition period for using the IDTA and the Addendum
The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:
SCCs for controllers to processors (Word, 124K)
SCCs for controllers to controllers (Word, 112K)
All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.
From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.
Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

International data transfers after the EU exit

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/contractual-clauses-international-data-transfer

Links
GDPR penalties and fines

Two levels of fines are possible under the UK data protection law, as well as other sanctions and penalties if you breach data protection rules and legislation.
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).
The ICO can issue sanctions for a breach of the regulation, including:
warnings and reprimands
compliance orders
bans on processing or data transfers (permanent or temporary)
administrative fines
Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.
Fines for infringement of the UK GDPR
Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:
a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation
The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.
How does the ICO determine the level of penalties?
The ICO will consider a number of factors when determining the level of penalties, including::
the nature, gravity, and duration of the infringement
the number of people affected and the extent of the damage to them
whether the breach was intentional or negligent
any previous history of noncompliance
any action taken to mitigate the damage
whether the controller notified the ICO of the infringement and co-operated
See more on reporting serious breaches of personal data.
A breach affecting individuals in EEA countries will engage the EU GDPR. For businesses that process personal data of EU citizens, failure to comply with the EU GDPR may result in penalties under the EU regulation. A maximum fine under the EU GDPR is €20 million or 4 per cent of the business's total annual worldwide turnover.
As part of your breach response plan, you should establish which European data protection agency is the lead supervisory authority for the processing activities that have been subject to the breach. For more information, see guidance on identifying your lead authority.
Impact of GDPR non-compliance
The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.
You may be subject to:
private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
reputational damage
loss of consumer trust
It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.
This guide does not constitute legal advice and is provided for general information purposes only.
Help

ICO Helpline

Actions

ICO guide to the UK GDPR

Data protection self-assessment

Also on this site

Comply with the Children's code to protect children's privacy online

Privacy and data protection in direct marketing

Content category

IT
Source URL
/content/gdpr-penalties-and-fines

Links

Registering and renewing .eu domain names in the UK

dcomisso — Mon, 04 Jan 2021 08:57:16 +0000

Registering and renewing .eu domain names in the UK dcomisso Mon, 04/01/2021 - 08:57

Registering and renewing .eu domain names in the UK

Closure of landlines and fixed telephone services

dcomisso — Thu, 08 Aug 2019 13:48:34 +0000

Closure of landlines and fixed telephone services dcomisso Thu, 08/08/2019 - 14:48

Business phone systems

In this guide:

Types of business phone systems

Different types of business phone systems include key system units, private branch exchange and virtual (VoIP) systems.
There are three main types of business telephone systems: key system units (KSUs), private branch exchange (PBX) and virtual phone systems. Each has different features, functions and cabling requirements.

Key telephone systems

Many small businesses use key system units (or KSUs) to manage incoming calls. Calls come in via landlines to the central switching unit (sometimes called a keyphone or a key station). The device has buttons that the operator can use to:

view the status of lines and extensions

select outgoing lines or incoming calls

transfer incoming calls to other extensions

facilitate connections between extensions and external lines

The key system is reliable and easy to use but offers only basic telephony functions, such as voicemail and call forwarding. It takes a limited number of phone lines, so may not suit a larger business or one with more complex needs.

What is a PBX phone system?

PBX stands for a private branch exchange, which is a private telephone network used within a business. A typical PBX system:

connects the internal telephones within a business

allows users to share a number of external telephone lines for outgoing calls

Depending on its capacity, a PBX can handle tens or hundreds of telephone lines. Most PBXs today are digital, with computers managing and switching the calls, although some businesses may still use human-operated PBXs.

PBX vs key phone system

A typical private branch exchange offers more functions than the key system. These include various calling and messaging services, including:

call logging

call transfer

automated routing to individual extensions (also known as direct dial-in or DDI)

individual voicemail

fax and computer modem integration

You can host the PBX system on-premise and manage the switchboard system in-house. Alternatively, you can choose a third-party provider to manage the switchboard externally, or even virtually in the cloud.

PBX systems generally suit small businesses that are planning to grow, or businesses requiring 40 or more lines for handling higher volumes of incoming calls.

Virtual phone systems

Virtual phone systems deliver the PBX functionality and services over the internet and enable workers to stay connected wherever they are. When used with Voice over Internet Protocol (VoIP) software, virtual PBXs can include additional features, such as video conferencing, video calling, document sharing, instant messaging, etc.

