The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

• directly to you:
  • if you operate in the European Economic Area (EEA)
  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA
• to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. 

What is the UK GDPR?

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

• offering goods or services to individuals in the UK, or
• monitoring the behaviour of individuals taking place in the UK

If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Organisations (or sole traders) that determine the purpose for which personal data is processed must pay a data protection fee to the ICO, unless they are exempt.

The cost of your data protection fee depends on your size and turnover. There are three tiers of fees ranging from £40 and £2,900, but for most organisations, it will be £40 or £60. Small discount is available if you choose to pay by direct debit.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.

To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.

What is personal data?

Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:

• name
• date of birth
• identification numbers
• bank details
• addresses, including email addresses
• other location data, such as an IP address
• online identifiers

Other factors, or a combination of factors, may also identify an individual. For example:

• information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
• pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains

If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.

Sensitive personal data

Personal data may also include special categories of personal data, such as:

• data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
• data on criminal conviction and offences

These are considered to be more sensitive and you may only process them in more limited circumstances.

Does your data relate to an individual?

For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:

• the content of the data - is it directly about the individual or their activities
• the purpose you will process the data for
• the results of (or effects on) the individual from processing the data

It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.

The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).

In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.

How long can you keep personal data?

The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.

Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.

The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:

• for the least amount of time that you can
• in accordance with the requirements of your business
• stored securely while it is in your possession
• until it reaches the appointed deletion time

See more on accountability under the UK GDPR.

The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.

1. Lawfulness, fairness and transparency principle

To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:

• identify valid grounds for collecting or using personal data - known as the lawful basis
• ensure that your use of data doesn't breach any other laws
• use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
• be clear, open and honest with people about how you will use their personal data

2. Purpose limitation principle

To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:

• be clear about what your purposes for processing are from the start
• record your purposes as part of your documentation obligations
• inform individuals about your purposes to comply with transparency obligations
• ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent

3. Data minimisation principle

To comply with the third principle, you must ensure that the personal data you are processing is:

• adequate - sufficient to properly fulfil your stated purpose
• relevant - has a rational link to that purpose
• limited to what is necessary - you do not hold more than you need for that purpose

4. Accuracy principle

The accuracy principle requires you to take all reasonable steps to:

• ensure the personal data you hold or process is not incorrect or misleading
• ensure that the source and status of personal data are clear
• consider any challenges to the accuracy of information
• consider if it is necessary to periodically update the information

5. Storage limitation principle

To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:

• think about - and be able to justify - how long you keep the data depending on the purpose you need it for
• set a retention policy or schedule wherever possible, to comply with the documentation requirements
• periodically review the data you hold, and erase or anonymise it when you no longer need it
• carefully consider any challenges to your retention of data, for example when it comes to erasure

6. Integrity and confidentiality (also known as the security principle)

To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:

• against unauthorised or unlawful processing
• against accidental loss, destruction or damage
• using appropriate technical or organisational measures

7. Accountability principle

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.

To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.

There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.

Conditions for processing data under the UK GDPR

The lawful bases for processing include:

Consent

This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.

Contract

This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.

Legal obligation

This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.

Vital interests

This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.

Public task

This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Legitimate interest

This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.

Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

Why must you have a lawful basis for processing?

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.

The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

Deciding which lawful basis applies

You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

• check that the processing is necessary for the relevant purpose
• check that there is no other reasonable way to achieve this purpose
• document why you chose a particular lawful basis - to demonstrate compliance
• explain the purpose and the lawful basis for processing in your privacy notice

If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.

Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.

You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Can you switch lawful basis for processing?

It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

To satisfy the UK GDPR's accountability principle, you must keep a record of:

• which basis you are relying on for each processing purpose
• a justification for why you believe the basis applies

There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.

Find out more about documentation requirements in our guidance on accountability.

Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).

What is valid consent under the GDPR?

For consent to be valid under the UK GDPR, it must:

• be freely given - giving people genuine choice and control over how you use their data
• be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
• be obvious that the individual has consented, and what they have consented to
• require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand

Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.

When should you obtain consent under GDPR?

You may need to seek consent in a number of circumstances. For example, if:

• no other legal basis for data processing applies
• you want to use or share someone's data in unexpected or potentially intrusive ways
• you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)

Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.

Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.

When should you not use consent?

You should not use consent as your lawful basis for processing if:

• you can't offer people a genuine choice over how they use their data
• you could process data on a different lawful basis if consent is refused or withdrawn
• you ask for consent as a precondition of accessing your services
• you are in a position of power over the individual, eg an employer processing employee data

Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

How to obtain consent

You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.

You should obtain consent upfront before processing begins. As a minimum, your consent request must include:

• the name of your organisation and of any other controllers who will rely on the consent
• why you want the data (the purposes of the processing)
• what you will do with the data (the processing activities)
• that people can withdraw their consent at any time

You can use different methods to obtain consent, but you must ask people to actively opt in.

Opt-in consent

Examples of active opt-in mechanisms include:

• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Explicit consent

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.

If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.

If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.

If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.

How to record consent

Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:

• who consented
• when they consented
• what they were told at the time
• how they consented
• whether they have withdrawn consent (and if so, why)

An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.

Reviewing consent

Your obligations don't end when you get consent. You should keep your consents under review and refresh them:

• if anything changes, eg if your purposes for processing evolve
• if you rely on parental consent, when children grow up and can consent for themselves
• automatically at appropriate intervals, depending on the context, people's expectations

If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.

How long does GDPR consent last?

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Managing consent for use of personal data

In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.

You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.

What happens when someone withdraws their consent?

If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.

Consent and individuals' rights

If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:

• the right to erasure (also known as 'the right to be forgotten')
• the right to data portability
• the right to withdraw consent - which in effect operates as a right to stop the processing

See more on data subject rights under the UK GDPR.

Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.

Individuals' rights under the UK GDPR

Under the regulation, individuals can exercise:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing
8. The rights in relation to automated decision making and profiling

1. Right to be informed

This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:

• your business
• your purposes and lawful basis for processing their personal data
• who the data will be shared with, including details of international transfers
• your retention periods for that personal data
• the rights available to them in respect of processing
• the right to lodge a complaint

Depending on the type of processing you do, you may need to provide other categories of information as well. For example:

• if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
• if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent

You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.

The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.

2. Right of access (known as subject access request)

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).

Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.

If you receive a valid SAR:

• you should perform a reasonable search for the requested information
• you should respond without delay and within one month of receipt of the request
• you may extend the time limit by a further two months in certain circumstances
• you should provide the information in an accessible, concise and intelligible format
• you should disclose information securely

You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.

3. Right of rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.

If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.

4. Right to erasure (also known as the right to be forgotten)

In certain circumstances, individuals have the right to ask you to erase their personal data if:

• you have processed their data unlawfully
• you no longer need the data for the original purpose
• you rely on consent for processing or holding the data, and they withdraw it
• they exercise their right to object to processing, and you can't override their objection
• erasure is necessary for compliance with other legal obligations

If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.

Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.

5. Right to restrict processing

Individuals can ask you to restrict processing their personal data if, for example:

• they believe their data is not accurate and you are verifying the accuracy of the data
• the processing is unlawful but the individual doesn't want the data erased
• you no longer need the data but the individual needs it to exercise a legal claim
• you are taking steps to verify overriding grounds in the context of a request

If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.

If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.

6. Right to data portability

This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:

• your lawful basis for processing this information is consent or contract
• you are carrying out the processing by automated means (ie excluding paper files)

For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.

7. Right to object to processing

The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:

• a task carried out in the public interest
• the exercise of official authority vested in you, or
• your legitimate interests (or those of a third party)

In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.

If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:

• you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
• the processing is necessary in connection with legal rights

See more on the right to object.

8. Right related to automated decision making including profiling

Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:

• automated individual decision-making - ie making a decision solely by automated means without any human involvement
• profiling - automated processing of personal data to evaluate certain things about an individual

You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.

Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.

What is a subject access request (SAR)?

A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:

• can be verbal or in writing
• can be submitted by any means, eg via web form, email, letter, phone call, etc
• can be made to any part of your business, not just a specific department
• doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data

The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.

The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.

Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.

Who can request personal information?

Individuals will only be able to request access to their own personal data, unless:

• they are authorised to act on behalf of someone
• the data that relates to another person also happens to relate to them

Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.

You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.

The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.

What should be provided as part of subject access request?

Data subjects are entitled to receive:

• confirmation of whether you are processing their data
• a copy of their personal data
• other supplementary information (including mandatory privacy information)

Before responding to any request, you should establish if the information requested falls within the definition of personal data.

How to respond to a subject access request?

To comply with subject access requests, you have to:

• respond to a request without undue delay and within one month of receipt
• give information in a concise, transparent, intelligible and easily accessible form
• use clear and plain language, especially if you are disclosing information to a child
• respond electronically, if the request was made by the same means - unless asked otherwise

You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.

How long do I have to comply with SAR?

In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.

You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.

Seeking more information

If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.

If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.

Can you charge for subject access requests?

In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:

• if the request is manifestly unfounded or excessive
• if an individual requests further copies of their data following a request

Can I refuse a subject access request?

In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.

Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.

You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.

The UK General Data Protection Regulation (UK GDPR) specifies the types of information that you need to provide individuals with if you're processing personal data that relates to them. This is called 'privacy information'. It's best to have this privacy information written down in a document called a 'privacy notice'.

What are privacy notices under GDPR?

A privacy notice is essentially a public statement that explains - at the point of data collection - how you collect, process and use people's data. It helps people understand what would happen to their data if they decide to share it with you. Individuals are entitled to this information under their right to be informed.

Before you start drafting your privacy notice, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise. You must also take care that you communicate privacy information clearly, honestly and openly with the individuals.

What is in a privacy notice?

The UK GDPR prescribes the categories of information and the level of detail you must include in your privacy notice.

The key points you may need to address are:

• Who is collecting the data?
• What type of data are you collecting?
• How and why are you collecting it?
• What is the purpose and the lawful basis for processing the data?
• Who can access the information?
• Will you share the data with any third parties?
• Will you transfer the data abroad?
• What safeguards will you put in place for the security of this data?
• How will you use the information?
• How long will you store the data for?
• What rights does the data subject have, including to withdraw consent?
• How can the individual raise a complaint?
• Will you be making automated decisions about the individual, including profiling?

What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to, or obtain it from another source. The Information Commissioner's Office (ICO) has detailed guidance on privacy information, explaining exactly what information you are required to include.

When should privacy information be issued?

The UK GDPR says that you must provide individuals with privacy information at the point of data collection if:

• you are collecting information directly from individuals (eg when they fill in a form)
• you are collecting data by observation (eg using CCTV or tracking people online)

Often, this happens as part of obtaining consent from the user or telling them about legitimate interests.

If you're obtaining information about an individual from a third party, or from a publicly accessible source, you should provide privacy information within a reasonable period after obtaining the personal data, but at the latest within one month.

If, for instance, you plan on:

• using personal data you obtained from a third party or online source to communicate with the individual it relates to, you must provide personal information when the first communication takes place
• disclosing an individual's personal data to someone else, you must provide a privacy notice that includes details of the sharing before you disclose the data

If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people's attention.

Ways to provide privacy information

You can use a number of techniques to provide people with privacy information. For example:

• a layered approach - short notices containing key privacy information that have additional layers of more detailed information
• just-in-time notices - providing information at certain points of data collection (eg during purchasing or interaction)
• icons and symbols - to indicate that a particular type of data processing is occurring
• dashboards - preference management tools that inform people how you use their data and allow them to manage what happens with it
• mobile and smart device functionalities - eg pop-ups, voice alerts and mobile device gestures

You can also use a blended approach. Using more than one of these techniques is often the most effective way to provide privacy information. See common issues you may encounter around privacy information.

UK GDPR privacy notice templates

You can use our sample privacy notice document and customise it to fit the circumstances of your business and the type of processing that you do.

Alternatively, you can download the ICO's template to help build your own privacy notice (DOC, 38K). The template is especially suitable for small businesses, sole traders and community groups.

Other templates are available on the internet. Make sure that whichever template you use is GDPR-compliant, and that you customise it to reflect exactly what you do with personal data.

Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.

What does accountability mean in UK GDPR?

Accountability means:

• you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
• you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply

For a small business, this means you must:

• ensure a good level of understanding and awareness of data protection amongst your staff
• implement comprehensive but proportionate policies and procedures for handling personal data safely
• keep records of what you do and why

You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

How to comply with accountability obligations

The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:

1. Data protection policies

The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:

• privacy procedure and notice
• staff training policy
• information security policy
• data protection impact assessment procedure
• retention of records procedure
• subject access request form and procedure
• international data transfer procedure
• data portability procedure

Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.

2. Contracts

If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.

3. Documentation

By law, most organisations are required to maintain a record of their processing activities, covering:

• name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
• the processing purposes
• a description of the categories of individuals and categories of personal data
• the categories of recipients of personal data
• details of your transfers to third countries, including the safeguards in place
• retention schedules
• a description of your technical and organisational security measures

If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.

As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:

• information required for privacy notices
• records of consent
• controller-processor contracts
• the location of personal data
• Data Protection Impact Assessment reports
• records of personal data breaches
• information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.

4. Data protection by design and default

This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.

The UK GDPR suggests measures that may be appropriate to this, such as:

• minimising the data you collect - both in terms of volume and retention
• storing data no longer than is necessary
• storing data only for the purposes for which it is processed
• applying pseudonymisation techniques
• improving security features

To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.

5. Data protection officers (DPOs)

The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:

• you are a public authority or body
• you carry out certain types of processing activities, including:
  • regular and systematic monitoring of data subjects on a large scale
  • large-scale processing of sensitive personal data or data relating to criminal convictions and offences

This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.

