Data protection for businesses

In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 2018 (the DPA) which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulations (the GDPR). Businesses that process personal data are subject to a number of legal obligations to protect that data.

Personal data is information relating to individuals who can be personally identified from that data (on its own or with other data held). Personal data can be held electronically or physically and includes names, addresses (including email addresses), dates of birth and online identifiers (eg IP addresses).

There is a further 'special category' of 'sensitive personal data' which is awarded greater protection under the law and includes information about racial or ethnic origin, sexual life and physical or mental health or condition.

Criminal offence data (ie personal data relating to criminal convictions and offences or related security measures) is treated separately to personal data and special category special data but is subject to even tighter controls.

For more information, read Data protection.

Businesses will only be able to process personal data if they have a lawful basis for processing the data. There are six grounds for the lawful processing of personal data, which include (but are not limited to) data subject (ie the individual the data relates to) having consented to the processing, the processing being necessary for the performance of a contract and the processing being necessary for the organisation’s or a third party’s legitimate interests.

For more information on these grounds, read Processing personal data.

A business can only process special category sensitive data if, in addition to having a lawful basis for processing, it can demonstrate that it meets a so-called ‘condition for processing’. These conditions for processing include (but are not limited to) where the processing relates to personal data that has been made public by the data subject, the processing is necessary for reasons of substantial public interest and the processing is necessary for health or social care purposes. The condition for processing (in addition to the lawful basis for processing) needs to be recorded in a Data protection impact assessment (DPIA).

For more information on these conditions for processing, read Compliance for DPIAs.

A business can only process criminal offence data if, in addition to having a lawful basis for processing, it is either processing the data under the control of official authority or is authorised to process the data under UK law.

Processing under the control of official authority means that the business has the authority to process criminal offence data under the law, and is able to pinpoint specific legislation that provides them with such authority. For example, the courts have specific official authority to process criminal offence data.

Businesses are authorised to process the data under UK law if they can meet one of the 28 conditions in the DPA, which include (but are not limited to) processing criminal offence data for reason of fraud prevention, suspicion of terrorist financing or money laundering and insurance. For more information, read Criminal offence data for DPIAs.

The condition for processing (in addition to the lawful basis for processing) needs to be recorded in a DPIA.

A DPIA is a process designed to help organisations (often known as ‘data controllers’) identify and minimise the data protection risks of a project. It’s an essential component of an organisation’s accountability obligation under the GDPR and helps organisations assess and demonstrate how they comply with their data protection obligations. 

A DPIA needs to be completed where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is ‘high risk’, the likelihood and severity of any potential harm to individuals need to be considered.

Read Data protection impact assessments for more information.

A Legitimate interest assessment (LIA) is needed when a business is processing personal data on the basis of legitimate interest. An LIA is used to identify the legitimate interest in question, the benefits of processing the personal data and whether such processing is necessary. For more information, read Legitimate interest assessments.

An Appropriate policy document (APD) is a document outlining the business’ compliance measures and retention policies for special category sensitive data and criminal offence data. When a business processes special category sensitive data or criminal offence data they may need to have such an APD in place, depending on the conditions for processing relied on. For more information, read Appropriate policy documents.

Businesses must follow the legal rules on data protection in relation to any data they process in relation to staff members. Failure to comply with data protection laws in relation to staff could automatically breach other duties employers owe them (eg a serious breach of data protection could amount to a breach of contract as a result of failure in the duty to maintain trust and confidence).

Employers should inform staff about the types of data they may collect about them and what they do with it in an Employee privacy notice or a Consultant privacy notice for consultants.

Employers should consider putting in place a Data protection and data security policy to follow a set process that gives confidence to employees and help avoid any potential claims. Where any data processing of staff data is likely to result in a high risk to individuals (eg denial of work opportunities), employers must conduct a DPIA.

For more information, read Data protection and employees.

Transfers of personal data to recipients outside the UK (ie a 'third country') is prohibited under data protection laws unless certain safeguards are put in place. This affects all businesses that engage in international transfers (eg cloud-based services). Such businesses need to implement lawful data transfer mechanisms (such as standard contractual clauses) in order to be compliant. Read International transfers of personal data for more information.

A Data processing agreement (DPA) is an agreement between a data controller (eg a company) and a data processor (eg a third-party service provider). A DPA regulates any personal data processing conducted for business purposes. Having a DPA in place helps data controllers ensure that any processors they use have implemented appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subjects. For more information, read Data processing agreements.