Virtual phone systems are more flexible than traditional, on-premise systems and suit small and large businesses alike. They don't need extra hardware, since they are delivered over the broadband connection and they work with existing phones, including landlines and mobiles. As a result, they usually involve lower start-up costs for businesses.

Read more about the advantages and disadvantages of VoIP.

If you're looking for a new phone system for your business, it's essential to consider your specific needs and plan your purchase carefully. See business phones: buyer's checklist.

You should also note that changes are expected in the coming years which will see the traditional UK 'copper wire' telephone network closed by 2025 and replaced by digital services. Read more about the future of fixed telephone services.
Actions

Overview of business phone systems

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Mobile technology

Cloud computing

Choose an IT supplier for your business

Content category

IT
Source URL
/content/types-business-phone-systems

Links
Closure of landlines and fixed telephone services

Prepare your business for the PSTN switch-off by January 2027, and upgrade legacy, analogue systems to digital solutions like VoIP.
The Public Switched Telephone Network (PSTN), which currently 91�㽶��ɫ��Ƶs landlines, will be switched off by January 2027. This means businesses must upgrade their landlines and other devices reliant on PSTN to new digital technologies like Voice over Internet Protocol (VoIP), Digital Voice, or all-IP telephony. Other systems, such as alarm systems, telecare devices, and door entry systems, will also require upgrades.
Why and when are landlines going away?
The PSTN network, in use since the late 1800s, is outdated and increasingly unreliable due to the lack of available parts and environmental issues like storms and heat. Digital phone lines will provide clearer communication, greater reliability, enhanced security, and energy efficiency.
The transition from PSTN to digital phone lines is being carried out in phases, with full migration to digital technology required by 31 January 2027. As of June 2025, over two-thirds of UK landlines have already moved to VoIP.
How businesses should prepare for the switch to digital phone lines
You should begin migrating to digital systems as soon as possible to safeguard your services and minimise disruption. Review your infrastructure to identify any systems that may not be compatible with digital lines. These include:
analogue phones and faxes
personal, property or fire alarms
payment terminals
communication systems in lifts and elevators
intercom systems
Some devices and systems may require an upgrade or replacement to function correctly on an all-IP network. Engage with your provider to discuss migration options and timelines.
If you need to upgrade or replace incompatible equipment, consider this an opportunity to future-proof your infrastructure with scalable, flexible digital solutions that can 91�㽶��ɫ��Ƶ your future growth.
If your business is not yet ready to transition fully, discuss interim solutions with your telecom provider. It is essential that you understand the specific steps and timelines for your business’s migration so you can prepare. Your provider may be able to offer tailored advice and 91�㽶��ɫ��Ƶ to facilitate a smooth transition. If your business has multiple sites and/or requires multiple lines, early preparation is essential.
Openreach has published guidance to help businesses get ready for digital phone lines.
Actions

OFCOM's guidance on the future of landline calls

Voice over IP

Also on this site

Wireless technology

Mobile technology

Choosing a business broadband connection

Content category

IT
Source URL
/content/closure-landlines-and-fixed-telephone-services

Links
Basic telephony functions

Six essential functions of office phones systems, and how best to use them to benefit your business.
Most phone systems offer basic telephony functions that give your business flexibility in making and receiving calls. In addition to making and receiving calls, other important small business phone functions include:

voicemail

call redirection

conference calling

call logging

call barring

sending faxes

Essential office phone features

Voicemail

Voicemail is a core telephony function. It allows callers to leave messages while you're away from the phone or on another call. You can store, redirect and access voicemails remotely. You should use voicemail as a temporary measure only; leaving it on for long periods or not responding to messages can damage your customer relations. If you plan to be away from your phone for a while, think about using call redirection.

Call redirection

Call redirection automatically reroutes calls received on one phone to another. For example, you could redirect calls received at the office to employees who work from home, or to salespeople visiting clients, ensuring that calls from potential customers are answered.

Conference calling

Conference calling allows you to work collaboratively when businesses or colleagues are on different sites. It lets you conduct telephone calls involving more than two people - a useful way of coordinating work on projects involving different teams or businesses.

Call logging

Call logging is used to record the number, timing and duration of calls made from each extension. This helps to ensure that your phone system is used appropriately. You can use call logging to monitor productivity in departments where phone calls are a core business activity, such as customer service or sales departments.

Call barring

Call barring restricts access to certain numbers, allowing you to control the use of your phone system. For example, you can use call barring to stop employees dialling overseas or premium-rate numbers.

