Data Protection FAQs

Find answers to our most frequently asked questions about data protection and privacy from our lawyers.
We make the difference. Talk to us: 0333 004 4488 | hello@brabners.com

Data protection is the legal framework that governs how organisations collect, use, store and share personal data. In the UK, this framework is set by the UK GDPR and the Data Protection Act 2018 (DPA 2018), which require organisations to process personal data lawfully, fairly and transparently.
Compliance with this legal framework matters because it helps you to:
Yes, you must have a privacy policy if you collect any personal data from your customers or users.
This must always reflect your current data processing activities and should explain your lawful bases for collecting and using any personal data, as well as how individuals can exercise their rights over their personal data or make a complaint.
Organisations have a legal obligation under the UK GDPR to keep their privacy policy and underlying processing records up to date, particularly where activities, systems or purposes change.
We can help you to draft or review your privacy policy and keep it current by supporting you with regular reviews and updates of your data processing activities and documentation.
Personal data is any information that identifies or could identify a living individual, either directly (such as a name or email address) or indirectly (such as location data, online identifiers or device IDs). It includes both ordinary personal data and more sensitive 'special category' data, such as health, biometric or racial or ethnic origin data, under the UK GDPR and DPA 2018.
We help organisations to understand what constitutes personal data in practice, including when information may fall outside scope or become personal data once it’s combined with other datasets.
Under the UK GDPR, you must identify one of the six lawful bases in Article 6 before you process personal data:
- consent;
- performance of a contract with the individual (or steps taken at their request before entering into one);
- compliance with a legal obligation;
- protection of someone's vital interests;
- performance of a task carried out in the public interest or in the exercise of official authority; or
- legitimate interests (yours or a third party's), unless overridden by the individual's interests, rights and freedoms.
The DPA 2018 supplements this by setting out specific requirements for special category (highly sensitive) and criminal offence data processing.
Organisations must keep Records of Processing Activities (ROPAs) to set out processing activities, lawful bases and purposes for processing personal data. We can advise your organisation on mapping its processing activities, assessing which lawful bases apply and drafting or updating ROPAs.
No. Consent is only one lawful basis that can be relied upon for processing personal data.
Other lawful bases may apply depending on your activities and what you intend to do with the personal data. However, where you’re relying on consent as the lawful basis, you must still meet the UK GDPR standards for ensuring that valid consent has been given (i.e., consent must be freely given, specific, informed and unambiguous).
Many organisations can lawfully process personal data by relying on other bases such as performance of a contract, compliance with a legal obligation, legitimate interests or the performance of a task carried out in the public interest.
We help organisations to identify the correct lawful basis for their processing activities, ensure that these are properly documented and avoid over‑reliance on consent where it may be unsuitable or difficult to manage.
Under the UK GDPR, individuals have a right to:
- be informed about how their personal data is used;
- access their personal data (a data subject access request, or DSAR);
- have inaccurate personal data rectified;
- have their personal data erased in certain circumstances;
- restrict processing in certain circumstances;
- data portability;
- object to processing, including for direct marketing; and
- not be subject to solely automated decision-making, including profiling, that has legal or similarly significant effects on them.
Where an individual makes a data subject access request (DSAR), we regularly support organisations with the full DSAR process — from undertaking an initial review to understanding the scope of the request and providing a thorough and clear response.
Yes, though whether and how you can do so depends on what data you're transferring and where it's going. A transfer of personal data out of the UK is only permitted where safeguards ensure that the data will receive essentially the same level of protection as under the UK GDPR.
Options include:
- transferring to a country, territory or sector covered by UK adequacy regulations;
- putting an appropriate safeguard in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment;
- binding corporate rules for transfers within a corporate group; or
- in limited cases, relying on one of the specific exceptions (for example, the individual's explicit consent to the transfer after being told of the possible risks).
We advise on UK and international data transfers including the use of appropriate safeguards such as the UK International Data Transfer Agreement, Addendum to the EU SCCs and transfer risk assessments. We also provide strategic advice on cross‑border data flows.
Under the UK GDPR, you may only keep personal data for as long as is necessary for the purposes for which it was collected.
You must set defined retention periods and apply them consistently, implement secure deletion or anonymisation of the data and document retention decisions.
Keeping personal data ‘just in case’ isn’t permitted.
We can help with this and draft retention schedules and policies that are appropriate for your organisation.
A DPO is mandatory under the UK GDPR only if:
- you're a public authority or body (other than a court acting in its judicial capacity);
- your core activities require regular and systematic monitoring of individuals on a large scale; or
- your core activities consist of large-scale processing of special category data or criminal offence data.
If your organisation doesn't meet any of these criteria, appointing a DPO isn't a legal requirement. Bear in mind that a voluntarily appointed DPO is subject to the same statutory requirements as a mandatory one, including independence, a direct reporting line to the highest level of management and protection from dismissal or penalty for performing the role. Where the formal role isn't needed, another appointment may suffice (for example, a 'Data Protection Manager' instead of a DPO).
We regularly support organisations that require ongoing data protection expertise, providing DPO‑level support alongside in‑house teams. This flexible approach allows organisations to access specialist advice without the cost of a full‑time internal role.
Under the UK GDPR, you must:
- notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms;
- tell the affected individuals without undue delay where the breach is likely to result in a high risk to them; and
- if you're acting as a processor, notify the controller without undue delay after becoming aware of a breach.
You must also keep a record of all personal data breaches, including the facts, their effects and the remedial action taken, even where notification to the ICO isn't required.
The UK GDPR requires "appropriate technical and organisational measures" (TOMs) proportionate to the level of risk. Article 32 gives examples of security measures that may be appropriate depending on the context:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of those measures.
Assessing what’s appropriate requires a risk‑based approach, taking into account the nature of the data, the purpose of processing and potential impact. We can support organisations in carrying out these risk assessments for their processing activities.
The ICO already holds extensive enforcement powers under the UK GDPR and DPA 2018, including the ability to conduct audits and assessments and to issue enforcement notices and penalty notices. These powers are being further strengthened by the Data (Use and Access) Act 2025, which gives the ICO additional powers including the ability to require individuals to attend interviews and to require organisations to commission, and pay for, independent technical reports to assist in investigations. These new ICO powers are being phased in, with full enforcement expected by mid-2026.
We assist organisations in preparing for regulatory engagement by reviewing compliance documentation, advising on risk areas and supporting responses to ICO enquiries, investigations or audits. Our aim is to help clients demonstrate accountability and reduce regulatory risk.