A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.

Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.

6. Codes of conduct and certification

Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.

Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.

Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).

What is a data mapping audit?

A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.

The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.

How to perform a data mapping audit?

To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:

What types of personal data do you hold?

List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?

Why do you hold this data?

List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).

How did you collect this data?

List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?

How do you store it?

Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?

What do you do with this data?

How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?

Who owns and controls the data?

Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?

How long do you keep the data for?

Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?

What do you need to do to make your data processing GDPR compliant?

List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.

It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.

Data audit templates

The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:

• Download documentation template for controllers (Excel, 31K)
• Download documentation template for processors (Excel, 19K)

Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.

A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.

When is an organisation required to carry out a data protection impact assessment?

You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:

• systematic and extensive profiling with significant effects
• large-scale use of special category or criminal offence data
• systematic monitoring of publicly accessible places on a large scale

When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:

• evaluation or scoring
• automated decision-making with legal or similar significant effect
• systematic monitoring
• sensitive data or data of a highly personal nature
• data processed on a large scale
• matching or combining datasets
• data concerning vulnerable data subjects
• innovative use or applying new technological or organisational solutions
• preventing data subjects from exercising a right or using a service or contract

In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.

What type of processing is likely to result in high risk?

The ICO maintains a list of processing operations that require a DPIA. These include:

• use innovative technologies (including artificial intelligence)
• use of profiling or special category data to decide on access to services
• profiling individuals on a large scale
• processing biometric data
• processing genetic data, unless by a health professional providing health care directly to the data subject
• matching data or combining datasets from different sources
• collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
• tracking individuals' location or behaviour, including but not limited to the online environment
• profiling children or targeting marketing or online services at them
• processing data that might endanger the individual's physical health or safety in case of data breach

Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.

If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

How do you do a data protection impact assessment?

Typically, a DPIA will involve the following key steps:

• identify the need for a DPIA
• describe the processing
• consider consultation
• evaluate the necessity and proportionality
• identify data protection and related risks
• identify measures to reduce or eliminate the risks
• sign off and record the outcomes of the DPIA
• integrate data protection solutions into the project
• keep under review

You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.

You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified. 

The ICO offers a summary guidance on DPIA process.

Data protection impact assessment template

You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.

Consulting the ICO about high risk processing

If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.

In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:

• issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
• impose a limitation or ban on your intended processing

If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.

Failure to carry out data protection impact assessments

DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also support compliance with data protection by design and default obligations.

Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.

The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.

What level of security is needed under UK GDPR?

The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.

The security measures you put in place should seek to ensure that:

• the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
• the data you hold is accurate and complete in relation to why you are processing it
• the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned

Organisational security measures

Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:

• build security awareness in your organisation
• allocate responsibility for information security within your organisation
• ensure those responsible have the resources and authority to do their job effectively

An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.

Other related matters you will need to consider include:

• co-ordination between key people in your organisation
• access to premises or equipment given to anyone outside your organisation
• business continuity arrangements for the protection and recovery of personal data you hold
• periodic checks on and updates to your security measures

Technical security measures

Technical measures include both:

• physical security, which covers things like
  • protection of premises by means of alarms, lighting, CCTV
  • control of access to premises
  • disposal of paper and electronic waste
  • secure maintenance and disposal of IT equipment, mobile devices, etc
• IT security (or cyber security), extending to the security of
  • your network and information systems
  • the data you hold within your systems
  • your website, online services and applications that you use
  • your devices, including policies on the use of personal devices in the workplace

Encryption

The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:

• widely-available
• relatively low costs to implement
• available in a large variety of solutions

If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.

Password authentication

Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Therefore, any password setup that you implement must:

• be appropriate to the particular circumstances of this processing
• protect against theft of stored passwords
• protect against 'brute-force' or guessing attacks

There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.

The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.

Test your security measures

The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.

Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.

Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.

What is a breach of personal data?

A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:

• if you lose, destroy, corrupt or disclose personal data
• if someone accesses the data or passes it on without proper authorisation
• if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals

When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:

• how serious or substantial these are, and
• how likely they are to happen

In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.

Should I report a data breach?

You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:

• discrimination
• damage to reputation
• emotional distress
• identity theft or fraud
• financial or material loss
• other significant economic or social disadvantages

You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.

Telling individuals about a breach

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.

Determine the level of risk accurately

If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.

If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.

What if a processor experiences a data breach?

If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.

How long do organisations have to report data breaches?

You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.

When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:

• the nature of the breach, including:
  • the categories and approximate number of affected individuals
  • the categories and approximate number of affected data records
• the likely consequences of the breach
• the measures taken or proposed to be taken, to deal with and mitigate the breach
• the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained

Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.

How do I notify the ICO of the data breach?

To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.

Recording personal data breaches

As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.

In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.

You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.

Failing to report a data breach

Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.

You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.

Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.

If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.

Are you making a restricted transfer?

You are making a restricted transfer of personal data if:

• the UK GDPR applies to your processing of the personal data you are transferring
• you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
• the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group

Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.

Rules on transferring personal data from the UK

Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:

• Is the restricted transfer covered by adequacy regulations?
• Is the restricted transfer covered by appropriate safeguards?
• Is the restricted transfer covered by an exception?

Adequacy decisions

You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.

Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.

The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:

• an adequacy decision for Gibraltar
• an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
• partial findings of adequacy about Japan and Canada

If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.

Appropriate safeguards

Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.

The safeguards include:

• a legal instrument between public authorities or bodies
• UK Binding Corporate Rules (UK BCRs)
• data protection clauses for restricted transfer
• an approved code of conduct
• certification under an approved certification scheme
• contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
• administrative arrangements between public authorities or bodies

UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.

You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.

Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.

Exceptions on restricted transfers

If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.

Specific exemptions, or derogations, for data transfers apply when:

• the data subject explicitly consents to the transfer (and is aware of the risks)
• you have a contract with the individual and:
  • the transfer is needed for the performance of that contract
  • the contract benefits another individual whose data is being transferred
• the transfer is deemed necessary for reasons of public interest
• the transfer is necessary in relation to a legal claim
• the transfer is necessary to protect the data subject's vital interests (eg their life)
• the transfer is made from a public register created under UK law
• the transfer is a one-off and necessary for your competing legitimate interests

If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.

Rules on transferring personal data from the EEA into the UK

Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:

• the country they are sending data to is covered by an EC adequacy decision
• one of the EU GDPR appropriate safeguards is in place
• one of the list of EU GDPR exceptions applies

The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.

The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.

Standard Contractual Clauses (SCCs) for restricted transfers from the EU

In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.

Restricted data transfers from the UK

As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:

• International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
• Addendum to the EU SCCs – most likely to be used for transfers involving EU data

The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.

International Data Transfer Agreement and guidance

The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.

The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.

Find more information on the IDTA and the Addendum.

Transition period for using the IDTA and the Addendum

The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:

• SCCs for controllers to processors (Word, 124K)
• SCCs for controllers to controllers (Word, 112K)

All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.

From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.

Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.

If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).

The ICO can issue sanctions for a breach of the regulation, including:

• warnings and reprimands
• compliance orders
• bans on processing or data transfers (permanent or temporary)
• administrative fines

Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.

Fines for infringement of the UK GDPR

Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:

• a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
• a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation

The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.

How does the ICO determine the level of penalties?

The ICO will consider a number of factors when determining the level of penalties, including::

• the nature, gravity, and duration of the infringement
• the number of people affected and the extent of the damage to them
• whether the breach was intentional or negligent
• any previous history of noncompliance
• any action taken to mitigate the damage
• whether the controller notified the ICO of the infringement and co-operated

See more on reporting serious breaches of personal data.

Impact of GDPR non-compliance

The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.

You may be subject to:

• private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
• reputational damage
• loss of consumer trust

It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.

The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

• directly to you:
  • if you operate in the European Economic Area (EEA)
  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA
• to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. 

What is the UK GDPR?

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

• offering goods or services to individuals in the UK, or
• monitoring the behaviour of individuals taking place in the UK

If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Organisations (or sole traders) that determine the purpose for which personal data is processed must pay a data protection fee to the ICO, unless they are exempt.

The cost of your data protection fee depends on your size and turnover. There are three tiers of fees ranging from £40 and £2,900, but for most organisations, it will be £40 or £60. Small discount is available if you choose to pay by direct debit.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.

To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.

What is personal data?

Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:

• name
• date of birth
• identification numbers
• bank details
• addresses, including email addresses
• other location data, such as an IP address
• online identifiers

Other factors, or a combination of factors, may also identify an individual. For example:

• information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
• pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains

If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.

Sensitive personal data

Personal data may also include special categories of personal data, such as:

• data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
• data on criminal conviction and offences

These are considered to be more sensitive and you may only process them in more limited circumstances.

Does your data relate to an individual?

For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:

• the content of the data - is it directly about the individual or their activities
• the purpose you will process the data for
• the results of (or effects on) the individual from processing the data

It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.

The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).

In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.

How long can you keep personal data?

The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.

Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.

The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:

• for the least amount of time that you can
• in accordance with the requirements of your business
• stored securely while it is in your possession
• until it reaches the appointed deletion time

See more on accountability under the UK GDPR.

The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.

1. Lawfulness, fairness and transparency principle

To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:

• identify valid grounds for collecting or using personal data - known as the lawful basis
• ensure that your use of data doesn't breach any other laws
• use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
• be clear, open and honest with people about how you will use their personal data

2. Purpose limitation principle

To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:

• be clear about what your purposes for processing are from the start
• record your purposes as part of your documentation obligations
• inform individuals about your purposes to comply with transparency obligations
• ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent

3. Data minimisation principle

To comply with the third principle, you must ensure that the personal data you are processing is:

• adequate - sufficient to properly fulfil your stated purpose
• relevant - has a rational link to that purpose
• limited to what is necessary - you do not hold more than you need for that purpose

4. Accuracy principle

The accuracy principle requires you to take all reasonable steps to:

• ensure the personal data you hold or process is not incorrect or misleading
• ensure that the source and status of personal data are clear
• consider any challenges to the accuracy of information
• consider if it is necessary to periodically update the information

5. Storage limitation principle

To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:

• think about - and be able to justify - how long you keep the data depending on the purpose you need it for
• set a retention policy or schedule wherever possible, to comply with the documentation requirements
• periodically review the data you hold, and erase or anonymise it when you no longer need it
• carefully consider any challenges to your retention of data, for example when it comes to erasure

6. Integrity and confidentiality (also known as the security principle)

To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:

• against unauthorised or unlawful processing
• against accidental loss, destruction or damage
• using appropriate technical or organisational measures

7. Accountability principle

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.

To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.

There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.

Conditions for processing data under the UK GDPR

The lawful bases for processing include:

Consent

This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.

Contract

This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.

Legal obligation

This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.

Vital interests

This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.

Public task

This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Legitimate interest

This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.

Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

Why must you have a lawful basis for processing?

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.

The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

Deciding which lawful basis applies

You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

• check that the processing is necessary for the relevant purpose
• check that there is no other reasonable way to achieve this purpose
• document why you chose a particular lawful basis - to demonstrate compliance
• explain the purpose and the lawful basis for processing in your privacy notice

If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.

Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.

You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Can you switch lawful basis for processing?

It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

To satisfy the UK GDPR's accountability principle, you must keep a record of:

• which basis you are relying on for each processing purpose
• a justification for why you believe the basis applies

There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.

Find out more about documentation requirements in our guidance on accountability.

Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).

What is valid consent under the GDPR?

For consent to be valid under the UK GDPR, it must:

• be freely given - giving people genuine choice and control over how you use their data
• be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
• be obvious that the individual has consented, and what they have consented to
• require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand

Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.

When should you obtain consent under GDPR?

You may need to seek consent in a number of circumstances. For example, if:

• no other legal basis for data processing applies
• you want to use or share someone's data in unexpected or potentially intrusive ways
• you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)

Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.

Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.

When should you not use consent?

You should not use consent as your lawful basis for processing if:

• you can't offer people a genuine choice over how they use their data
• you could process data on a different lawful basis if consent is refused or withdrawn
• you ask for consent as a precondition of accessing your services
• you are in a position of power over the individual, eg an employer processing employee data

Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

How to obtain consent

You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.

You should obtain consent upfront before processing begins. As a minimum, your consent request must include:

• the name of your organisation and of any other controllers who will rely on the consent
• why you want the data (the purposes of the processing)
• what you will do with the data (the processing activities)
• that people can withdraw their consent at any time

You can use different methods to obtain consent, but you must ask people to actively opt in.

Opt-in consent

Examples of active opt-in mechanisms include:

• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Explicit consent

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.

If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.

If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.

If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.

How to record consent

Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:

• who consented
• when they consented
• what they were told at the time
• how they consented
• whether they have withdrawn consent (and if so, why)

An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.

Reviewing consent

Your obligations don't end when you get consent. You should keep your consents under review and refresh them:

• if anything changes, eg if your purposes for processing evolve
• if you rely on parental consent, when children grow up and can consent for themselves
• automatically at appropriate intervals, depending on the context, people's expectations

If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.

How long does GDPR consent last?

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Managing consent for use of personal data

In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.

You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.

What happens when someone withdraws their consent?

If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.

Consent and individuals' rights

If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:

• the right to erasure (also known as 'the right to be forgotten')
• the right to data portability
• the right to withdraw consent - which in effect operates as a right to stop the processing

See more on data subject rights under the UK GDPR.

Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.

Individuals' rights under the UK GDPR

Under the regulation, individuals can exercise:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing
8. The rights in relation to automated decision making and profiling

1. Right to be informed

This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:

• your business
• your purposes and lawful basis for processing their personal data
• who the data will be shared with, including details of international transfers
• your retention periods for that personal data
• the rights available to them in respect of processing
• the right to lodge a complaint

Depending on the type of processing you do, you may need to provide other categories of information as well. For example:

• if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
• if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent

You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.