Fax

The ability to send faxes is still important, eg for sending urgent documents that you do not hold electronically. However, document scanning and email are increasingly replacing this function. See more on the benefits of computer telephony integration.

Advanced and call centre telephone features

Businesses with more complex needs, such as call centres, may benefit from a range of additional features to help them manage their workflow. These may be call recording, automatic attendants or automatic call distribution, or any other features that help with handling higher volumes of incoming calls.
Actions

Overview of business phone systems

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Mobile technology

Plan your business IT systems

Employees working from home

Content category

IT
Source URL
/content/basic-telephony-functions

Links
Handling higher volumes of incoming calls

Use automated telephony features such as call distribution or automatic attendants to handle a high volume of calls.
If your business receives a high volume of incoming calls, you can use automated telephony features to help you deal with them efficiently. These features are particularly important for businesses in consumer-facing sectors, such as call centres.

Common call centre telephony features

Call centres and similar businesses often use a range of advanced features to manage their workload and interact with their customers over the phone. Some of these features include:

automatic attendant

automatic call distributor

skills-based routing

call queues

advanced call control, recording, monitoring, barging, etc

Automatic attendant

This function greets callers with an introductory message and a list of options. Pressing the relevant number on their telephone keypad directs the caller to the right department or person for their query. An automatic attendant feature can:

save time and resources by redirecting incoming calls

improve customer experience by connecting the caller with the right person in the shortest time possible

The design of an auto-attendant menu is crucial to the function's success. Keep your greeting, prompts and menu options simple. Customers will get frustrated if the system is making it difficult to reach the right person. Providing an additional option to cover 'all other queries' or 'speak to a service representative' will often be enough to meet the needs of your callers.

Automatic call distributor (ACD)

This function routes incoming calls to the most appropriate agent in the call centre. You can use ACD to gather usage data, such as call duration and wait time, which can help you manage high call volumes with increased efficiency. Many distribution functions also have advanced options that allow you to:

present marketing messages to callers while they wait in the queue

tell callers their queue position and the expected wait time

You should manage your line capacity carefully to ensure that callers are not kept waiting for too long. If you are playing background music to your callers while they are 'on hold', make sure that the audio you've chosen is sensible. It should be pleasant, fit your brand and at an appropriate sound level - otherwise waiting on hold can turn into an irritating experience for your customers.

Skills-based routing

This functionality can help you optimise the service you provide to your callers. It sends calls to different agents, departments or teams based on customised tags or rules. This way you can direct the caller to the specific staff most qualified to meet their needs.

Integrating telephony and other business tools

When combined with call centre software, telephony can integrate with other business tools to provide comprehensive information about callers. It is common, for example, to integrate telephony with:

customer relationship management (CRM) systems

e-commerce platforms

marketing software

chat systems

Integrated software systems can be feature-rich and offer things like:

automated screen pop

predictive dialler

voicemail transcription and notification

real-time or historical reporting

Read more about computer telephony integration.
Actions

Overview of business phone systems

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Mobile technology

Plan your business IT systems

Staff security and monitoring employees

Content category

IT
Source URL
/content/handling-higher-volumes-incoming-calls

Links
Advantages and disadvantages of VoIP

How Voice over Internet Protocol works, what are the benefits of VoIP, and how to use it to your business' advantage.
Voice over Internet Protocol (VoIP) technology is gradually replacing the traditional landline networks and is becoming a popular alternative to mobile phone calling.

What is VoIP and how does it work?

VoIP is short for Voice over Internet Protocol. It is a digital technology that allows you to make calls using the internet, rather than a regular phone line. VoIP is also commonly referred to as internet telephony, IP telephony or Voice over IP.

VoIP works by converting analogue voice calls into digital data that travels over the public internet or a private internet protocol (IP) network. Using VoIP, you can make phone calls over the internet to landlines, mobile phones and even computer-to-computer anywhere in the world where an internet connection is available.

As well as audio calls, you can use VoIP for services such as video calls, instant messaging and file sharing. Many VoIP applications are available as stand-alone products or bundled with popular web browsers.

What are the advantages of VoIP?

There are many benefits to using VoIP for business. For example:

Cost savings - with VoIP, you pay only for your internet connection. Calls between individuals with VoIP equipment - even international calls - are free.

Rich features - VoIP offers a wide range of features: from call forwarding, blocking, caller ID and voicemail, to remote management, automatic call distribution and interactive voice recognition.

Collaboration - VoIP integrates easily with other systems and helps staff collaborate through voice, video, web conferencing or instant messaging, usually from a single user interface.

