UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Organisations (or sole traders) that determine the purpose for which personal data is processed must pay a data protection fee to the ICO, unless they are exempt.

The cost of your data protection fee depends on your size and turnover. There are three tiers of fees ranging from £40 and £2,900, but for most organisations, it will be £40 or £60. Small discount is available if you choose to pay by direct debit.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.