The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.

2. Right of access (known as subject access request)

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).

Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.

If you receive a valid SAR:

• you should perform a reasonable search for the requested information
• you should respond without delay and within one month of receipt of the request
• you may extend the time limit by a further two months in certain circumstances
• you should provide the information in an accessible, concise and intelligible format
• you should disclose information securely

You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.

3. Right of rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.

If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.

4. Right to erasure (also known as the right to be forgotten)

In certain circumstances, individuals have the right to ask you to erase their personal data if:

• you have processed their data unlawfully
• you no longer need the data for the original purpose
• you rely on consent for processing or holding the data, and they withdraw it
• they exercise their right to object to processing, and you can't override their objection
• erasure is necessary for compliance with other legal obligations

If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.

Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.

5. Right to restrict processing

Individuals can ask you to restrict processing their personal data if, for example:

• they believe their data is not accurate and you are verifying the accuracy of the data
• the processing is unlawful but the individual doesn't want the data erased
• you no longer need the data but the individual needs it to exercise a legal claim
• you are taking steps to verify overriding grounds in the context of a request

If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.

If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.

6. Right to data portability

This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:

• your lawful basis for processing this information is consent or contract
• you are carrying out the processing by automated means (ie excluding paper files)

For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.

7. Right to object to processing

The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:

• a task carried out in the public interest
• the exercise of official authority vested in you, or
• your legitimate interests (or those of a third party)

In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.

If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:

• you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
• the processing is necessary in connection with legal rights

See more on the right to object.

8. Right related to automated decision making including profiling

Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:

• automated individual decision-making - ie making a decision solely by automated means without any human involvement
• profiling - automated processing of personal data to evaluate certain things about an individual

You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.

Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.

What is a subject access request (SAR)?

A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:

• can be verbal or in writing
• can be submitted by any means, eg via web form, email, letter, phone call, etc
• can be made to any part of your business, not just a specific department
• doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data

The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.

The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.

Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.

Who can request personal information?

Individuals will only be able to request access to their own personal data, unless:

• they are authorised to act on behalf of someone
• the data that relates to another person also happens to relate to them

Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.

You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.

The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.

What should be provided as part of subject access request?

Data subjects are entitled to receive:

• confirmation of whether you are processing their data
• a copy of their personal data
• other supplementary information (including mandatory privacy information)

Before responding to any request, you should establish if the information requested falls within the definition of personal data.

How to respond to a subject access request?

To comply with subject access requests, you have to:

• respond to a request without undue delay and within one month of receipt
• give information in a concise, transparent, intelligible and easily accessible form
• use clear and plain language, especially if you are disclosing information to a child
• respond electronically, if the request was made by the same means - unless asked otherwise

You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.

How long do I have to comply with SAR?

In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.

You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.

Seeking more information

If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.

If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.

Can you charge for subject access requests?

In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:

• if the request is manifestly unfounded or excessive
• if an individual requests further copies of their data following a request

Can I refuse a subject access request?

In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.

Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.

You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.

The UK General Data Protection Regulation (UK GDPR) specifies the types of information that you need to provide individuals with if you're processing personal data that relates to them. This is called 'privacy information'. It's best to have this privacy information written down in a document called a 'privacy notice'.

What are privacy notices under GDPR?

A privacy notice is essentially a public statement that explains - at the point of data collection - how you collect, process and use people's data. It helps people understand what would happen to their data if they decide to share it with you. Individuals are entitled to this information under their right to be informed.

Before you start drafting your privacy notice, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise. You must also take care that you communicate privacy information clearly, honestly and openly with the individuals.

What is in a privacy notice?

The UK GDPR prescribes the categories of information and the level of detail you must include in your privacy notice.

The key points you may need to address are:

• Who is collecting the data?
• What type of data are you collecting?
• How and why are you collecting it?
• What is the purpose and the lawful basis for processing the data?
• Who can access the information?
• Will you share the data with any third parties?
• Will you transfer the data abroad?
• What safeguards will you put in place for the security of this data?
• How will you use the information?
• How long will you store the data for?
• What rights does the data subject have, including to withdraw consent?
• How can the individual raise a complaint?
• Will you be making automated decisions about the individual, including profiling?

What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to, or obtain it from another source. The Information Commissioner's Office (ICO) has detailed guidance on privacy information, explaining exactly what information you are required to include.

When should privacy information be issued?

The UK GDPR says that you must provide individuals with privacy information at the point of data collection if:

• you are collecting information directly from individuals (eg when they fill in a form)
• you are collecting data by observation (eg using CCTV or tracking people online)

Often, this happens as part of obtaining consent from the user or telling them about legitimate interests.

If you're obtaining information about an individual from a third party, or from a publicly accessible source, you should provide privacy information within a reasonable period after obtaining the personal data, but at the latest within one month.

If, for instance, you plan on:

• using personal data you obtained from a third party or online source to communicate with the individual it relates to, you must provide personal information when the first communication takes place
• disclosing an individual's personal data to someone else, you must provide a privacy notice that includes details of the sharing before you disclose the data

If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people's attention.

Ways to provide privacy information

You can use a number of techniques to provide people with privacy information. For example:

• a layered approach - short notices containing key privacy information that have additional layers of more detailed information
• just-in-time notices - providing information at certain points of data collection (eg during purchasing or interaction)
• icons and symbols - to indicate that a particular type of data processing is occurring
• dashboards - preference management tools that inform people how you use their data and allow them to manage what happens with it
• mobile and smart device functionalities - eg pop-ups, voice alerts and mobile device gestures

You can also use a blended approach. Using more than one of these techniques is often the most effective way to provide privacy information. See common issues you may encounter around privacy information.

UK GDPR privacy notice templates

You can use our sample privacy notice document and customise it to fit the circumstances of your business and the type of processing that you do.

Alternatively, you can download the ICO's template to help build your own privacy notice (DOC, 38K). The template is especially suitable for small businesses, sole traders and community groups.

Other templates are available on the internet. Make sure that whichever template you use is GDPR-compliant, and that you customise it to reflect exactly what you do with personal data.

Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.

What does accountability mean in UK GDPR?

Accountability means:

• you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
• you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply

For a small business, this means you must:

• ensure a good level of understanding and awareness of data protection amongst your staff
• implement comprehensive but proportionate policies and procedures for handling personal data safely
• keep records of what you do and why

You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

How to comply with accountability obligations

The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:

1. Data protection policies

The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:

• privacy procedure and notice
• staff training policy
• information security policy
• data protection impact assessment procedure
• retention of records procedure
• subject access request form and procedure
• international data transfer procedure
• data portability procedure

Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.

2. Contracts

If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.

3. Documentation

By law, most organisations are required to maintain a record of their processing activities, covering:

• name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
• the processing purposes
• a description of the categories of individuals and categories of personal data
• the categories of recipients of personal data
• details of your transfers to third countries, including the safeguards in place
• retention schedules
• a description of your technical and organisational security measures

If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.

As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:

• information required for privacy notices
• records of consent
• controller-processor contracts
• the location of personal data
• Data Protection Impact Assessment reports
• records of personal data breaches
• information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.

4. Data protection by design and default

This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.

The UK GDPR suggests measures that may be appropriate to this, such as:

• minimising the data you collect - both in terms of volume and retention
• storing data no longer than is necessary
• storing data only for the purposes for which it is processed
• applying pseudonymisation techniques
• improving security features

To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.

5. Data protection officers (DPOs)

The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:

• you are a public authority or body
• you carry out certain types of processing activities, including:
  • regular and systematic monitoring of data subjects on a large scale
  • large-scale processing of sensitive personal data or data relating to criminal convictions and offences

This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.

A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.

Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.

6. Codes of conduct and certification

Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.

Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.

Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).

What is a data mapping audit?

A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.

The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.

How to perform a data mapping audit?

To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:

What types of personal data do you hold?

List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?

Why do you hold this data?

List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).

How did you collect this data?

List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?

How do you store it?

Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?

What do you do with this data?

How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?

Who owns and controls the data?

Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?

How long do you keep the data for?

Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?

What do you need to do to make your data processing GDPR compliant?

List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.

It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.

Data audit templates

The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:

• Download documentation template for controllers (Excel, 31K)
• Download documentation template for processors (Excel, 19K)

Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.

A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.

When is an organisation required to carry out a data protection impact assessment?

You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:

• systematic and extensive profiling with significant effects
• large-scale use of special category or criminal offence data
• systematic monitoring of publicly accessible places on a large scale

When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:

• evaluation or scoring
• automated decision-making with legal or similar significant effect
• systematic monitoring
• sensitive data or data of a highly personal nature
• data processed on a large scale
• matching or combining datasets
• data concerning vulnerable data subjects
• innovative use or applying new technological or organisational solutions
• preventing data subjects from exercising a right or using a service or contract

In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.

What type of processing is likely to result in high risk?

The ICO maintains a list of processing operations that require a DPIA. These include:

• use innovative technologies (including artificial intelligence)
• use of profiling or special category data to decide on access to services
• profiling individuals on a large scale
• processing biometric data
• processing genetic data, unless by a health professional providing health care directly to the data subject
• matching data or combining datasets from different sources
• collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
• tracking individuals' location or behaviour, including but not limited to the online environment
• profiling children or targeting marketing or online services at them
• processing data that might endanger the individual's physical health or safety in case of data breach

Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.

If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

How do you do a data protection impact assessment?

Typically, a DPIA will involve the following key steps:

• identify the need for a DPIA
• describe the processing
• consider consultation
• evaluate the necessity and proportionality
• identify data protection and related risks
• identify measures to reduce or eliminate the risks
• sign off and record the outcomes of the DPIA
• integrate data protection solutions into the project
• keep under review

You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.

You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified. 

The ICO offers a summary guidance on DPIA process.

Data protection impact assessment template

You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.

Consulting the ICO about high risk processing

If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.

In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:

• issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
• impose a limitation or ban on your intended processing

If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.

Failure to carry out data protection impact assessments

DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also support compliance with data protection by design and default obligations.

Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.

The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.

What level of security is needed under UK GDPR?

The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.

The security measures you put in place should seek to ensure that:

• the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
• the data you hold is accurate and complete in relation to why you are processing it
• the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned

Organisational security measures

Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:

• build security awareness in your organisation
• allocate responsibility for information security within your organisation
• ensure those responsible have the resources and authority to do their job effectively

An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.

Other related matters you will need to consider include:

• co-ordination between key people in your organisation
• access to premises or equipment given to anyone outside your organisation
• business continuity arrangements for the protection and recovery of personal data you hold
• periodic checks on and updates to your security measures

Technical security measures

Technical measures include both:

• physical security, which covers things like
  • protection of premises by means of alarms, lighting, CCTV
  • control of access to premises
  • disposal of paper and electronic waste
  • secure maintenance and disposal of IT equipment, mobile devices, etc
• IT security (or cyber security), extending to the security of
  • your network and information systems
  • the data you hold within your systems
  • your website, online services and applications that you use
  • your devices, including policies on the use of personal devices in the workplace

Encryption

The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:

• widely-available
• relatively low costs to implement
• available in a large variety of solutions

If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.

Password authentication

Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Therefore, any password setup that you implement must:

• be appropriate to the particular circumstances of this processing
• protect against theft of stored passwords
• protect against 'brute-force' or guessing attacks

There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.

The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.

Test your security measures

The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.

Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.

Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.

What is a breach of personal data?

A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:

• if you lose, destroy, corrupt or disclose personal data
• if someone accesses the data or passes it on without proper authorisation
• if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals

When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:

• how serious or substantial these are, and
• how likely they are to happen

In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.

Should I report a data breach?

You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:

• discrimination
• damage to reputation
• emotional distress
• identity theft or fraud
• financial or material loss
• other significant economic or social disadvantages

You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.

Telling individuals about a breach

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.

Determine the level of risk accurately

If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.

If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.

What if a processor experiences a data breach?

If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.

How long do organisations have to report data breaches?

You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.

When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:

• the nature of the breach, including:
  • the categories and approximate number of affected individuals
  • the categories and approximate number of affected data records
• the likely consequences of the breach
• the measures taken or proposed to be taken, to deal with and mitigate the breach
• the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained

Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.

How do I notify the ICO of the data breach?

To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.

Recording personal data breaches

As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.

In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.

You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.

Failing to report a data breach

Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.

You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.

Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.

If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.

Are you making a restricted transfer?

You are making a restricted transfer of personal data if:

• the UK GDPR applies to your processing of the personal data you are transferring
• you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
• the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group

Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.

Rules on transferring personal data from the UK

Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:

• Is the restricted transfer covered by adequacy regulations?
• Is the restricted transfer covered by appropriate safeguards?
• Is the restricted transfer covered by an exception?

Adequacy decisions

You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.

Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.

The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:

• an adequacy decision for Gibraltar
• an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
• partial findings of adequacy about Japan and Canada

If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.

Appropriate safeguards

Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.

The safeguards include:

• a legal instrument between public authorities or bodies
• UK Binding Corporate Rules (UK BCRs)
• data protection clauses for restricted transfer
• an approved code of conduct
• certification under an approved certification scheme
• contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
• administrative arrangements between public authorities or bodies

UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.

You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.

Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.

Exceptions on restricted transfers

If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.

Specific exemptions, or derogations, for data transfers apply when:

• the data subject explicitly consents to the transfer (and is aware of the risks)
• you have a contract with the individual and:
  • the transfer is needed for the performance of that contract
  • the contract benefits another individual whose data is being transferred
• the transfer is deemed necessary for reasons of public interest
• the transfer is necessary in relation to a legal claim
• the transfer is necessary to protect the data subject's vital interests (eg their life)
• the transfer is made from a public register created under UK law
• the transfer is a one-off and necessary for your competing legitimate interests

If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.

