Peninsula Group, HR and Health & Safety Experts
In this guide, we'll provide a UK GDPR overview, outline data protection rules, and advise your legal obligations when processing personal data.

With the increase in online visibility, it's important that every individual's personal data is protected. This is why the EU introduced the General Data Protection Regulation (GDPR) - its own set of data protection rules.

As a business owner, you must demonstrate UK Data Protection and GDPR compliance. This means processing data lawfully, appointing a data protection officer if necessary, and following the UK's data protection law.

What is GDPR?

The General Data Protection Regulation (GDPR) is a set of European data protection rules that the European Union (EU) enforced in 2018. Its purpose is to allow individuals more control over how their personal data is collected and processed.

It also sets certain data privacy laws businesses must follow, so they can process data lawfully. As more and more people are asked to trust large organisations with their personal data, it's vital that businesses follow The Data Protection Act now more than ever.

Who does EU GDPR apply to?

EU GDPR applies to EU citizens and organisations. But, it also applies to international organisations and non-EU companies - if they transfer and process the personal data of citizens of the European Union.

For example, if a company from Japan collects data from EU citizens, it would still have to comply with EU GDPR.

Does EU GDPR still apply to the UK?

EU GDPR has not applied to the UK since it left the European Union in 2021. But in 2018 the UK introduced its own data protection law, the Data Protection Act. This national law is similar to EU GDPR, as it sets out that companies have a legal obligation to collect and process data lawfully.

For example, companies must implement appropriate safeguards for the processing of personal data. This applies to all businesses, public authorities and other organisations, whether they operate on a small or large scale.

Like EU GDPR, its purpose is to ensure that an individual's personal data is always protected and secure. For more information on The Data Protection Act, check out our guide.

What are the key definitions of UK GDPR?

There are several key definitions in UK GDPR that you should be aware of, such as what is meant by data processing. Let's explore them in more detail:

Data processing

Data processing is the collection of personal data. This includes any data that a business records, organises, structures, stores, alters and retrieves. Essentially, any operations performed on an individual's personal data constitutes data processing.

Data controllers

A data controller is an individual or party that determines the purposes for which a business processes personal data. For example, this could be a charity that requires data for donations. This also includes determining how they plan to process a customer's, client's or employee's personal data on a legal basis. Data controllers are also responsible for complying with UK GDPR.

Data processors

A data processor is the individual, party or public authority who gathers and processes personal data - typically on behalf of the data controller. Processing personal data is usually something an external third party would conduct. But sometimes the data processor and the data controller are the same party.

Data subjects

A data subject is any identified individual that personal data relates to, but this only refers to people who are alive. Data that could identify a person includes their name, telephone number, or address.

What constitutes personal data under UK GDPR?

Personal data constitutes any information that relates to an identified or identifiable data subject. Some examples include:

  • Names.
  • Phone numbers.
  • Email addresses.

Some personal data is more sensitive than other types, and therefore needs more protection. The law refers to these as special categories of data.

What are examples of special categories of data?

Ensure you're aware of the examples of special category data, such as a person's race or ethnic origin. This will help you understand whether you need to implement further data security measures. Other examples of special category data include:

  • Political opinions.
  • Religious beliefs.
  • Location data.
  • Sexual orientation.
  • Health data.
  • Trade union memberships.

This also includes biometric data, which are measurements that relate to an individual's unique physical characteristics, such as a person's fingerprints, height or weight.

Similarly, personal data relating to an individual's criminal convictions and offences also requires more protection. But the legislation still allows businesses to conduct criminal background checks when recruiting.

What is not personal data under GDPR?

Information about companies, public authorities and organisations is not considered personal data. For example, a company registration number or a generic company email address (as opposed to one that identifies an individual). In addition, information that has been anonymised is also not considered personal data.

What are the fundamental rights of a data subject?

The EU GDPR outlines several fundamental rights of a data subject. These include the:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.
  • Rights related to automated decision-making, including profiling.

It's important to note that the exercise of these rights must not affect the rights and freedoms of others. Ultimately, the above gives the individual more control over, and easier access to, their personal data.

How long does GDPR consent last?

The UK GDPR doesn't specify a timeframe for how long consent lasts, as it depends on the context in which the consent was given and on the expectations of the data subject. Most likely, the validity of this consent will diminish over time, so ensure you regularly ask data subjects to renew their consent.

What are the main principles of GDPR?

