A practical guide for businesses that want to stay compliant—and build real trust
Data protection laws aren’t just for tech giants or lawyers. If your business collects personal information—whether it’s client names, staff records, contact forms, or payment details—you’re legally responsible for keeping it safe, using it fairly, and giving people control over it.
The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) are the two main laws that set those rules. They affect almost every organisation in the UK—regardless of size, sector, or tech setup. And in 2024 and beyond, they’re more relevant than ever.
But here’s the problem: too many businesses still treat data protection like a tick-box exercise. They copy-paste a privacy policy, throw in a cookie banner, and assume that’s enough. It isn’t.
The real risk isn’t just regulatory fines—it’s the reputational and operational damage that comes from poor data handling, a mishandled access request, or a breach your team wasn’t trained to respond to.
In this blog, we’ll break down what these laws actually require, why they still matter, and how to make them work in the real world—not just on paper.
What is the Data Protection Act?
The Data Protection Act 2018 (DPA 2018) is the UK’s domestic data protection statute. It works alongside the UK GDPR and supplies the detail that is specific to the UK’s legal system.
You can think of it like this:
🔹UK GDPR sets the core principles and rights—how personal data should be handled, stored, and protected.
🔹DPA 2018 builds on that by setting out how the rules apply in specific sectors (like education, law enforcement, and health), giving powers to the Information Commissioner’s Office (ICO), and detailing exemptions or clarifications.
Together, they form the backbone of the UK’s data protection regime.
Although the UK has left the EU, the EU GDPR was kept in domestic law as the UK GDPR. The rules remain largely the same, but they are now set by the UK Parliament and enforced by the ICO rather than by EU institutions.
The more recent Data (Use and Access) Act (DUAA) introduces newer obligations around data systems and interoperability, but it doesn’t replace the UK GDPR or the DPA 2018. It amends and builds on them, and those two laws remain the legal foundation for how personal data must be handled.
What Counts as Personal Data?
Personal data means any information that relates to an identifiable person. This includes obvious things like:
🔹Names and addresses
🔹Email accounts and phone numbers
🔹Staff records and customer profiles
But it also includes:
🔹IP addresses, usernames, and device IDs
🔹Behavioural data from websites or apps
🔹Opinions, notes, or internal emails that refer to someone
🔹CCTV footage, photographs, and audio recordings
🔹Location data or health information
If someone can be identified directly or indirectly by the data you collect, it’s covered by UK GDPR.
And if you process special category data (for example health, ethnicity, religion, sexual orientation, or biometric data used to identify someone), you face stricter obligations: you need a specific condition for processing it on top of your lawful basis.
The 7 Principles of UK GDPR — and What They Actually Mean
These seven principles are the foundation of everything GDPR requires. They aren’t just technical checklists—they’re ethical commitments that shape how you handle people’s data.
Let’s break them down.
1. Lawfulness, Fairness and Transparency
You must have a clear and lawful reason for collecting personal data. People should know what you’re doing with it—and why.
Example: If you collect customer emails to send appointment reminders, that’s fine. But you can’t then start using those emails to send marketing without informing them and having the proper legal basis (more on that below).
Transparency means being upfront, not burying key info in legal jargon. Your privacy notice should be clear, honest, and accessible—not something only a solicitor can decode.
2. Purpose Limitation
You can only use personal data for the specific reason you collected it.
Example: If someone gives you their email address to download a free resource, you can’t automatically sign them up to your newsletter unless you told them that upfront and gave them a choice.
Repurposing data without consent or disclosure is one of the most common compliance failures.
3. Data Minimisation
Only collect what you really need. Just because it’s easy to ask for more data doesn’t mean you should.
Example: If you’re running a basic online order form, you probably don’t need to ask for someone’s date of birth or company turnover. It adds risk and complexity with no clear benefit.
Less is often safer—and more respectful.
4. Accuracy
You must take reasonable steps to keep data up to date and correct inaccuracies when they’re found.
Example: If a customer tells you they’ve changed their address or a staff member updates their surname, your systems and processes need to reflect that.
Incorrect data can lead to reputational issues, operational errors—or in regulated sectors, serious safeguarding risks.
5. Storage Limitation
Don’t keep data longer than necessary. Have a clear retention schedule—and stick to it.
Example: If you still have CVs from job applicants five years ago who never worked with you, that’s a problem unless you have a valid reason to retain them (e.g. for legal defence). The same applies to lapsed customer accounts or old marketing lists.
Regular data reviews and automatic deletion schedules help stay on top of this.
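As an added illustration of what an automatic retention review looks like in practice (this is example code, not code from the original post or from Cyber Rebels), here is a small Python retention check. The record categories and retention periods are hypothetical assumptions for the example; a real schedule is whatever your documented retention policy says. It shows the two edge cases a script like this has to handle: a record with no defined retention period is flagged for human review rather than silently kept or deleted, and a record under legal hold is kept even after its retention period has passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: days to keep a record after its trigger date.
# The categories and periods are assumptions for this example, not legal advice;
# a real schedule is whatever your documented retention policy says.
RETENTION_DAYS = {
    "applicant_cv": 180,        # after the recruitment decision
    "customer_account": 730,    # after the last account activity
    "marketing_contact": 365,   # after the last engagement
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # the date the retention clock starts (decision, last activity...)
    legal_hold: bool = False  # e.g. needed for an ongoing claim or investigation


def review_records(records, today):
    """Return {record_id: action} for a retention review run on `today`.

    Actions:
      keep    - still within its retention period
      delete  - retention period has passed and nothing prevents deletion
      hold    - retention period has passed, but a legal hold applies
      review  - no retention period is defined for this category, so a person
                must decide rather than the script guessing either way
    """
    actions = {}
    for r in records:
        days = RETENTION_DAYS.get(r.category)
        if days is None:
            actions[r.record_id] = "review"
            continue
        expiry = r.trigger_date + timedelta(days=days)
        if today < expiry:
            actions[r.record_id] = "keep"
        elif r.legal_hold:
            actions[r.record_id] = "hold"
        else:
            actions[r.record_id] = "delete"
    return actions


# Constructed sample records for the example (not real data).
SAMPLE_RECORDS = [
    Record("CV-001", "applicant_cv", date(2019, 6, 1)),    # CV from an applicant years ago
    Record("CV-002", "applicant_cv", date(2024, 10, 1)),   # recent applicant
    Record("ACC-001", "customer_account", date(2022, 1, 1), legal_hold=True),
    Record("SRV-001", "survey_response", date(2020, 3, 1)),  # category missing from schedule
]
REVIEW_DATE = date(2025, 1, 1)


def demo():
    """Run the review over the constructed sample on the fixed review date."""
    return review_records(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for record_id, action in demo().items():
        print(f"{record_id}: {action}")
```

The "review" outcome is deliberate: a script that quietly keeps everything it doesn't recognise recreates the five-year-old CV problem, and one that quietly deletes it risks destroying records you are obliged to retain. Either way, the output of a run like this is the evidence you keep to show the retention schedule is actually being applied.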
6. Integrity and Confidentiality (Security)
You must protect personal data from unauthorised access, accidental loss, or destruction.
Example: Staff should know not to leave sensitive documents on shared drives without access control. Devices should be encrypted. Emails should not include personal data unless sent securely.
This is where data protection meets cybersecurity—and where poor awareness creates serious risk.
7. Accountability
You must be able to demonstrate that you’re complying with the principles above.
That means having clear policies, keeping records of data processing, training your staff, documenting consent, and showing how you’ve assessed and reduced risk.
If you can’t evidence it, you can’t expect the ICO to take your word for it.
The 6 Lawful Bases for Processing Personal Data
To collect or use someone’s personal data, you need a lawful basis. You must identify this before you collect the data—not after the fact.
Let’s look at each one—and when it applies.
1. Consent
You’ve asked for permission, and the person has clearly agreed to it.
Consent must be:
🔹Freely given (no pressure or conditions)
🔹Specific (not a blanket agreement)
🔹Informed (they understand what they’re consenting to)
🔹Unambiguous (no pre-ticked boxes)
🔹Easy to withdraw
Example: A visitor signs up to your email newsletter and ticks a box confirming they agree to receive marketing emails. That’s valid consent. But if you add them to the list without asking—because they downloaded a guide—that’s not.
Consent isn’t always the best or easiest basis. But when used correctly, it gives people control.
2. Contract
You need the data to deliver a contract or prepare for one.
Example: A customer gives you their address so you can deliver a product. Or a freelancer provides their bank details for payment. This doesn’t require consent because it’s necessary for the agreement.
This is often the most appropriate basis for sales, fulfilment, or hiring processes.
3. Legal Obligation
You’re required to process the data by law.
Example: Employers must retain payroll records for HMRC. Or you might need to check ID to comply with anti-money laundering (AML) regulations. Consent is irrelevant here—you’re legally required to process it.
This basis applies most often in HR, finance, and regulated sectors.
4. Vital Interests
Processing is necessary to protect someone’s life.
Example: In a medical emergency, a school shares a pupil’s health details with paramedics. Or a care worker discloses key medical info to prevent serious harm.
This basis is used rarely and only when there’s no other lawful way to act fast.
5. Public Task
You’re carrying out a task in the public interest or exercising official authority.
Example: A local authority processes resident data to issue council tax notices. Or a school collects pupil data for statutory safeguarding reporting.
This applies mainly to public sector bodies and organisations acting under a legal duty.
6. Legitimate Interests
You’re processing data for a legitimate business reason, and it doesn’t override the individual’s rights.
This is the most flexible basis—but also the most misunderstood.
Example: A business logs IP addresses to detect and prevent fraud on its website. Or it contacts existing clients about a similar service they’ve already purchased. As long as the processing is necessary for that purpose and doesn’t override the individual’s rights, it can be lawful without consent. One caveat: for email or SMS marketing, the Privacy and Electronic Communications Regulations (PECR) apply as well, so existing-customer marketing also has to meet PECR’s soft opt-in conditions.
You should carry out and record a Legitimate Interests Assessment (LIA) showing what your purpose is, why the processing is necessary for it, and how you balanced it against the individual’s interests and rights.
Choosing the Right Basis
Each processing activity must have a lawful basis identified in advance, and you must tell people what it is in your privacy notice.
You shouldn’t switch to a different basis later just because the first one became inconvenient (if someone withdraws consent, for instance, you can’t fall back on legitimate interests to carry on). And you can’t collect data “just in case” you need it. Understanding lawful bases helps you avoid unlawful processing, and gives your customers clarity and control.
Do You Need a Data Protection Officer (DPO)?
A Data Protection Officer is a specialist role that certain organisations must have. You must appoint a DPO if:
🔹You’re a public authority or body (other than a court acting in its judicial capacity)
🔹Your core activities require regular and systematic monitoring of individuals on a large scale
🔹Your core activities involve large-scale processing of special category or criminal offence data
Most small businesses won’t need a formal DPO—but you still need someone who understands your data protection obligations and is responsible for overseeing them.
Whether it’s a compliance manager, IT lead, or someone working with external support—data protection can’t be left to chance or covered with vague job descriptions.
Even if you don’t need a DPO, the ICO expects you to assign clear responsibility for data protection within your organisation.
What Is a Subject Access Request (SAR)?
Under UK GDPR, individuals have the right to access their personal data. A Subject Access Request (SAR) is when someone asks:
🔹What data you hold on them
🔹Why you’re holding it
🔹Who it’s been shared with
🔹How long you’ll keep it
🔹Where you got it from
You’re legally required to respond without undue delay and within one month of receiving the request. That can be extended by up to two further months if the request is complex or you’ve received several from the same person, but you must tell the requester about the extension within the first month. And unless the request is manifestly unfounded or excessive, you can’t charge a fee.
This is where many businesses fall short—not because they’re hiding anything, but because they don’t have a clear process in place. If your team panics when someone asks for their data, or doesn’t know where to look, that’s a problem.
SARs are increasingly used by customers, employees, and even suppliers—and mishandling one can damage your reputation just as much as a breach.
Other Rights You Need to Know
Under UK GDPR, people also have the right to:
🔹Rectify inaccurate data
🔹Erase data (the “right to be forgotten”)
🔹Restrict processing
🔹Object to how their data is used
🔹Move their data to another provider (data portability)
🔹Challenge automated decisions
Your privacy policy should explain these rights clearly. But more importantly—your staff need to understand them too.
Because rights aren’t theoretical. They’re being exercised every day. And if your team isn’t ready to respond, you’re exposed.
The Real Risks of Getting It Wrong
When it comes to data protection, the stakes are higher than many businesses realise—and they’re not just theoretical.
Let’s start with the basics: every UK organisation that processes personal data must pay a data protection fee to the Information Commissioner’s Office (ICO) and appear on its register, unless a specific exemption applies. That includes small businesses, sole traders, charities, schools, and online-only operations. Fees range from £40 to £60 per year for most SMEs. If you haven’t registered, or you’ve let your registration lapse, the ICO can issue a penalty on top of the fee you owe.
But registration is just the start. The ICO is responsible for enforcing the Data Protection Act 2018 and UK GDPR. That means investigating complaints, auditing organisations, and issuing penalties when laws are broken. While they don’t jump straight to fines, they do expect organisations to prove they’re meeting their responsibilities—and if they’re not, the consequences can be significant.
Fines can be as high as £17.5 million or 4% of annual global turnover, whichever is greater. And while the largest penalties make headlines, the ICO regularly issues smaller fines and enforcement notices to SMEs, schools, local businesses, and charities. Common reasons include:
🔹Failing to respond to subject access requests (SARs)
🔹Sending unsolicited marketing without a lawful basis
🔹Holding on to personal data without a retention policy
🔹Inadequate security leading to a data breach
🔹Not being transparent about how data is used
But the financial penalty isn’t always the worst part.
A data breach—or even a complaint—can trigger an ICO investigation, press coverage, customer churn, and internal disruption. If your staff can’t explain what data you hold, who’s responsible for it, or what your lawful basis is, that alone can raise red flags.
Reputational damage is often more expensive than the fine. Once customers or clients lose trust in how you handle their data, they may not come back. And in some industries—like healthcare, finance, legal, or education—a damaged reputation can shut doors permanently.
Even a small incident, like emailing the wrong file or storing sensitive data unprotected, can spiral fast if the organisation isn’t trained, transparent, and prepared.
That’s why compliance isn’t about red tape—it’s about resilience. It protects your team from mistakes, your business from backlash, and the people you serve from harm.
Where Cybersecurity Comes In
Cybersecurity isn’t separate from data protection—it’s built into it.
Under the UK GDPR and Data Protection Act, every organisation has a legal duty to protect personal data through both technical safeguards and organisational controls. That includes having proper access restrictions, protecting data in transit and at rest, maintaining up-to-date systems, and ensuring staff know how to respond if something goes wrong.
This isn’t a theoretical requirement. If personal data is exposed, whether through unauthorised access, theft, loss, or a compromised system, you must assess the risk to the people affected. If the breach is likely to result in a risk to their rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it. If that risk is high, you must also tell the affected individuals without undue delay. And whether or not a breach is reportable, you must record it internally, including your reasoning if you decided not to report.
In many organisations, however, there’s still a gap between the policy and the practice. Security tools might be in place, but staff often aren’t clear on what constitutes a breach, how to spot signs of malicious activity, or how to report an incident internally.
That creates a serious compliance risk. Not because people are careless, but because cybersecurity hasn’t been made real in day-to-day operations. And when staff don’t have the right knowledge, even small issues can escalate.
Data protection law doesn’t just expect you to have systems in place—it expects those systems to be supported by awareness, accountability, and documented evidence that risks are being managed effectively.
Cybersecurity awareness training is one of the most practical ways to meet that requirement.
Bringing It All Together
Understanding the UK GDPR and Data Protection Act isn’t just about ticking legal boxes. These laws exist to protect people—your customers, your staff, and the wider public. Whether you’re responding to a subject access request, reviewing a privacy notice, or securing access to sensitive data, the law expects you to do it with care, purpose, and accountability.
What’s changed in recent years isn’t the legislation—it’s the context. Expectations are higher. The public is more aware. And the line between legal compliance and operational risk is increasingly blurred.
Many organisations have written policies in place, but those policies don’t always translate into day-to-day practice. Teams are unsure how to handle real-world requests. Data is collected without a clear lawful basis. Decisions are made with good intent—but little confidence. That’s where things start to unravel.
If your staff don’t understand how these laws apply to their roles—or if you don’t have the in-house capacity to monitor compliance, manage SARs, or assess risk—it’s not a weakness. It’s a sign that you need the right support.
And with new frameworks like the DUAA layering in broader data responsibilities, the need for clarity, training, and expert guidance has never been greater.
At Cyber Rebels, we provide live, practical training that helps teams understand what the law means in plain terms—and how to apply it in the situations they face every day. We also offer a DPO as a Service option for organisations who need ongoing, expert-level guidance without hiring a full-time officer.
From awareness sessions to tailored compliance programmes, we help businesses build confidence—not just policies.
Because data protection is too important to leave to guesswork.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.