Rules on transferring personal data from the EEA into the UK

Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:

• the country they are sending data to is covered by an EC adequacy decision
• one of the EU GDPR appropriate safeguards is in place
• one of the list of EU GDPR exceptions applies

The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.

The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.

Standard Contractual Clauses (SCCs) for restricted transfers from the EU

In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.

Restricted data transfers from the UK

As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:

• International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
• Addendum to the EU SCCs – most likely to be used for transfers involving EU data

The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.

International Data Transfer Agreement and guidance

The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.

The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.

Find more information on the IDTA and the Addendum.

Transition period for using the IDTA and the Addendum

The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:

• SCCs for controllers to processors (Word, 124K)
• SCCs for controllers to controllers (Word, 112K)

All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.

From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.

Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.

If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).

The ICO can issue sanctions for a breach of the regulation, including:

• warnings and reprimands
• compliance orders
• bans on processing or data transfers (permanent or temporary)
• administrative fines

Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.

Fines for infringement of the UK GDPR

Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:

• a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
• a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation

The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.

How does the ICO determine the level of penalties?

The ICO will consider a number of factors when determining the level of penalties, including::

• the nature, gravity, and duration of the infringement
• the number of people affected and the extent of the damage to them
• whether the breach was intentional or negligent
• any previous history of noncompliance
• any action taken to mitigate the damage
• whether the controller notified the ICO of the infringement and co-operated

See more on reporting serious breaches of personal data.

Impact of GDPR non-compliance

The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.

You may be subject to:

• private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
• reputational damage
• loss of consumer trust

It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.

The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

• directly to you:
  • if you operate in the European Economic Area (EEA)
  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA
• to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. 

What is the UK GDPR?

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

• offering goods or services to individuals in the UK, or
• monitoring the behaviour of individuals taking place in the UK

If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Organisations (or sole traders) that determine the purpose for which personal data is processed must pay a data protection fee to the ICO, unless they are exempt.

The cost of your data protection fee depends on your size and turnover. There are three tiers of fees ranging from £40 and £2,900, but for most organisations, it will be £40 or £60. Small discount is available if you choose to pay by direct debit.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.

To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.

What is personal data?

Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:

• name
• date of birth
• identification numbers
• bank details
• addresses, including email addresses
• other location data, such as an IP address
• online identifiers

Other factors, or a combination of factors, may also identify an individual. For example:

• information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
• pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains

If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.

Sensitive personal data

Personal data may also include special categories of personal data, such as:

• data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
• data on criminal conviction and offences

These are considered to be more sensitive and you may only process them in more limited circumstances.

Does your data relate to an individual?

For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:

• the content of the data - is it directly about the individual or their activities
• the purpose you will process the data for
• the results of (or effects on) the individual from processing the data

It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.

The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).

In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.

How long can you keep personal data?

The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.

Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.

The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:

• for the least amount of time that you can
• in accordance with the requirements of your business
• stored securely while it is in your possession
• until it reaches the appointed deletion time

See more on accountability under the UK GDPR.

The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.

1. Lawfulness, fairness and transparency principle

To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:

• identify valid grounds for collecting or using personal data - known as the lawful basis
• ensure that your use of data doesn't breach any other laws
• use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
• be clear, open and honest with people about how you will use their personal data

2. Purpose limitation principle

To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:

• be clear about what your purposes for processing are from the start
• record your purposes as part of your documentation obligations
• inform individuals about your purposes to comply with transparency obligations
• ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent

3. Data minimisation principle

To comply with the third principle, you must ensure that the personal data you are processing is:

• adequate - sufficient to properly fulfil your stated purpose
• relevant - has a rational link to that purpose
• limited to what is necessary - you do not hold more than you need for that purpose

4. Accuracy principle

The accuracy principle requires you to take all reasonable steps to:

• ensure the personal data you hold or process is not incorrect or misleading
• ensure that the source and status of personal data are clear
• consider any challenges to the accuracy of information
• consider if it is necessary to periodically update the information

5. Storage limitation principle

To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:

• think about - and be able to justify - how long you keep the data depending on the purpose you need it for
• set a retention policy or schedule wherever possible, to comply with the documentation requirements
• periodically review the data you hold, and erase or anonymise it when you no longer need it
• carefully consider any challenges to your retention of data, for example when it comes to erasure

6. Integrity and confidentiality (also known as the security principle)

To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:

• against unauthorised or unlawful processing
• against accidental loss, destruction or damage
• using appropriate technical or organisational measures

7. Accountability principle

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.

To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.

There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.

Conditions for processing data under the UK GDPR

The lawful bases for processing include:

Consent

This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.

Contract

This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.

Legal obligation

This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.

Vital interests

This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.

Public task

This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Legitimate interest

This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.

Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

Why must you have a lawful basis for processing?

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.

The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

Deciding which lawful basis applies

You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

• check that the processing is necessary for the relevant purpose
• check that there is no other reasonable way to achieve this purpose
• document why you chose a particular lawful basis - to demonstrate compliance
• explain the purpose and the lawful basis for processing in your privacy notice

If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.

Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.

You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Can you switch lawful basis for processing?

It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

To satisfy the UK GDPR's accountability principle, you must keep a record of:

• which basis you are relying on for each processing purpose
• a justification for why you believe the basis applies

There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.

Find out more about documentation requirements in our guidance on accountability.

Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).

What is valid consent under the GDPR?

For consent to be valid under the UK GDPR, it must:

• be freely given - giving people genuine choice and control over how you use their data
• be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
• be obvious that the individual has consented, and what they have consented to
• require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand

Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.

When should you obtain consent under GDPR?

You may need to seek consent in a number of circumstances. For example, if:

• no other legal basis for data processing applies
• you want to use or share someone's data in unexpected or potentially intrusive ways
• you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)

Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.

Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.

When should you not use consent?

You should not use consent as your lawful basis for processing if:

• you can't offer people a genuine choice over how they use their data
• you could process data on a different lawful basis if consent is refused or withdrawn
• you ask for consent as a precondition of accessing your services
• you are in a position of power over the individual, eg an employer processing employee data

Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

How to obtain consent

You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.

You should obtain consent upfront before processing begins. As a minimum, your consent request must include:

• the name of your organisation and of any other controllers who will rely on the consent
• why you want the data (the purposes of the processing)
• what you will do with the data (the processing activities)
• that people can withdraw their consent at any time

You can use different methods to obtain consent, but you must ask people to actively opt in.

Opt-in consent

Examples of active opt-in mechanisms include:

• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Explicit consent

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.

If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.

If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.

If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.

How to record consent

Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:

• who consented
• when they consented
• what they were told at the time
• how they consented
• whether they have withdrawn consent (and if so, why)

An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.

Reviewing consent

Your obligations don't end when you get consent. You should keep your consents under review and refresh them:

• if anything changes, eg if your purposes for processing evolve
• if you rely on parental consent, when children grow up and can consent for themselves
• automatically at appropriate intervals, depending on the context, people's expectations

If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.

How long does GDPR consent last?

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Managing consent for use of personal data

In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.

You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.

What happens when someone withdraws their consent?

If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.

Consent and individuals' rights

If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:

• the right to erasure (also known as 'the right to be forgotten')
• the right to data portability
• the right to withdraw consent - which in effect operates as a right to stop the processing

See more on data subject rights under the UK GDPR.

Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.

Individuals' rights under the UK GDPR

Under the regulation, individuals can exercise:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing
8. The rights in relation to automated decision making and profiling

1. Right to be informed

This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:

• your business
• your purposes and lawful basis for processing their personal data
• who the data will be shared with, including details of international transfers
• your retention periods for that personal data
• the rights available to them in respect of processing
• the right to lodge a complaint

Depending on the type of processing you do, you may need to provide other categories of information as well. For example:

• if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
• if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent

You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.

The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.

2. Right of access (known as subject access request)

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).

Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.

If you receive a valid SAR:

• you should perform a reasonable search for the requested information
• you should respond without delay and within one month of receipt of the request
• you may extend the time limit by a further two months in certain circumstances
• you should provide the information in an accessible, concise and intelligible format
• you should disclose information securely

You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.

3. Right of rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.

If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.

4. Right to erasure (also known as the right to be forgotten)

In certain circumstances, individuals have the right to ask you to erase their personal data if:

• you have processed their data unlawfully
• you no longer need the data for the original purpose
• you rely on consent for processing or holding the data, and they withdraw it
• they exercise their right to object to processing, and you can't override their objection
• erasure is necessary for compliance with other legal obligations

If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.

Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.

5. Right to restrict processing

Individuals can ask you to restrict processing their personal data if, for example:

• they believe their data is not accurate and you are verifying the accuracy of the data
• the processing is unlawful but the individual doesn't want the data erased
• you no longer need the data but the individual needs it to exercise a legal claim
• you are taking steps to verify overriding grounds in the context of a request

If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.

If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.

6. Right to data portability

This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:

• your lawful basis for processing this information is consent or contract
• you are carrying out the processing by automated means (ie excluding paper files)

For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.

7. Right to object to processing

The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:

• a task carried out in the public interest
• the exercise of official authority vested in you, or
• your legitimate interests (or those of a third party)

In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.

If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:

• you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
• the processing is necessary in connection with legal rights

See more on the right to object.

8. Right related to automated decision making including profiling

Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:

• automated individual decision-making - ie making a decision solely by automated means without any human involvement
• profiling - automated processing of personal data to evaluate certain things about an individual

You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.

Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.

What is a subject access request (SAR)?

A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:

• can be verbal or in writing
• can be submitted by any means, eg via web form, email, letter, phone call, etc
• can be made to any part of your business, not just a specific department
• doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data

The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.

The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.

Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.

Who can request personal information?

Individuals will only be able to request access to their own personal data, unless:

• they are authorised to act on behalf of someone
• the data that relates to another person also happens to relate to them

Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.

You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.

The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.

What should be provided as part of subject access request?

Data subjects are entitled to receive:

• confirmation of whether you are processing their data
• a copy of their personal data
• other supplementary information (including mandatory privacy information)

Before responding to any request, you should establish if the information requested falls within the definition of personal data.

How to respond to a subject access request?

To comply with subject access requests, you have to:

• respond to a request without undue delay and within one month of receipt
• give information in a concise, transparent, intelligible and easily accessible form
• use clear and plain language, especially if you are disclosing information to a child
• respond electronically, if the request was made by the same means - unless asked otherwise

You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.

How long do I have to comply with SAR?

In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.

You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.

Seeking more information

If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.

If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.

Can you charge for subject access requests?

In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:

• if the request is manifestly unfounded or excessive
• if an individual requests further copies of their data following a request

Can I refuse a subject access request?

In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.

Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.

You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.

The UK General Data Protection Regulation (UK GDPR) specifies the types of information that you need to provide individuals with if you're processing personal data that relates to them. This is called 'privacy information'. It's best to have this privacy information written down in a document called a 'privacy notice'.

What are privacy notices under GDPR?

A privacy notice is essentially a public statement that explains - at the point of data collection - how you collect, process and use people's data. It helps people understand what would happen to their data if they decide to share it with you. Individuals are entitled to this information under their right to be informed.

Before you start drafting your privacy notice, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise. You must also take care that you communicate privacy information clearly, honestly and openly with the individuals.

What is in a privacy notice?

The UK GDPR prescribes the categories of information and the level of detail you must include in your privacy notice.

The key points you may need to address are:

• Who is collecting the data?
• What type of data are you collecting?
• How and why are you collecting it?
• What is the purpose and the lawful basis for processing the data?
• Who can access the information?
• Will you share the data with any third parties?
• Will you transfer the data abroad?
• What safeguards will you put in place for the security of this data?
• How will you use the information?
• How long will you store the data for?
• What rights does the data subject have, including to withdraw consent?
• How can the individual raise a complaint?
• Will you be making automated decisions about the individual, including profiling?

What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to, or obtain it from another source. The Information Commissioner's Office (ICO) has detailed guidance on privacy information, explaining exactly what information you are required to include.

When should privacy information be issued?

The UK GDPR says that you must provide individuals with privacy information at the point of data collection if:

• you are collecting information directly from individuals (eg when they fill in a form)
• you are collecting data by observation (eg using CCTV or tracking people online)

Often, this happens as part of obtaining consent from the user or telling them about legitimate interests.

If you're obtaining information about an individual from a third party, or from a publicly accessible source, you should provide privacy information within a reasonable period after obtaining the personal data, but at the latest within one month.

If, for instance, you plan on:

• using personal data you obtained from a third party or online source to communicate with the individual it relates to, you must provide personal information when the first communication takes place
• disclosing an individual's personal data to someone else, you must provide a privacy notice that includes details of the sharing before you disclose the data

If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people's attention.

Ways to provide privacy information

You can use a number of techniques to provide people with privacy information. For example:

• a layered approach - short notices containing key privacy information that have additional layers of more detailed information
• just-in-time notices - providing information at certain points of data collection (eg during purchasing or interaction)
• icons and symbols - to indicate that a particular type of data processing is occurring
• dashboards - preference management tools that inform people how you use their data and allow them to manage what happens with it
• mobile and smart device functionalities - eg pop-ups, voice alerts and mobile device gestures

You can also use a blended approach. Using more than one of these techniques is often the most effective way to provide privacy information. See common issues you may encounter around privacy information.

UK GDPR privacy notice templates

You can use our sample privacy notice document and customise it to fit the circumstances of your business and the type of processing that you do.