Improved productivity - staff can use your communication system remotely and flexibly, with access to your data and network whenever and wherever they need it.

Difficulties with VoIP

While VoIP is often cheaper and more flexible than traditional phone systems, it's worth keeping in mind potential problems. For example:

Audio quality - depending on your broadband, hardware and services, the quality and reliability of VoIP connections may not be as good as the standard phone connections. Common issues that can happen during calls are delays, noise and echo.

Bandwidth dependency - VoIP depends on your internet connection. If your connection goes down, so does your phone line. Similarly, insufficient bandwidth will likely cause quality issues with the service.

Security - as with other internet technologies, security is a major consideration with VoIP. Possible threats include identity and service theft, phishing, viruses and malware, spamming over internet telephony, call tempering and denial of service attacks.

Extra costs - if you use VoIP to phone someone without VoIP capabilities, you can incur additional costs.

Read more about the different types of business phone systems and computer telephony integration (CTI).

You should also note that changes are expected in the coming years which will see the traditional UK 'copper wire' telephone network closed by 2025 and replaced by digital services, including VoIP. Read about the closure of landlines and fixed telephone services.
Actions

Voice over IP

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Wireless technology

Mobile technology

Choosing a business broadband connection

Content category

IT
Source URL
/content/advantages-and-disadvantages-voip

Links
Advantages and disadvantages of mobile phones in business

Pros and cons of using mobile phones and tablets in the workplace, and possible risks to your business.
Mobile phones are a vital piece of business equipment for many business owners and their staff. While they offer substantial advantages, using mobile phones in the workplace is not without challenges.

Advantages of mobile phones

Using mobile phones in business can boost productivity, mobility, safety and morale of your workforce. Mobiles can help employees to:

improve customer service

remain in contact with the office, customers and suppliers

increase mobility

increase productivity

work remotely (eg work from home or away from an office)

Connecting a mobile phone or a laptop to the internet can give employees an even greater degree of flexibility. Read more about mobile technology.

Disadvantages of using mobile phones in business

Significant business challenges can emerge from using mobile phones at work. For example:

Workflow disruption - always-on communication in the form of personal and work-related calls can disturb employee workflow and decrease their productivity.

Compromised work-life balance - 'all hours' availability can interrupt your employees' personal life if they receive calls outside their working hours.

Costs - providing mobile phones to your workforce can be expensive. However, you can enable features on your handsets and SIM cards to restrict the use of phones for business purposes only. You can also choose a tariff that suits company usage. Speak to your service provider about what is possible.

Legal issues - the law prohibits using handheld phones while driving. If you require or permit your staff to use a handheld mobile phone while driving on duty, you could be committing an offence.

Territories - if you expect mobile users to travel overseas, you should check costs. Keep in mind that you may need 'tri-band' handsets if travelling to North America.

When employees use company mobile phones for reasons unrelated to work, the devices can become an unwelcome distraction at the very least and a legal and operational risk at worst.

To avoid potential problems, you should have a clear policy on the use of mobile phones at work. See our sample telephone usage policy.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Wireless technology

Sample IT policies, disclaimers and notices

Content category

IT
Source URL
/content/advantages-and-disadvantages-mobile-phones-business

Links
Computer telephony integration (CTI)

What is computer telephony integration or CTI, and how integrating telephone and IT systems can benefit your business.
Computer telephony integration (CTI) is a way of connecting your phone system to your computer network to handle all your voice, fax and data traffic.

What is computer telephony integration?

In short, CTI is a technology that allows computers to interact with telephone systems. CTI allows users to carry out call-related tasks directly from their desktop, rather than a private branch exchange or key system telephone. This gives you centralised control over your communications (ie phone, voice mail, mobile, email, fax, etc) through a single interface.

CTI is particularly useful for businesses that handle a large volume of sales and calls, such as customer service call centres.

Most businesses can use CTI for:

sending and receiving voicemails as emails so they appear in your email inbox

using the internet to make outward calls

consolidating all messages (including email, voicemail, fax, phone messages) into one inbox using unified messaging technology

What is unified messaging?

Unified messaging allows you to collect all email, voicemail, faxes and text messages in one inbox. This technology offers a number of benefits. For example, it enables you to:

access any type of communication through a number of means - phone, laptop, internet cafe

remain in total contact even while out of the office

interact with the messages - eg by forwarding voicemail messages or adding private notes to the message

consolidate and simplify existing technologies, reducing costs

Benefits of computer telephony integration in business

CTI usually comes at a cost. For many small businesses, the cost of implementing CTI may not be justified by the benefits it offers. However, businesses in which employees spend a lot of their time on the phone in consumer-facing services (eg call centres) may significantly benefit from CTI.