There are seven main principles of GDPR. Each one is equally important, and following them will help you avoid unlawful processing of personal data. The seven principles are:

Lawfulness, fairness and transparency

Under GDPR, when a party performs data processing, they must do it on a lawful, fair and transparent basis. Companies must collect data fairly, and have the best interest of their data subjects in mind. For example, businesses cannot lie to their data subjects about why or how they plan to process their data.

Purpose limitation

GDPR also determines that businesses must not collect data, other than for the already specified intended purpose. For example, if a company collects email addresses for a competition, they cannot then send marketing emails without asking for the data subject's consent.

Data minimisation

Under GDPR, companies must only collect data that are adequate, relevant, and limited to what's necessary. For example, businesses cannot gather data that isn't relevant to the already specified purpose.

Accuracy

Under GDPR, businesses must also take necessary steps to ensure the data they collect is accurate, as well as up-to-date. For example, if a business collects the home address of an employee, they must ensure that they update the information if the employee moves.

Storage limitation

Businesses are also not allowed to keep data longer than specified. For example, if you tell data subjects their personal information will be kept for a year and then keep it for longer, this is a breach of GDPR.

Integrity and confidentiality

GDPR dictates that businesses must implement robust data protection measures when storing personal data. This means auditing their current data control measures, and identifying what other measures they might need to protect personal data.

Accountability

Data controllers must also take accountability for their own data protection. This means complying with the preceding principles, and being transparent with each data subject. In essence, businesses must be able to prove they are GDPR compliant.

What is GDPR compliance?

GDPR compliance is when a business, organisation or other party follows the data privacy laws of their member state. If a company is GDPR compliant, they have met the requirements of this legislation and are processing data lawfully.

Why is GDPR compliance important?

GDPR is important for several reasons. For instance, it provides data subjects with fundamental rights that ensure the protection of their personal data. Let's explore a few more reasons why your business must comply with GDPR.

Ensures legal compliance

The main reason why following GDPR is important is that it means you're legally compliant. If you fail to follow GDPR, it can have severe repercussions. This includes hefty fines from the supervisory authority, as well as reputational damage.

Prevents a data breach

Another reason why GDPR compliance is important is because it prevents data breaches. If you fail to implement appropriate safeguards, not only do you not comply with GDPR, but it could also result in the accidental loss of data. For example, if this data includes confidential information about your products or services, competitors might steal it.

Increases trust and credibility

GDPR is also important because it increases your clients’ trust in you. If they can see your business is legally compliant, and concerned about protecting their data, they will develop more trust in you. As a result, you might develop longer-term relationships with both customers and clients.

What happens if your business breaches EU GDPR?

If your business breaches GDPR, it can have serious consequences. You could have to pay a fine of up to £17.5 million, or 4% of your global turnover in the previous financial year. This can also cause damage to your company's reputation, and possibly result in customer or client loss.

How to be GDPR compliant

There are several ways you can ensure your business is GDPR compliant. For example, having a lawful basis for processing data. Let's take a look at some other ways you can avoid non-compliance.

Use appropriate security measures

One way to ensure GDPR compliance is to use appropriate security measures. This is especially the case if you transfer data to international organisations, or operate on a large scale. For example, one security measure you might implement is using a private VPN.

It's also important to regularly audit your data protection measures. This means reviewing your current practices, and ensuring that the data you process still complies with GDPR.

Ensure software is up-to-date

Another way to ensure your business complies with GDPR is to maintain up-to-date software. To do so, you should perform regular checks of your current software. If you don't, it could result in a data breach.

For example, if you are still using software from five years ago, one day it might fail to work. If this happens, it might result in the accidental loss of data. As a result, you could breach GDPR.

Appoint a data protection officer

To be GDPR compliant, you could appoint a data protection officer. Data protection officers systematically monitor your company's data processing. This includes monitoring your current practices, as well as advising you on the best data privacy measures.

Your company is not required to appoint a data protection officer unless your core activities involve storing, collecting or processing data on a large scale. For example, if you regularly gather special category data from a vast number of data subjects, such as a GP practice does. But appointing a person to ensure data is protected within your business is good practice.

Get expert advice on GDPR from Peninsula

You must ensure your business complies with GDPR. This means following the data protection principles, taking appropriate data protection measures, and ensuring you process data lawfully.

Failure to do so could have serious consequences for your business, including hefty fines, legal costs, and even reputational damage.

Peninsula offers expert advice on GDPR. Our teams offer 24/7 HR advice which is available 365 days a year. We take care of everything when you work with our HR experts.

Want to find out more? Contact us on 0800 029 4377 and book a free consultation with an HR consultant today.