Alternatively, you can download the ICO's template to help build your own privacy notice (DOC, 38K). The template is especially suitable for small businesses, sole traders and community groups.

Other templates are available on the internet. Make sure that whichever template you use is GDPR-compliant, and that you customise it to reflect exactly what you do with personal data.

Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.

What does accountability mean in UK GDPR?

Accountability means:

• you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
• you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply

For a small business, this means you must:

• ensure a good level of understanding and awareness of data protection amongst your staff
• implement comprehensive but proportionate policies and procedures for handling personal data safely
• keep records of what you do and why

You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

How to comply with accountability obligations

The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:

1. Data protection policies

The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:

• privacy procedure and notice
• staff training policy
• information security policy
• data protection impact assessment procedure
• retention of records procedure
• subject access request form and procedure
• international data transfer procedure
• data portability procedure

Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.

2. Contracts

If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.

3. Documentation

By law, most organisations are required to maintain a record of their processing activities, covering:

• name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
• the processing purposes
• a description of the categories of individuals and categories of personal data
• the categories of recipients of personal data
• details of your transfers to third countries, including the safeguards in place
• retention schedules
• a description of your technical and organisational security measures

If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.

As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:

• information required for privacy notices
• records of consent
• controller-processor contracts
• the location of personal data
• Data Protection Impact Assessment reports
• records of personal data breaches
• information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.

4. Data protection by design and default

This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.

The UK GDPR suggests measures that may be appropriate to this, such as:

• minimising the data you collect - both in terms of volume and retention
• storing data no longer than is necessary
• storing data only for the purposes for which it is processed
• applying pseudonymisation techniques
• improving security features

To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.

5. Data protection officers (DPOs)

The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:

• you are a public authority or body
• you carry out certain types of processing activities, including:
  • regular and systematic monitoring of data subjects on a large scale
  • large-scale processing of sensitive personal data or data relating to criminal convictions and offences

This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.

A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.

Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.

6. Codes of conduct and certification

Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.

Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.

Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).

What is a data mapping audit?

A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.

The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.

How to perform a data mapping audit?

To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:

What types of personal data do you hold?

List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?

Why do you hold this data?

List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).

How did you collect this data?

List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?

How do you store it?

Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?

What do you do with this data?

How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?

Who owns and controls the data?

Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?

How long do you keep the data for?

Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?

What do you need to do to make your data processing GDPR compliant?

List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.

It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.

Data audit templates

The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:

• Download documentation template for controllers (Excel, 31K)
• Download documentation template for processors (Excel, 19K)

Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.

A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.

When is an organisation required to carry out a data protection impact assessment?

You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:

• systematic and extensive profiling with significant effects
• large-scale use of special category or criminal offence data
• systematic monitoring of publicly accessible places on a large scale

When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:

• evaluation or scoring
• automated decision-making with legal or similar significant effect
• systematic monitoring
• sensitive data or data of a highly personal nature
• data processed on a large scale
• matching or combining datasets
• data concerning vulnerable data subjects
• innovative use or applying new technological or organisational solutions
• preventing data subjects from exercising a right or using a service or contract

In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.

What type of processing is likely to result in high risk?

The ICO maintains a list of processing operations that require a DPIA. These include:

• use innovative technologies (including artificial intelligence)
• use of profiling or special category data to decide on access to services
• profiling individuals on a large scale
• processing biometric data
• processing genetic data, unless by a health professional providing health care directly to the data subject
• matching data or combining datasets from different sources
• collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
• tracking individuals' location or behaviour, including but not limited to the online environment
• profiling children or targeting marketing or online services at them
• processing data that might endanger the individual's physical health or safety in case of data breach

Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.

If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

How do you do a data protection impact assessment?

Typically, a DPIA will involve the following key steps:

• identify the need for a DPIA
• describe the processing
• consider consultation
• evaluate the necessity and proportionality
• identify data protection and related risks
• identify measures to reduce or eliminate the risks
• sign off and record the outcomes of the DPIA
• integrate data protection solutions into the project
• keep under review

You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.

You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified. 

The ICO offers a summary guidance on DPIA process.

Data protection impact assessment template

You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.

Consulting the ICO about high risk processing

If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.

In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:

• issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
• impose a limitation or ban on your intended processing

If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.

Failure to carry out data protection impact assessments

DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also support compliance with data protection by design and default obligations.

Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.

The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.

What level of security is needed under UK GDPR?

The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.

The security measures you put in place should seek to ensure that:

• the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
• the data you hold is accurate and complete in relation to why you are processing it
• the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned

Organisational security measures

Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:

• build security awareness in your organisation
• allocate responsibility for information security within your organisation
• ensure those responsible have the resources and authority to do their job effectively

An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.

Other related matters you will need to consider include:

• co-ordination between key people in your organisation
• access to premises or equipment given to anyone outside your organisation
• business continuity arrangements for the protection and recovery of personal data you hold
• periodic checks on and updates to your security measures

Technical security measures

Technical measures include both:

• physical security, which covers things like
  • protection of premises by means of alarms, lighting, CCTV
  • control of access to premises
  • disposal of paper and electronic waste
  • secure maintenance and disposal of IT equipment, mobile devices, etc
• IT security (or cyber security), extending to the security of
  • your network and information systems
  • the data you hold within your systems
  • your website, online services and applications that you use
  • your devices, including policies on the use of personal devices in the workplace

Encryption

The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:

• widely-available
• relatively low costs to implement
• available in a large variety of solutions

If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.

Password authentication

Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Therefore, any password setup that you implement must:

• be appropriate to the particular circumstances of this processing
• protect against theft of stored passwords
• protect against 'brute-force' or guessing attacks

There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.

The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.

Test your security measures

The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.

Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.

Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.

What is a breach of personal data?

A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:

• if you lose, destroy, corrupt or disclose personal data
• if someone accesses the data or passes it on without proper authorisation
• if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals

When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:

• how serious or substantial these are, and
• how likely they are to happen

In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.

Should I report a data breach?

You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:

• discrimination
• damage to reputation
• emotional distress
• identity theft or fraud
• financial or material loss
• other significant economic or social disadvantages

You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.

Telling individuals about a breach

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.

Determine the level of risk accurately

If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.

If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.

What if a processor experiences a data breach?

If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.

How long do organisations have to report data breaches?

You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.

When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:

• the nature of the breach, including:
  • the categories and approximate number of affected individuals
  • the categories and approximate number of affected data records
• the likely consequences of the breach
• the measures taken or proposed to be taken, to deal with and mitigate the breach
• the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained

Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.

How do I notify the ICO of the data breach?

To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.

Recording personal data breaches

As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.

In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.

You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.

Failing to report a data breach

Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.

You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.

Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.

If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.

Are you making a restricted transfer?

You are making a restricted transfer of personal data if:

• the UK GDPR applies to your processing of the personal data you are transferring
• you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
• the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group

Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.

Rules on transferring personal data from the UK

Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:

• Is the restricted transfer covered by adequacy regulations?
• Is the restricted transfer covered by appropriate safeguards?
• Is the restricted transfer covered by an exception?

Adequacy decisions

You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.

Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.

The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:

• an adequacy decision for Gibraltar
• an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
• partial findings of adequacy about Japan and Canada

If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.

Appropriate safeguards

Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.

The safeguards include:

• a legal instrument between public authorities or bodies
• UK Binding Corporate Rules (UK BCRs)
• data protection clauses for restricted transfer
• an approved code of conduct
• certification under an approved certification scheme
• contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
• administrative arrangements between public authorities or bodies

UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.

You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.

Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.

Exceptions on restricted transfers

If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.

Specific exemptions, or derogations, for data transfers apply when:

• the data subject explicitly consents to the transfer (and is aware of the risks)
• you have a contract with the individual and:
  • the transfer is needed for the performance of that contract
  • the contract benefits another individual whose data is being transferred
• the transfer is deemed necessary for reasons of public interest
• the transfer is necessary in relation to a legal claim
• the transfer is necessary to protect the data subject's vital interests (eg their life)
• the transfer is made from a public register created under UK law
• the transfer is a one-off and necessary for your competing legitimate interests

If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.

Rules on transferring personal data from the EEA into the UK

Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:

• the country they are sending data to is covered by an EC adequacy decision
• one of the EU GDPR appropriate safeguards is in place
• one of the list of EU GDPR exceptions applies

The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.

The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.

Standard Contractual Clauses (SCCs) for restricted transfers from the EU

In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.

Restricted data transfers from the UK

As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:

• International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
• Addendum to the EU SCCs – most likely to be used for transfers involving EU data

The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.

International Data Transfer Agreement and guidance

The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.

The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.

Find more information on the IDTA and the Addendum.

Transition period for using the IDTA and the Addendum

The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:

• SCCs for controllers to processors (Word, 124K)
• SCCs for controllers to controllers (Word, 112K)

All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.

From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.

Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.

If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).

The ICO can issue sanctions for a breach of the regulation, including:

• warnings and reprimands
• compliance orders
• bans on processing or data transfers (permanent or temporary)
• administrative fines

Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.

Fines for infringement of the UK GDPR

Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:

• a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
• a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation

The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.

How does the ICO determine the level of penalties?

The ICO will consider a number of factors when determining the level of penalties, including::

• the nature, gravity, and duration of the infringement
• the number of people affected and the extent of the damage to them
• whether the breach was intentional or negligent
• any previous history of noncompliance
• any action taken to mitigate the damage
• whether the controller notified the ICO of the infringement and co-operated

See more on reporting serious breaches of personal data.

Impact of GDPR non-compliance

The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.

You may be subject to:

• private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
• reputational damage
• loss of consumer trust

It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.

The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

• directly to you:
  • if you operate in the European Economic Area (EEA)
  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA
• to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. 

What is the UK GDPR?

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

• offering goods or services to individuals in the UK, or
• monitoring the behaviour of individuals taking place in the UK

If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Organisations (or sole traders) that determine the purpose for which personal data is processed must pay a data protection fee to the ICO, unless they are exempt.

The cost of your data protection fee depends on your size and turnover. There are three tiers of fees ranging from £40 and £2,900, but for most organisations, it will be £40 or £60. Small discount is available if you choose to pay by direct debit.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.

To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.

What is personal data?

Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:

• name
• date of birth
• identification numbers
• bank details
• addresses, including email addresses
• other location data, such as an IP address
• online identifiers

Other factors, or a combination of factors, may also identify an individual. For example:

• information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
• pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains

If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.

Sensitive personal data

Personal data may also include special categories of personal data, such as:

• data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
• data on criminal conviction and offences

These are considered to be more sensitive and you may only process them in more limited circumstances.

Does your data relate to an individual?

For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:

• the content of the data - is it directly about the individual or their activities
• the purpose you will process the data for
• the results of (or effects on) the individual from processing the data

It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.

The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).

In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.

How long can you keep personal data?

The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.

Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.

The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:

• for the least amount of time that you can
• in accordance with the requirements of your business
• stored securely while it is in your possession
• until it reaches the appointed deletion time

See more on accountability under the UK GDPR.

The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.

1. Lawfulness, fairness and transparency principle

To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:

• identify valid grounds for collecting or using personal data - known as the lawful basis
• ensure that your use of data doesn't breach any other laws
• use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
• be clear, open and honest with people about how you will use their personal data

2. Purpose limitation principle

To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:

• be clear about what your purposes for processing are from the start
• record your purposes as part of your documentation obligations
• inform individuals about your purposes to comply with transparency obligations
• ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent

3. Data minimisation principle

To comply with the third principle, you must ensure that the personal data you are processing is:

• adequate - sufficient to properly fulfil your stated purpose
• relevant - has a rational link to that purpose
• limited to what is necessary - you do not hold more than you need for that purpose

4. Accuracy principle

The accuracy principle requires you to take all reasonable steps to:

• ensure the personal data you hold or process is not incorrect or misleading
• ensure that the source and status of personal data are clear
• consider any challenges to the accuracy of information
• consider if it is necessary to periodically update the information

5. Storage limitation principle

To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:

• think about - and be able to justify - how long you keep the data depending on the purpose you need it for
• set a retention policy or schedule wherever possible, to comply with the documentation requirements
• periodically review the data you hold, and erase or anonymise it when you no longer need it
• carefully consider any challenges to your retention of data, for example when it comes to erasure

6. Integrity and confidentiality (also known as the security principle)

To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:

• against unauthorised or unlawful processing
• against accidental loss, destruction or damage
• using appropriate technical or organisational measures

7. Accountability principle

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.

To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.

There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.

Conditions for processing data under the UK GDPR

The lawful bases for processing include:

Consent

This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.

Contract

This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.

Legal obligation

This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.

Vital interests

This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.

Public task

This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Legitimate interest

This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.

Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

Why must you have a lawful basis for processing?

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.

The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

Deciding which lawful basis applies

You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

• check that the processing is necessary for the relevant purpose
• check that there is no other reasonable way to achieve this purpose
• document why you chose a particular lawful basis - to demonstrate compliance
• explain the purpose and the lawful basis for processing in your privacy notice

If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.

Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.

You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Can you switch lawful basis for processing?

It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

To satisfy the UK GDPR's accountability principle, you must keep a record of:

• which basis you are relying on for each processing purpose
• a justification for why you believe the basis applies

There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.

Find out more about documentation requirements in our guidance on accountability.

Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).

What is valid consent under the GDPR?

For consent to be valid under the UK GDPR, it must:

• be freely given - giving people genuine choice and control over how you use their data
• be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
• be obvious that the individual has consented, and what they have consented to
• require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand

Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.

When should you obtain consent under GDPR?

You may need to seek consent in a number of circumstances. For example, if:

• no other legal basis for data processing applies
• you want to use or share someone's data in unexpected or potentially intrusive ways
• you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)

Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.

Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.

When should you not use consent?