For example, CTI can:

improve customer service - eg customer records can be automatically presented to staff members taking calls

increase efficiency by automating routine tasks, eg dialling numbers automatically from your computer

improve collaboration and productivity or staff through a single CTI interface

enable efficient call monitoring, recording and real-time analytics

Read more about handling higher volumes of incoming calls.

How to set up CTI in your business?

The equipment you will need to implement CTI in your business varies according to the size of your system. To connect a single PC and telephone all you need is a special modem and software to retrieve database records. For CTI systems with more than one user, you will need a network server. This can be an existing server or a separate one dedicated to managing your telephony.
Actions

Computer telephony integration

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Mobile technology

Wireless technology

Plan your business IT systems

Content category

IT
Source URL
/content/computer-telephony-integration-cti

Links
Business phones: buyer's checklist

Use our checklist to help you determine your requirements and buy the best phone system for your business.
If you're thinking of buying a new phone system for your business or upgrading to a different service, you should assess your needs carefully. You will want to think about your:

infrastructure

scalability

user needs

acceptance and training

network compatibility

long-term implications

potential for productivity enhancements

You will also want to bear in mind that changes are expected in the coming years which will see the traditional UK 'copper wire' telephone network closed by 2025 and effectively replaced by digital services.

Read about the closure of landlines and fixed telephone services.

9 questions to ask before buying a new business phone system

Consider these specific questions in your decision-making process:

Do you need a full phone system with physical telephones or could you get by with virtual phone service? Compare the different types of business phone systems.

If you need actual telephones, how big does your system need to be? How many lines and extensions will you need? One line for every four or five extensions should be enough depending on how telephone-intensive your business is. Do you need the lines connected to your main business number, or is direct dial-in to individual extensions a better option?

Think about how your business needs are likely to change. How many employees do you expect to have in the future? Is your business seasonal? If you have few permanent staff, you may need to add extra extensions at peak times.

How do you want to manage calls, faxes and emails? You may need a separate fax line as well as the capacity for connecting to the internet. Could you benefit from a unified messaging system? See computer telephony integration (CTI).

What features and capabilities would you like your system to have? Do you need basic telephony functions or are your needs more complex?

Do you want to route your calls over landlines or use the Voice over Internet Protocol (VoIP) connection? See the advantages and disadvantages of VoIP.

Are mobile data services important to you? If so, you will need to consider a suitable option. Your network service provider will be able to help you make this choice. Read about the advantages and disadvantages of mobile phones in business.

What type of individual handsets will you need? Cordless units let you move between different departments or around a site, while hands-free units allow employees to type and write while on the phone. Some phones have microphones and speakers for conference calls.

Think about your phone number. Should you buy an easy-to-remember number? Should you buy numbers with 0800, 0870, 0845 and 09 prefixes? These can decrease or, in the case of 09 prefixes, increase the cost to your customer of calling you. Non-geographic numbers can also help small, locally run businesses achieve a national identity.

After considering your business phone system requirements, you will also have to choose the right telecom supplier for your business.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Mobile technology

Choosing a business broadband connection

Choose an IT supplier for your business

Content category

IT
Source URL
/content/business-phones-buyers-checklist

Links
Choose the right telecoms supplier

Key things to consider when selecting a supplier for your business' telecoms service.
Your choice of telecoms suppliers is likely to depend on a range of factors, including how complicated your business needs are and how confident you are in knowing what equipment you require.

The main suppliers of telephone systems and services are:

manufacturers

retailers

telecoms service providers

consultants

How to find the right telecoms supplier for your business?

Recommendations are a good place to start when looking for a supplier. Talk to business acquaintances with telephone systems similar in size to yours and ask them about their experiences.

It's a good idea to talk to a number of suppliers. Retailers and service providers often recommend a single manufacturer but there may be a range of systems on the market you could use. It might also be worth using a tariff comparison website such as uSwitch. These sites can often help you assess which suppliers offer packages most suited to your requirements.

It's important to be clear about what you want your supplier to provide and to make sure from the outset they'll be able to deliver it. Things to consider include:

Initial advice - do you need help identifying appropriate systems and functions?

Installation - will the supplier install your system?

Maintenance - what happens if there's a problem? Will there be a charge for maintenance?

