Data Protection and Privacy: UK GDPR Guide for Businesses

UK GDPR imposes legally enforceable obligations on any organisation that processes personal data. This guide covers the core principles, what businesses must do in practice, common compliance mistakes and the technical controls that satisfy Article 32's requirement for appropriate security measures.

Sophie Moore

Operations Manager

9 min read · Mar 2026

UK GDPR: The Fundamentals

The UK General Data Protection Regulation (UK GDPR) — retained and adapted from the EU GDPR following Brexit — sets out how organisations must collect, store, process and protect personal data. It applies to virtually every UK business that handles data about customers, employees, suppliers or any other identifiable individuals.

The Information Commissioner's Office (ICO) enforces UK GDPR and can issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious violations. In practice, the ICO focuses enforcement on material harm to data subjects and failures of transparency rather than purely technical non-compliance, but the financial and reputational consequences of a breach remain significant.

The Seven Principles

UK GDPR is built around seven principles that apply to all personal data processing:

  • Lawfulness, fairness and transparency: You must have a lawful basis for processing, be honest about how you use data and not use it in ways people would not reasonably expect.
  • Purpose limitation: Data collected for one purpose cannot be used for an unrelated purpose later.
  • Data minimisation: Only collect the data you genuinely need.
  • Accuracy: Keep personal data accurate and up to date.
  • Storage limitation: Do not retain personal data longer than necessary for its purpose.
  • Integrity and confidentiality: Process data securely, protecting against unauthorised access, loss or destruction — this is the security requirement.
  • Accountability: You must be able to demonstrate compliance, not just claim it.

Lawful Bases for Processing

Every act of processing personal data requires a lawful basis. The six bases under UK GDPR are:

  • Consent: Freely given, specific, informed and unambiguous. Cannot be bundled with terms and conditions.
  • Contract: Processing necessary to fulfil a contract with the data subject.
  • Legal obligation: Processing required by law (e.g., payroll for HMRC).
  • Vital interests: Rare — for life-or-death situations.
  • Public task: Applicable primarily to public authorities.
  • Legitimate interests: The most commonly misused basis — processing must be necessary, balanced against the data subject's rights, and a Legitimate Interests Assessment (LIA) should be documented.

Many businesses default to consent as their lawful basis when legitimate interests or contract would be more appropriate and proportionate. Consent-based processing creates ongoing obligations around managing withdrawals that other bases do not.

Article 32: The Security Requirement

Article 32 of UK GDPR requires organisations to implement appropriate technical and organisational measures to ensure security appropriate to the risk. This is intentionally non-prescriptive, but in practice the ICO expects measures proportionate to the sensitivity of the data and the likelihood and severity of potential harm.

Technical measures typically expected include:

  • Encryption of personal data at rest and in transit
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore access to personal data after an incident
  • Regular testing and evaluation of security measures

Organisational measures include staff training, access controls, data processing agreements with suppliers and documented policies.

Data Breach Obligations

Under UK GDPR, a personal data breach that is likely to result in risk to individuals must be reported to the ICO within 72 hours of becoming aware of it. Breaches that are likely to result in high risk to individuals must also be communicated to the affected individuals without undue delay.

Key points businesses often misunderstand:

  • A breach is not just hacking — lost laptops, misdirected emails and unauthorised access by employees all qualify
  • The 72-hour clock starts when you become aware, not when the breach occurred
  • You do not need to have all the facts within 72 hours — a partial notification followed by updates is acceptable
  • You should maintain a register of all breaches, even those not reportable to the ICO

Common Compliance Mistakes

Based on ICO enforcement trends and practical experience across UK SMEs, the most frequent compliance failures are:

  • No lawful basis documentation: Organisations process data without recording their legal basis or conducting the required assessments.
  • Excessive data retention: Data held indefinitely because no one has defined retention periods or created a deletion schedule.
  • Third-party processors without contracts: Using cloud services, marketing platforms or payroll providers without Data Processing Agreements (DPAs) in place.
  • Inadequate security for the data held: Unencrypted laptops, shared passwords or cloud storage with no access controls protecting databases of customer personal data.
  • Privacy notices not updated: A copied privacy notice that does not reflect actual processing activities.

Practical Steps for UK SMEs

Compliance does not require a large compliance department. The following steps cover the majority of what most UK SMEs need to have in place:

  1. Complete a data mapping exercise — what personal data do you hold, where is it, why, and with whom is it shared?
  2. Document a lawful basis for each category of processing
  3. Update your privacy notice to accurately reflect your data processing
  4. Define and implement retention schedules for each data category
  5. Put DPAs in place with all processors (cloud providers, marketing tools, payroll, etc.)
  6. Implement technical security measures appropriate to your risk level — encryption, access controls, MFA
  7. Train staff on data protection basics and how to identify a potential breach
  8. Create an incident response procedure that includes the 72-hour ICO notification process

The accountability principle means you should document all of the above. The ICO expects to see evidence of compliance, not just assurances.

Are Your Technical Security Measures GDPR-Appropriate?

Article 32 requires appropriate technical controls for the personal data you process. AMVIA can assess your current security posture against UK GDPR requirements and recommend proportionate improvements.

Frequently Asked Questions