You should not use consent as your lawful basis for processing if:

• you can't offer people a genuine choice over how they use their data
• you could process data on a different lawful basis if consent is refused or withdrawn
• you ask for consent as a precondition of accessing your services
• you are in a position of power over the individual, eg an employer processing employee data

Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

How to obtain consent

You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.

You should obtain consent upfront before processing begins. As a minimum, your consent request must include:

• the name of your organisation and of any other controllers who will rely on the consent
• why you want the data (the purposes of the processing)
• what you will do with the data (the processing activities)
• that people can withdraw their consent at any time

You can use different methods to obtain consent, but you must ask people to actively opt in.

Opt-in consent

Examples of active opt-in mechanisms include:

• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Explicit consent

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.

If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.

If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.

If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.

How to record consent

Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:

• who consented
• when they consented
• what they were told at the time
• how they consented
• whether they have withdrawn consent (and if so, why)

An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.

Reviewing consent

Your obligations don't end when you get consent. You should keep your consents under review and refresh them:

• if anything changes, eg if your purposes for processing evolve
• if you rely on parental consent, when children grow up and can consent for themselves
• automatically at appropriate intervals, depending on the context, people's expectations

If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.

How long does GDPR consent last?

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Managing consent for use of personal data

In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.

You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.

What happens when someone withdraws their consent?

If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.

Consent and individuals' rights

If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:

• the right to erasure (also known as 'the right to be forgotten')
• the right to data portability
• the right to withdraw consent - which in effect operates as a right to stop the processing

See more on data subject rights under the UK GDPR.

Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.

Individuals' rights under the UK GDPR

Under the regulation, individuals can exercise:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing
8. The rights in relation to automated decision making and profiling

1. Right to be informed

This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:

• your business
• your purposes and lawful basis for processing their personal data
• who the data will be shared with, including details of international transfers
• your retention periods for that personal data
• the rights available to them in respect of processing
• the right to lodge a complaint

Depending on the type of processing you do, you may need to provide other categories of information as well. For example:

• if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
• if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent

You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.

The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.

2. Right of access (known as subject access request)

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).

Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.

If you receive a valid SAR:

• you should perform a reasonable search for the requested information
• you should respond without delay and within one month of receipt of the request
• you may extend the time limit by a further two months in certain circumstances
• you should provide the information in an accessible, concise and intelligible format
• you should disclose information securely

You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.

3. Right of rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.

If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.

4. Right to erasure (also known as the right to be forgotten)

In certain circumstances, individuals have the right to ask you to erase their personal data if:

• you have processed their data unlawfully
• you no longer need the data for the original purpose
• you rely on consent for processing or holding the data, and they withdraw it
• they exercise their right to object to processing, and you can't override their objection
• erasure is necessary for compliance with other legal obligations

If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.

Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.

5. Right to restrict processing

Individuals can ask you to restrict processing their personal data if, for example:

• they believe their data is not accurate and you are verifying the accuracy of the data
• the processing is unlawful but the individual doesn't want the data erased
• you no longer need the data but the individual needs it to exercise a legal claim
• you are taking steps to verify overriding grounds in the context of a request

If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.

If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.

6. Right to data portability

This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:

• your lawful basis for processing this information is consent or contract
• you are carrying out the processing by automated means (ie excluding paper files)

For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.

7. Right to object to processing

The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:

• a task carried out in the public interest
• the exercise of official authority vested in you, or
• your legitimate interests (or those of a third party)

In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.

If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:

• you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
• the processing is necessary in connection with legal rights

See more on the right to object.

8. Right related to automated decision making including profiling

Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:

• automated individual decision-making - ie making a decision solely by automated means without any human involvement
• profiling - automated processing of personal data to evaluate certain things about an individual

You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.

Subject access is a fundamental right of individuals under the UK General Data Protection Regulation (UK GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a subject access request at some point.

What is a subject access request (SAR)?

A subject access request is the right of an individual to request a copy of any personal information you may hold on them. The request:

• can be verbal or in writing
• can be submitted by any means, eg via web form, email, letter, phone call, etc
• can be made to any part of your business, not just a specific department
• doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data

The UK GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.

The Information Commissioner's Office (ICO) offers a free service to assist both individuals and businesses in the SARs process.

Through the 'Make a SAR' service, individuals can submit SAR requests directly through the ICO website. Once submitted, organisations will receive an ICO-branded email containing the request details and guidance on how to respond.

Who can request personal information?

Individuals will only be able to request access to their own personal data, unless:

• they are authorised to act on behalf of someone
• the data that relates to another person also happens to relate to them

Under the UK GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for the minimum information necessary to confirm who they are.

You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.

The ICO has a series of Q&As clarifying requirements for a valid subject access request and the rules around compliance when dealing with SARs. You can find these Q&As on the ICO website.

What should be provided as part of subject access request?

Data subjects are entitled to receive:

• confirmation of whether you are processing their data
• a copy of their personal data
• other supplementary information (including mandatory privacy information)

Before responding to any request, you should establish if the information requested falls within the definition of personal data.

How to respond to a subject access request?

To comply with subject access requests, you have to:

• respond to a request without undue delay and within one month of receipt
• give information in a concise, transparent, intelligible and easily accessible form
• use clear and plain language, especially if you are disclosing information to a child
• respond electronically, if the request was made by the same means - unless asked otherwise

You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.

How long do I have to comply with SAR?

In most cases, you have one calendar month from receiving the request to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the ICO.

You can extend the timescale to respond by a further two months if the request is complex or you have received a number of requests from the individual.

Seeking more information

If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one-month mark for responding to the request begins when you receive the additional information.

If you request information to verify an individual's identity, the timescale for responding to a subject access request does not begin until you have received the requested information.

Can you charge for subject access requests?

In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a 'reasonable fee' for the administrative costs of complying with the request:

• if the request is manifestly unfounded or excessive
• if an individual requests further copies of their data following a request

Can I refuse a subject access request?

In some cases, you may be able to refuse to grant an access request. For example, if you receive a request for information containing personal data of more than one individual.

Where possible, you should comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request unless the other individual consents to the disclosure, or it is reasonable to comply with the request without that individual's consent.

You may also be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria. Find further information on subject access requests.

The UK General Data Protection Regulation (UK GDPR) specifies the types of information that you need to provide individuals with if you're processing personal data that relates to them. This is called 'privacy information'. It's best to have this privacy information written down in a document called a 'privacy notice'.

What are privacy notices under GDPR?

A privacy notice is essentially a public statement that explains - at the point of data collection - how you collect, process and use people's data. It helps people understand what would happen to their data if they decide to share it with you. Individuals are entitled to this information under their right to be informed.

Before you start drafting your privacy notice, you need to know what personal data you have and what you do with it. To help you with this you may need to do an information audit or data mapping exercise. You must also take care that you communicate privacy information clearly, honestly and openly with the individuals.

What is in a privacy notice?

The UK GDPR prescribes the categories of information and the level of detail you must include in your privacy notice.

The key points you may need to address are:

• Who is collecting the data?
• What type of data are you collecting?
• How and why are you collecting it?
• What is the purpose and the lawful basis for processing the data?
• Who can access the information?
• Will you share the data with any third parties?
• Will you transfer the data abroad?
• What safeguards will you put in place for the security of this data?
• How will you use the information?
• How long will you store the data for?
• What rights does the data subject have, including to withdraw consent?
• How can the individual raise a complaint?
• Will you be making automated decisions about the individual, including profiling?

What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to, or obtain it from another source. The Information Commissioner's Office (ICO) has detailed guidance on privacy information, explaining exactly what information you are required to include.

When should privacy information be issued?

The UK GDPR says that you must provide individuals with privacy information at the point of data collection if:

• you are collecting information directly from individuals (eg when they fill in a form)
• you are collecting data by observation (eg using CCTV or tracking people online)

Often, this happens as part of obtaining consent from the user or telling them about legitimate interests.

If you're obtaining information about an individual from a third party, or from a publicly accessible source, you should provide privacy information within a reasonable period after obtaining the personal data, but at the latest within one month.

If, for instance, you plan on:

• using personal data you obtained from a third party or online source to communicate with the individual it relates to, you must provide personal information when the first communication takes place
• disclosing an individual's personal data to someone else, you must provide a privacy notice that includes details of the sharing before you disclose the data

If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people's attention.

Ways to provide privacy information

You can use a number of techniques to provide people with privacy information. For example:

• a layered approach - short notices containing key privacy information that have additional layers of more detailed information
• just-in-time notices - providing information at certain points of data collection (eg during purchasing or interaction)
• icons and symbols - to indicate that a particular type of data processing is occurring
• dashboards - preference management tools that inform people how you use their data and allow them to manage what happens with it
• mobile and smart device functionalities - eg pop-ups, voice alerts and mobile device gestures

You can also use a blended approach. Using more than one of these techniques is often the most effective way to provide privacy information. See common issues you may encounter around privacy information.

UK GDPR privacy notice templates

You can use our sample privacy notice document and customise it to fit the circumstances of your business and the type of processing that you do.

Alternatively, you can download the ICO's template to help build your own privacy notice (DOC, 38K). The template is especially suitable for small businesses, sole traders and community groups.

Other templates are available on the internet. Make sure that whichever template you use is GDPR-compliant, and that you customise it to reflect exactly what you do with personal data.

Accountability is one of the data protection principles under the UK General Data Protection Regulation (UK GDPR). It gives you an opportunity to demonstrate how you respect people's privacy and comply with data protection laws.

What does accountability mean in UK GDPR?

Accountability means:

• you are responsible for complying with the UK GDPR - ie you are proactive and organised in your approach to data protection
• you must be able to demonstrate your compliance - ie you must provide evidence of the steps you take to comply

For a small business, this means you must:

• ensure a good level of understanding and awareness of data protection amongst your staff
• implement comprehensive but proportionate policies and procedures for handling personal data safely
• keep records of what you do and why

You also need to put in place appropriate technical and organisational measures to meet the requirements of accountability.

How to comply with accountability obligations

The UK GDPR does not specify an exhaustive list of things you need to do to be accountable. However, it does set out several different measures you can take that will help you get there:

1. Data protection policies

The UK GDPR explicitly says that, where proportionate, implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. What you have policies for, and their level of detail, depends on what you do with personal data. It can include:

• privacy procedure and notice
• staff training policy
• information security policy
• data protection impact assessment procedure
• retention of records procedure
• subject access request form and procedure
• international data transfer procedure
• data portability procedure

Review regularly and, where necessary, update your internal policies and procedures to ensure they are fit for purpose.

2. Contracts

If other organisations process personal data on your behalf, you must have a written contract (or other legal act) in place with them. The contract sets out the responsibilities and liabilities of both the controller and the processor. The UK GDPR sets out what needs to be included in the contract.

3. Documentation

By law, most organisations are required to maintain a record of their processing activities, covering:

• name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer)
• the processing purposes
• a description of the categories of individuals and categories of personal data
• the categories of recipients of personal data
• details of your transfers to third countries, including the safeguards in place
• retention schedules
• a description of your technical and organisational security measures

If you have 250 or more employees, you must document all your processing activities. If you have fewer than 250 employees, you only need to document processing activities that are not occasional, could result in a risk to the rights and freedoms of individuals, and involve the processing of special categories of data or criminal conviction and offence data.

As part of your record of processing activities, you may also want to document other aspects of your compliance with the UK GDPR. For instance:

• information required for privacy notices
• records of consent
• controller-processor contracts
• the location of personal data
• Data Protection Impact Assessment reports
• records of personal data breaches
• information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018

Doing an information audit or data-mapping exercise can help you find out what personal data your organisation holds and where it is. You can start this by using our UK GDPR data protection audit: checklist or consult the Information Commissioner's Office's (ICO) guidance and templates on documentation.

4. Data protection by design and default

This requires you to embed data protection into everything you do, throughout all your processing operations. For example, designing new products or services with data protection compliance in mind.

The UK GDPR suggests measures that may be appropriate to this, such as:

• minimising the data you collect - both in terms of volume and retention
• storing data no longer than is necessary
• storing data only for the purposes for which it is processed
• applying pseudonymisation techniques
• improving security features

To comply with the 'by design and default' approach, you should also carry out a data protection impact assessment (DPIA), where necessary. For more, see the ICO's guide on data protection by design and default.

5. Data protection officers (DPOs)

The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if:

• you are a public authority or body
• you carry out certain types of processing activities, including:
  • regular and systematic monitoring of data subjects on a large scale
  • large-scale processing of sensitive personal data or data relating to criminal convictions and offences

This applies to both controllers and processors. Even if you aren't required to, you can voluntarily appoint a DPO.

A DPO can be an existing employee or externally appointed, however they must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO will help you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the ICO.

Find detailed guidance on appointing a DPO or take the ICO's questionnaire to find out if your organisation needs a DPO.

6. Codes of conduct and certification

Certification is a way to demonstrate that your processing activities comply with the UK GDPR requirements. Certification criteria are approved by the ICO and certification is issued by accredited certification bodies. Codes of conduct are voluntary accountability tools within particular sectors, drawn up by trade associations and other representative bodies.

Adhering to ICO-approved codes of conduct and certification schemes can show that you apply the UK GDPR effectively. It can also help you to demonstrate your compliance. Read more about accountability and governance under the UK GDPR.

Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).

What is a data mapping audit?

A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.

The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.

How to perform a data mapping audit?

To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:

What types of personal data do you hold?

List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?

Why do you hold this data?

List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).

How did you collect this data?

List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?

How do you store it?

Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?

What do you do with this data?

How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?

Who owns and controls the data?

Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?

How long do you keep the data for?

Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?

What do you need to do to make your data processing GDPR compliant?

List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.

It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.