Training - do you need training to use the new system and conduct day-to-day maintenance?

Scalability - can the system accommodate extra users or enhanced functions if your business grows or its needs become more complicated?

After-sales service - will there be ongoing telephone or online 91�㽶��ɫ��Ƶ? Using a local dealer can give you easier after-sales access to your supplier.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

Also on this site

Choose an IT supplier for your business

Choosing a business broadband connection

Mobile technology

Content category

IT
Source URL
/content/choose-right-telecoms-supplier

Links
Sample telephone usage policy

How to write an acceptable telephone usage policy for your business to ensure that you include all the key terms.
Many businesses use telephone usage policy to ensure high standards of customer service. You should tailor the policy to your business needs and processes, and set out the general rules for the appropriate use of telephones in your business.

What to put in a telephone usage policy

A telephone usage policy could cover the following issues:

Standard greetings

A consistent approach to responding to calls is an important part of your customer service. Explain in your policy how employees should greet callers. For example, they could state the business name, their own name and then ask: "How may I help you?"

Message quality

Identify in your policy any control measures or provisions for supervision or approval of the quality and content of any automatic messages or recorded guidance.

Transferring calls

Explain protocols for call transfers. For example, employees in all areas should be aware of the names, roles and responsibilities of people across your business so that they can transfer calls swiftly and accurately.

Call scripts

Businesses conducting large numbers of similar calls might use manuals providing lists of standardised responses to frequently received queries.

Private use

Some businesses place limits on making personal calls at work. You may also consider restricting the use of private mobile phones.

Call monitoring

For training and quality control purposes, you may want to record calls your employees make and receive. Contact your telephone system's supplier to find out the options for call monitoring and automatic call recording.

Monitoring telephone calls in the workplace

Call monitoring in the workplace can occur for a variety of reasons. For example, it can help with:

employee training

customer quality insurance and monitoring

legal and regulatory compliance

resolving potential disputes with customers

evidencing business transactions

preventing or detecting crime

Monitoring and recording of calls are subject to regulation and have privacy and data protection implications. Before you implement any measures, you must identify clear business benefits and weigh these against any adverse impact on your employees.

If you wish to monitor or record calls with your customers, you must let them know that you may be recording the calls. Find out how to monitor staff correctly and lawfully.
Actions

Invest NI's ICT 91�㽶��ɫ��Ƶ for business

ICO’s GDPR code of conduct

Also on this site

Staff security and monitoring employees

Privacy and data protection in direct marketing

UK General Data Protection Regulation (UK GDPR)

Content category

IT
Source URL
/content/sample-telephone-usage-policy

Links

IT

5G technology

5G technology

Understanding your business IT needs (video)

Plan your business IT systems

Carry out a technology needs assessment

What is a technology needs assessment?

How to assess technology needs in your business?

1. Gather relevant information

2. Identify drivers for change

3. Determine the requirements

4. Consider your resources

5. Review and prioritise results

Source URL

Links

Align IT with your business strategy

What does it mean to align IT with business strategy?

Benefits of aligning IT with business strategy

How to align IT with business objectives?

Source URL

Links

Develop an IT strategy

What is an IT strategy?

How do you develop an IT strategy?

Importance of having an IT strategy

Source URL

Links

Choose the right IT system for your business

Types of IT systems in business

Bespoke systems

Cloud systems

Linked systems

Networked systems

Source URL

Links

Implement new IT system within your business

Steps for successful systems implementation

Communication

Project kick-off

System installation and configuration

Change management

Staff training

User 91�㽶��ɫ��Ƶ

Data migration

Contingency planning

Scheduling go-live

Monitoring risks during implementation

Checking security

Measuring outcomes and results

Potential pitfalls of new IT system implementation

Help with IT system implementation

Source URL

Links

Integrate your back-office systems

What are back-office systems?

What is integration in IT?

Benefits of system integration

Integration solutions

Source URL

Links

Checklist for planning and integrating IT systems

Source URL

Links

Benefits of information systems in business

Importance of information systems

Other advantages of information systems

Source URL

Links

Understanding your business IT needs (video)

Source URL

Links

Using your mobile in EU and EEA countries

Using your mobile in EU and EEA countries

Comply with the Children's code to protect children's privacy online

Comply with the Children's code to protect children's privacy online

Does the GDPR still apply to the UK?

UK General Data Protection Regulation (UK GDPR)

Does the GDPR still apply to the UK?

Data collected before the end of the transition period

What is the UK GDPR?