Data audit templates

The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:

• Download documentation template for controllers (Excel, 31K)
• Download documentation template for processors (Excel, 19K)

Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.

A data protection impact assessment (DPIA) is a process to help you identify, assess and minimise the data protection risks of a project. A DPIA should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.

When is an organisation required to carry out a data protection impact assessment?

You must carry out a DPIA for processing that is likely to result in a high risk to individuals. In particular, the UK GDPR says three categories of processing will always require a DPIA:

• systematic and extensive profiling with significant effects
• large-scale use of special category or criminal offence data
• systematic monitoring of publicly accessible places on a large scale

When considering if your processing is likely to result in high risk, you should check against the nine indicators of likely high risk processing outlined in the relevant European guidelines*:

• evaluation or scoring
• automated decision-making with legal or similar significant effect
• systematic monitoring
• sensitive data or data of a highly personal nature
• data processed on a large scale
• matching or combining datasets
• data concerning vulnerable data subjects
• innovative use or applying new technological or organisational solutions
• preventing data subjects from exercising a right or using a service or contract

In most cases, a combination of two of these factors indicates the need for a DPIA. However, this is not a strict rule. In some cases, you may need to do a DPIA if only one factor is present - and it is good practice to do so.

What type of processing is likely to result in high risk?

The ICO maintains a list of processing operations that require a DPIA. These include:

• use innovative technologies (including artificial intelligence)
• use of profiling or special category data to decide on access to services
• profiling individuals on a large scale
• processing biometric data
• processing genetic data, unless by a health professional providing health care directly to the data subject
• matching data or combining datasets from different sources
• collecting personal data from a source other than the individual without providing them with a privacy notice ('invisible processing')
• tracking individuals' location or behaviour, including but not limited to the online environment
• profiling children or targeting marketing or online services at them
• processing data that might endanger the individual's physical health or safety in case of data breach

Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other factors, or any of the nine criteria in the EU guidelines referred to above. See examples of processing that is likely to result in a high risk to an individual.

If in doubt, you can use the ICO's screening checklist to help you decide if you need to do a DPIA. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

How do you do a data protection impact assessment?

Typically, a DPIA will involve the following key steps:

• identify the need for a DPIA
• describe the processing
• consider consultation
• evaluate the necessity and proportionality
• identify data protection and related risks
• identify measures to reduce or eliminate the risks
• sign off and record the outcomes of the DPIA
• integrate data protection solutions into the project
• keep under review

You must seek the advice of your data protection officer (if you have one), and consult with individuals and other stakeholders throughout this process.

You should carry out a DPIA as early as possible within any new project or product. This will allow you to incorporate its findings and recommendations into the design of the data processing.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to indicate that all risks have been eradicated, but it should help you document them and assess whether or not any remaining risks are justified. 

The ICO offers a summary guidance on DPIA process.

Data protection impact assessment template

You can use or adapt the ICO's sample DPIA template (DOC, 54K), or create your own based on the criteria outlined above.

Consulting the ICO about high risk processing

If, through your DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing. You need to send them a copy of your DPIA. They will then advise you whether the risks are acceptable, or if you need to take further action.

In some cases, they may also issue an official warning alongside any advice. If the ICO is concerned that your intended processing is likely to contravene UK GDPR, they may:

• issue a warning, explaining the reasons for concern and the steps you need to take to avoid breaching the law
• impose a limitation or ban on your intended processing

If you are able to mitigate the high risk you identified through the DPIA, then you won't need to contact the ICO.

Failure to carry out data protection impact assessments

DPIAs are an essential part of your accountability obligations and a legal requirement for processing likely to result in a high risk to the rights and freedoms of individuals. They also support compliance with data protection by design and default obligations.

Failure to carry out a DPIA when required may leave you open to enforcement action, including UK GDPR penalties and fines.

The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. This means you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.

The security principle concerns integrity, confidentiality and availability of personal data, and takes into account cyber security, physical safety and organisational security.

What level of security is needed under UK GDPR?

The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.

The security measures you put in place should seek to ensure that:

• the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them)
• the data you hold is accurate and complete in relation to why you are processing it
• the data remains accessible and usable, ie if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned

Organisational security measures

Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:

• build security awareness in your organisation
• allocate responsibility for information security within your organisation
• ensure those responsible have the resources and authority to do their job effectively

An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.

Other related matters you will need to consider include:

• co-ordination between key people in your organisation
• access to premises or equipment given to anyone outside your organisation
• business continuity arrangements for the protection and recovery of personal data you hold
• periodic checks on and updates to your security measures

Technical security measures

Technical measures include both:

• physical security, which covers things like
  • protection of premises by means of alarms, lighting, CCTV
  • control of access to premises
  • disposal of paper and electronic waste
  • secure maintenance and disposal of IT equipment, mobile devices, etc
• IT security (or cyber security), extending to the security of
  • your network and information systems
  • the data you hold within your systems
  • your website, online services and applications that you use
  • your devices, including policies on the use of personal devices in the workplace

Encryption

The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:

• widely-available
• relatively low costs to implement
• available in a large variety of solutions

If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.

Password authentication

Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Therefore, any password setup that you implement must:

• be appropriate to the particular circumstances of this processing
• protect against theft of stored passwords
• protect against 'brute-force' or guessing attacks

There are a number of additional considerations you will need to take into account when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. Find out more about password-based authentication schemes for online services.

The ICO and the National Cyber Security Centre have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.

Test your security measures

The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.

Whatever form of testing you undertake, you should document the results, act upon any findings (or have a valid reason if not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when considering fines in case of a breach.

Under the UK General Data Protection Regulation (UK GDPR), businesses must report a personal data breach if it's likely to result in a risk to people's rights and freedoms.

What is a breach of personal data?

A personal data breach can be any type of security incident, deliberate or accidental, which affects the confidentiality, integrity or availability of personal data. For example, a breach may happen:

• if you lose, destroy, corrupt or disclose personal data
• if someone accesses the data or passes it on without proper authorisation
• if the data is made unavailable (eg through ransomware, or accidental loss or damage) and this unavailability has a significant negative effect on individuals

When a security incident takes place, you should quickly establish whether a personal data breach has occurred. The focus of your assessment should be the potential adverse consequences for individuals, based on:

• how serious or substantial these are, and
• how likely they are to happen

In some cases, you will have to tell the Information Commissioner's Office (ICO) about the breach or inform the individuals affected by it.

Should I report a data breach?

You do not need to report every data breach to the ICO. However, if the data breach is likely to pose risk to people's rights and freedoms, you will have to report it. This may be, for example, if the situation is likely to cause:

• discrimination
• damage to reputation
• emotional distress
• identity theft or fraud
• financial or material loss
• other significant economic or social disadvantages

You may also have to report the breach under other laws, such as the Privacy and Electronic Communications Regulation (PECR) or e-privacy regulation.

Telling individuals about a breach

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. You should do this as soon as possible - particularly if there is a need to mitigate an immediate risk.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

The ICO has the power to compel you to inform affected individuals if they consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the GDPR accountability principle.

Determine the level of risk accurately

If you can't tell whether the situation poses a significant risk, or who is affected by the breach, the ICO will be able to advise you.

If you consider the incident low risk and unlikely to affect individuals adversely, you may choose not to report it to the ICO. However, in this case, you should document your decision and actions so that you can justify them later, if the need arises.

What if a processor experiences a data breach?

If your organisation uses a data processor, and this processor suffers a breach, they must inform you without undue delay as soon as they become aware of the breach. You should set out the requirements on breach reporting in your contract with them, as required by the UK GDPR. See more on contracts and liabilities between controllers and processors.

How long do organisations have to report data breaches?

You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give the ICO reasons for the delay.

When reporting a breach, the UK GDPR requires you to provide the ICO with a description of:

• the nature of the breach, including:
  • the categories and approximate number of affected individuals
  • the categories and approximate number of affected data records
• the likely consequences of the breach
• the measures taken or proposed to be taken, to deal with and mitigate the breach
• the name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained

Even if you don't have all the details available within the prescribed 72 hours, you should contact the ICO about the breach as soon as possible. You will be able to give them additional information later, as long as you are doing all you can to prioritise the investigation and deal with the breach appropriately.

How do I notify the ICO of the data breach?

To notify the ICO of a personal data breach, follow their self-assessment tool and guidance on reporting a breach.

Recording personal data breaches

As part of your obligation to comply with the accountability principle under the UK GDPR, you should ensure that you record all breaches, regardless of whether or not they need to be reported to the ICO. You should document the facts regarding the breach, its effects and the remedial action taken.

In addition to reporting and recording breaches, you may have additional notification obligations under other laws if you experience a personal data breach. For example, if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider.

You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.

Failing to report a data breach

Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO's other corrective powers under the UK GDPR.

You can avoid fines and penalties if you are open and honest about the breach, report it without delay and show that you are taking personal data security seriously.

Make sure that you have a robust process in place to detect and notify breaches on time, and that you are able to provide the necessary details, if you experience a notifiable breach. If you decide you don't need to report the breach, make sure that you can justify this decision and document it.

If you are subject to the UK General Data Protection Regulation (UK GDPR) and are transferring personal data outside of the UK, you are making what is known as a 'restricted transfer'. There are strict rules on such transfers. These apply to all data transfers, no matter the size of the transfer, or how often you carry them out.

Are you making a restricted transfer?

You are making a restricted transfer of personal data if:

• the UK GDPR applies to your processing of the personal data you are transferring
• you are sending personal data (or making it accessible) to a receiver to which the UK GDPR does not apply (usually located in countries outside the UK)
• the receiver is a separate organisation or individual - this includes transfers to another company within the same corporate group

Before making a restricted transfer, you should consider whether you can achieve your aims without actually sending personal data. For example, anonymising the data (so that it cannot be used to identify an individual) would take it outside of the scope of the restrictions.

Rules on transferring personal data from the UK

Restricted transfers of personal data from the UK to other countries, including to the European Economic Area (EEA), are subject to transfer rules under the UK regime. To comply with rules on transferring data outwards from the UK, you must consider the following factors:

• Is the restricted transfer covered by adequacy regulations?
• Is the restricted transfer covered by appropriate safeguards?
• Is the restricted transfer covered by an exception?

Adequacy decisions

You may make a restricted transfer if you are sending the data to a receiver in a country, territory or organisation covered by UK adequacy regulations.

Adequacy decisions confirm that a particular country or territory (or a specified sector in a country or territory) or international organisation, has an adequate data protection regime.

The UK has adequacy decisions in relation to the EEA countries and the EU/EEA institutions, bodies, offices or agencies. This means data can continue to flow freely from the UK into the EEA. The UK also has:

• an adequacy decision for Gibraltar
• an adequacy decision for countries, territories and sectors covered by the European Commission's adequacy decisions (in force on 31 December 2020)
• partial findings of adequacy about Japan and Canada

If no adequacy decision covers your restricted transfer, you should consider putting in place one of a list of appropriate safeguards to cover the restricted transfer.

Appropriate safeguards

Appropriate safeguards ensure that both you and the receiver of the restricted transfer are legally required to protect individuals' rights and freedoms in respect of their personal data.

The safeguards include:

• a legal instrument between public authorities or bodies
• UK Binding Corporate Rules (UK BCRs)
• data protection clauses for restricted transfer
• an approved code of conduct
• certification under an approved certification scheme
• contractual clauses authorised by the ICO, including those on the basis of the new International Data Transfer Agreement (IDTA) and the EU SCCs Addendum
• administrative arrangements between public authorities or bodies

UK BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

For most businesses, the simplest way to provide an appropriate safeguard for a restricted transfer to a country not covered by an adequacy decision will be through agreeing the data protection clauses with the sender.

You can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

The IDTA and Addendum replaced standard contractual clauses (SSCs) for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as 'Schrems II'.

Find guidance from the Information Commissioner's Office (ICO) on the international data transfer agreement and Addendum.

Exceptions on restricted transfers

If you are making a restricted transfer that is not covered by UK adequacy regulations, nor an appropriate safeguard, then you can only make that transfer if it is covered by one of the exceptions set out in the UK GDPR.

Specific exemptions, or derogations, for data transfers apply when:

• the data subject explicitly consents to the transfer (and is aware of the risks)
• you have a contract with the individual and:
  • the transfer is needed for the performance of that contract
  • the contract benefits another individual whose data is being transferred
• the transfer is deemed necessary for reasons of public interest
• the transfer is necessary in relation to a legal claim
• the transfer is necessary to protect the data subject's vital interests (eg their life)
• the transfer is made from a public register created under UK law
• the transfer is a one-off and necessary for your competing legitimate interests

If the UK adequacy regulations, appropriate safeguard provisions, nor exceptions apply to your transfer of data, you will be unable to make the transfer in accordance with the UK GDPR.

Rules on transferring personal data from the EEA into the UK

Under the EU GDPR, an EEA controller or processor will only be able to make a restricted transfer of personal data to countries outside of the EU/EEA if:

• the country they are sending data to is covered by an EC adequacy decision
• one of the EU GDPR appropriate safeguards is in place
• one of the list of EU GDPR exceptions applies

The EU has formally adopted 'adequacy decisions' for the UK. These allow for the ongoing free flow of personal data from the EU/EEA to the UK. Third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.

The most common method of complying with the data transfer requirements under the General Data Protection Regulation is the use of standard data protection clauses. Standard data protection clauses make the data transfer between two businesses subject to a legally binding agreement guaranteeing the rights of individuals whose personal data is being transferred.

Standard Contractual Clauses (SCCs) for restricted transfers from the EU

In June 2021, the European Commission adopted new Standard Contractual Clauses which are used to provide safeguards for restricted transfers of personal data from the EU. These were not valid for restricted transfers under the UK GDPR. UK data transfers continued to rely on the older EU SCCs until new UK-specific transfer mechanisms were put in place.

Restricted data transfers from the UK

As of 21 March 2022, businesses subject to the UK General Data Protection Regulation can use new UK equivalents in place of the SCCs for international transfers. These are:

• International Data Transfer Agreement (IDTA) – most likely to be used for transfers of personal data to a single country
• Addendum to the EU SCCs – most likely to be used for transfers involving EU data

The IDTA and the Addendum take into account the data protection concerns raised by the Schrems II case, and require data exporters to carry out a risk assessment before making the transfer to ensure that it is adequately protected.

International Data Transfer Agreement and guidance

The IDTA, the Addendum and a document setting out transitional provisions came into force on 21 March 2022. Exporters are now able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers to third countries, such as the United States.

The IDTA operates on a standalone basis and is substantially similar to the new EU SCCs. The Addendum on the other hand operates in conjunction with the new SCCs by amending them to allow for their use for transfers from the UK.

Find more information on the IDTA and the Addendum.

Transition period for using the IDTA and the Addendum

The Information Commissioner's Office (ICO) has introduced a grace period for implementing the UK's IDTA and Addendum. You may continue to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. You can access the ICO's versions of these SCCs templates here:

• SCCs for controllers to processors (Word, 124K)
• SCCs for controllers to controllers (Word, 112K)

All contracts on the basis of the old EU SCCs will continue to provide 'appropriate safeguards' for the purpose of UK GDPR until 21 March 2024.

From that date, if your restricted transfers continue, you must enter into a contract on the basis of the IDTA or the Addendum, or find another way to make the restricted transfer under the UK GDPR.

Contractual clauses are most likely to be appropriate for small and medium-sized businesses. If you are part of a multinational group of companies, and receiving data from within that group, you may not need EU SCCs or IDTAs if your group has approved Binding Corporate Rules in place. Find out about other mechanisms for restricted transfers of personal data.

If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).

The ICO can issue sanctions for a breach of the regulation, including:

• warnings and reprimands
• compliance orders
• bans on processing or data transfers (permanent or temporary)
• administrative fines

Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.

Fines for infringement of the UK GDPR

Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:

• a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
• a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation

The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.

How does the ICO determine the level of penalties?

The ICO will consider a number of factors when determining the level of penalties, including::

• the nature, gravity, and duration of the infringement
• the number of people affected and the extent of the damage to them
• whether the breach was intentional or negligent
• any previous history of noncompliance
• any action taken to mitigate the damage
• whether the controller notified the ICO of the infringement and co-operated

See more on reporting serious breaches of personal data.

Impact of GDPR non-compliance

The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.

You may be subject to:

• private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
• reputational damage
• loss of consumer trust

It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.

The EU General Data Protection Regulation (GDPR) is a European Union regulation. As such, it no longer applies to businesses operating solely within the UK. However, the EU GDPR still applies:

• directly to you:
  • if you operate in the European Economic Area (EEA)
  • offer goods or services to individuals in the EEA
  • monitor the behaviour of individuals in the EEA
• to any organisations in Europe who send you data

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, you may need to appoint an EU representative.

Data collected before the end of the transition period

Personal data about individuals located within the EEA, which was gathered by UK businesses before 1 January 2021, will be subject to the EU GDPR as it stood on 31 December 2020. This is known as the 'frozen GDPR'. 

What is the UK GDPR?

The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). In practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

• offering goods or services to individuals in the UK, or
• monitoring the behaviour of individuals taking place in the UK

If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Organisations (or sole traders) that determine the purpose for which personal data is processed must pay a data protection fee to the ICO, unless they are exempt.

The cost of your data protection fee depends on your size and turnover. There are three tiers of fees ranging from £40 and £2,900, but for most organisations, it will be £40 or £60. Small discount is available if you choose to pay by direct debit.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.

To understand if the UK General Data Protection Regulation (UK GDPR) applies to your activities, you must know whether or not you are processing personal data.

What is personal data?

Personal data is information that relates to an identified or identifiable individual. An individual is 'identified' or 'identifiable' if you can distinguish them from other individuals. Common means of identifying someone may include, for example:

• name
• date of birth
• identification numbers
• bank details
• addresses, including email addresses
• other location data, such as an IP address
• online identifiers

Other factors, or a combination of factors, may also identify an individual. For example:

• information about sole traders, employees, partners and company directors, that identifies and relates to them as an individual
• pseudonymised data, ie data where identifiers have been removed or replaced, but a residual risk of re-identification remains

If it is possible to identify an individual directly or indirectly from the information you are holding or processing, then that information may be personal data.

Sensitive personal data

Personal data may also include special categories of personal data, such as:

• data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person's sex life or sexual orientation
• data on criminal conviction and offences

These are considered to be more sensitive and you may only process them in more limited circumstances.

Does your data relate to an individual?

For data to be 'personal data', it must relate to a living, identifiable individual. To decide if data relates to an individual, you may need to consider:

• the content of the data - is it directly about the individual or their activities
• the purpose you will process the data for
• the results of (or effects on) the individual from processing the data

It is possible that the same information is personal data for one controller's purposes but is not personal data for the purposes of another controller.

The UK GDPR does not extend to information about a deceased person, information about companies or public authorities (except for personal data relating to individuals within), or anonymised data (if it is truly anonymous).

In some cases, it may be difficult to determine if data is personal data. The Information Commissioner's Office (ICO) has published detailed guidance on determining what is personal data. If in doubt, treat the information with care, ensure that you have a clear reason for processing the data and make sure you hold and dispose of it securely.

How long can you keep personal data?

The UK GDPR explicitly states that you must keep personal data 'no longer than is necessary' for the purposes for which the personal data is processed. It doesn't, however, specify how long is 'longer than necessary'.

Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.

The regulation puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:

• for the least amount of time that you can
• in accordance with the requirements of your business
• stored securely while it is in your possession
• until it reaches the appointed deletion time

See more on accountability under the UK GDPR.

The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.

1. Lawfulness, fairness and transparency principle

To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:

• identify valid grounds for collecting or using personal data - known as the lawful basis
• ensure that your use of data doesn't breach any other laws
• use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
• be clear, open and honest with people about how you will use their personal data

2. Purpose limitation principle

To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:

• be clear about what your purposes for processing are from the start
• record your purposes as part of your documentation obligations
• inform individuals about your purposes to comply with transparency obligations
• ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent

3. Data minimisation principle

To comply with the third principle, you must ensure that the personal data you are processing is:

• adequate - sufficient to properly fulfil your stated purpose
• relevant - has a rational link to that purpose
• limited to what is necessary - you do not hold more than you need for that purpose

4. Accuracy principle

The accuracy principle requires you to take all reasonable steps to:

• ensure the personal data you hold or process is not incorrect or misleading
• ensure that the source and status of personal data are clear
• consider any challenges to the accuracy of information
• consider if it is necessary to periodically update the information

5. Storage limitation principle

To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:

• think about - and be able to justify - how long you keep the data depending on the purpose you need it for
• set a retention policy or schedule wherever possible, to comply with the documentation requirements
• periodically review the data you hold, and erase or anonymise it when you no longer need it
• carefully consider any challenges to your retention of data, for example when it comes to erasure

6. Integrity and confidentiality (also known as the security principle)

To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:

• against unauthorised or unlawful processing
• against accidental loss, destruction or damage
• using appropriate technical or organisational measures

7. Accountability principle

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.

To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis for processing personal data.

There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use.

Conditions for processing data under the UK GDPR

The lawful bases for processing include:

Consent

This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.

Contract

This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (eg provide a quote). See more on contracts.

Legal obligation

This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your legal obligation.

Vital interests

This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.

Public task

This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Legitimate interest

This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.

Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

Why must you have a lawful basis for processing?

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.

The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

Deciding which lawful basis applies

You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

• check that the processing is necessary for the relevant purpose
• check that there is no other reasonable way to achieve this purpose
• document why you chose a particular lawful basis - to demonstrate compliance
• explain the purpose and the lawful basis for processing in your privacy notice

If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.

Commercial businesses may typically seek to rely on consent, contractual obligation and/or legitimate interests as legal bases for processing personal data. Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose.

You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Can you switch lawful basis for processing?

It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

To satisfy the UK GDPR's accountability principle, you must keep a record of:

• which basis you are relying on for each processing purpose
• a justification for why you believe the basis applies

There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations, and will also help you when writing your privacy notices.

Find out more about documentation requirements in our guidance on accountability.

Consent is one of the six lawful basis for processing of personal data under the UK General Data Protection Regulation (UK GDPR).

What is valid consent under the GDPR?

For consent to be valid under the UK GDPR, it must:

• be freely given - giving people genuine choice and control over how you use their data
• be specific and informed - covering the controller's name, the purposes of the processing, the processing activity and the right to withdraw consent at any time
• be obvious that the individual has consented, and what they have consented to
• require a clear positive action to opt in - consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand

Explicit consent must be expressly confirmed in words rather than by any other positive action. In their guidance, the Information Commissioner's Office (ICO) explains in detail what makes consent valid.

When should you obtain consent under GDPR?

You may need to seek consent in a number of circumstances. For example, if:

• no other legal basis for data processing applies
• you want to use or share someone's data in unexpected or potentially intrusive ways
• you are using special category data - you may need explicit consent to legitimise the processing (unless specific conditions apply)

Under e-privacy laws, you may need consent to make certain types of marketing calls and messages, use website cookies and online tracking, or install apps or other software on people's devices. If you need consent under e-privacy laws, then in practice consent is also the appropriate lawful basis under the UK GDPR. If e-privacy laws don't require consent for marketing, you may be able to consider legitimate interests instead.

Consent is one lawful basis for processing, but it won't always be the most appropriate or easiest. If consent is difficult, you should consider the alternatives. Private sector businesses will often be able to consider legitimate interest basis if they find it hard to meet the standard for consent.

When should you not use consent?

You should not use consent as your lawful basis for processing if:

• you can't offer people a genuine choice over how they use their data
• you could process data on a different lawful basis if consent is refused or withdrawn
• you ask for consent as a precondition of accessing your services
• you are in a position of power over the individual, eg an employer processing employee data

Find out when consent may or may not be appropriate. You can also use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

How to obtain consent

You must make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. If the request is vague, difficult to understand or uses language likely to confuse, it will be invalid.

You should obtain consent upfront before processing begins. As a minimum, your consent request must include:

• the name of your organisation and of any other controllers who will rely on the consent
• why you want the data (the purposes of the processing)
• what you will do with the data (the processing activities)
• that people can withdraw their consent at any time

You can use different methods to obtain consent, but you must ask people to actively opt in.

Opt-in consent

Examples of active opt-in mechanisms include:

• signing a consent statement on a paper form
• ticking an opt-in box on paper or electronically
• clicking an opt-in button or link online
• selecting from equally prominent yes/no options
• choosing technical settings or preference dashboard settings
• responding to an email requesting consent
• answering yes to a clear oral consent request
• volunteering optional information for a specific purpose - eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box

Explicit consent

If you need explicit consent, the opt-in needs to involve an express statement confirming consent. Under the UK GDPR, you cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions. See more on what is explicit consent.

If you are seeking consent for various different purposes or types of processing, you should provide a separate opt-in for each unless you are confident it is appropriate to bundle them together.

If you are asking for consent electronically, consent must not be 'unnecessarily disruptive to the use of the service for which it is provided', so make sure that you adopt the most user-friendly method you can.

If you are offering online services to children and want to rely on consent for your processing, you need to adopt age-verification measures and seek parental consent for children under 13. See rules on children's consent.

How to record consent

Where processing is based on consent, you must be able to demonstrate that the data subject has consented to processing of their personal data. You must keep records that demonstrate:

• who consented
• when they consented
• what they were told at the time
• how they consented
• whether they have withdrawn consent (and if so, why)

An effective audit trail of how and when consent was given will provide you with evidence if challenged. Keep this evidence for as long as you are still processing based on the consent, so that you can demonstrate your compliance in line with accountability obligations.

Reviewing consent

Your obligations don't end when you get consent. You should keep your consents under review and refresh them:

• if anything changes, eg if your purposes for processing evolve
• if you rely on parental consent, when children grow up and can consent for themselves
• automatically at appropriate intervals, depending on the context, people's expectations

If in doubt, the ICO recommends you consider refreshing consent every two years. You may be able to justify a longer period, or may need to refresh more regularly to ensure good levels of trust and engagement.

How long does GDPR consent last?

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

Managing consent for use of personal data

In addition to reviewing consents, it is also good practice to offer ongoing choice and control and provide preference-management tools (such as privacy dashboards and opt-out by reply to every contact) to allow people to easily access and update their consent settings.

You must include details of the right to withdraw consent in your privacy information and consent requests. It is good practice to also include details of how to withdraw consent. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

Individuals must be able to refuse and withdraw consent without suffering any detriment. If there is a penalty for withdrawing consent, the consent would be invalid as it would not be freely given.

What happens when someone withdraws their consent?

If someone withdraws consent, you should stop the processing as soon as possible. Withdrawal does not affect the lawfulness of the processing up to that point, but it does mean you can no longer rely on consent as your lawful basis for processing.

Consent and individuals' rights

If you rely on consent, this will affect individuals' rights. In addition to the right to be informed, they will also have:

• the right to erasure (also known as 'the right to be forgotten')
• the right to data portability
• the right to withdraw consent - which in effect operates as a right to stop the processing

See more on data subject rights under the UK GDPR.

Handling personal data badly - including relying on invalid or inappropriate consent - can damage customer trust and your reputation. It may also leave you open to substantial GDPR penalties and fines.