Data Protection Act 2018 (GDPR) - Which? (2023)

The Data Protection Act 2018 brought the EU's General Data Protection Regulation (GDPR) into UK law. It governs your personal data rights, including the way companies handle your data and the compensation you can claim for misuse of your data.


Which? Editorial team


In this article

  • What is GDPR and how does it affect you?
  • Collecting your personal data
  • Find your data - subject access requests
  • When your consent is needed for marketing
  • Data protection: jargon buster
  • Six legitimate reasons to process your data
  • Companies must make it clear to you how your data will be used
  • You can ask for your data to be erased

What is GDPR and how does it affect you?

The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules that have been brought into UK law as the Data Protection Act 2018.


Here, we explain some of the most important rights you have to control your data, how these data protection rights could affect you and how you can use them.

Key Information

Will my data rights change when the UK leaves the EU?

The Data Protection Act 2018 remains in place to protect your personal data. All the rules still apply, but once the transition period comes to an end the UK government will be free to change those rules.

Read our Brexit guide for more information on how the UK leaving the EU could impact protection of your personal data.

Collecting your personal data

When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect and process information about you.

This might include your name, address, and telephone number. This type of data, which is capable of identifying a living individual, is called 'personal data'.

Organisations may even ask for data like your date of birth, the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.

Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.

GDPR adds a new range of personal identifiers, reflecting changes in technology and the way companies gather data today.

Online identifiers, such as your IP address, are now included within the definition of personal data.

Read our guide on what counts as personal data if you'd like to know more.

Find your data - subject access requests

The right to make a subject access request existed under the former Data Protection Act 1998.

A subject access request allows you to act on your right to obtain access to your personal data being processed by a company.

Previously you had to pay a small fee to make one, but under the Data Protection Act 2018, it now has to be free of charge in most circumstances.

You might make a subject access request if you think that a company is not processing your data lawfully, to check what information it holds about you and make sure it is accurate and up to date, or to ask for job interview notes.


Companies have to provide you with the information without delay and at the latest within one month of receiving your request.

This is shorter than the previous 40-day timeframe. However, companies are allowed to extend the period by a further two months if the request is complex or if you have made numerous requests.

If this is the case, the company must inform you within a month from the date you made the request and explain why the extension is necessary.

A word of warning: if your request is unfounded or excessive, the controller of the data may charge a fee or refuse to act on the request. If you think the charge is unfair or your request is refused, you can complain to the ICO.

When your consent is needed for marketing

Under GDPR it is usually up to you to make a positive choice to agree to further direct marketing communications by email, such as ticking a box or agreeing over the phone.


Are there any exceptions?

The exception is where you have bought something, given the organisation your details, and did not opt out of marketing messages.

This also applies if you negotiated to buy something, for example by asking for a quote or for more clarity on what it offers, and did not opt out of marketing messages.

In these circumstances, the assumption is that you are probably happy to receive marketing about similar products or services even if you haven’t specifically consented, and the Privacy and Electronic Communications Regulations (PECR) allow organisations to contact you by email for marketing purposes.

Withdrawing your consent should be as easy as giving it. Companies should make it easy for you to do so, for example by providing an unsubscribe link at the bottom of their marketing emails.

If you want companies to stop using your data, make a request to stop processing your data for the purposes of direct marketing.

Data protection: jargon buster

  • Processing is essentially anything that is done to or with personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
  • A data subject is an identified or identifiable person.
  • A controller determines the purposes and means of the processing of personal data.
  • A processor processes data on behalf of a controller.

Six legitimate reasons to process your data

At least one of the following lawful bases set out in Article 6 of GDPR must apply whenever an organisation processes your personal data:

  • Consent: you have given the organisation consent to process your personal data for one or more specific purposes.
  • Contract: the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.
  • Legal obligation: the processing is necessary to comply with a legal obligation which the organisation is subject to.
  • Vital interests: the processing is necessary to protect someone’s vital interests or those of another person.
  • Public task: the processing is necessary to perform a task in the public interest or an official function with a clear basis in law.
  • Legitimate interests: the processing is necessary for the purposes of pursuing the organisation’s legitimate interests or those of a third party, except where those interests are overridden by the interests or rights of the data subject which require protection.

The Information Commissioner’s Office (ICO) breaks the legitimate interests basis down into a three-part test:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

Companies must make it clear to you how your data will be used

Companies should make it clear what they will do with your data, using plain language that’s easy to understand.

The purpose of collecting your personal data (for example, for marketing) must also be made clear to you at the point your data is collected.


You can ask for your data to be erased

GDPR gives you the right to have your personal data erased. The right to erasure is also known as ‘the right to be forgotten’.

You can make a request for erasure verbally or in writing and the company has one month to respond to a request.

Some reasons you might ask a company to erase your personal data are:

  • you no longer need the service (so they should no longer need to hold your data)
  • you're objecting to the company using your data for direct marketing
  • the company is processing your data without your consent

There are some exemptions where the company or organisation can refuse your request.

These include:

  • the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing
  • for the establishment, exercise or defence of legal claims

You can ask for inaccurate information to be corrected

GDPR includes a right that allows you to request inaccurate or incomplete personal data is rectified or made complete.

You can make a request for rectification verbally or in writing and the company has one month to respond to your request.

A company can refuse to comply with your request for rectification if it thinks the request is unfounded or excessive.

You can ask for data in a format that will help you

If you have provided your personal data to a controller and it is being processed by automated means either on the basis of consent or for the performance of a contract, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.

In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.

This may also enable you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.

You can object to profiling and the use of your data for direct marketing

You now have the right to object to activity from online retailers and companies, including profiling used for direct marketing purposes.

Companies must inform you of your right to object at the point of first communication or in their privacy notice.

In the case of an objection to processing for direct marketing purposes, they must stop processing your personal data for that purpose.

Appeal automated decisions

GDPR gives you the right in certain circumstances not to be subject to decisions which are based solely on automated processing, and which have a legal or other significant effect on you. Some decisions (such as online credit or e-recruiting) may also be subject to additional controls.

If you object, you can ask for a human to review the automated decision that has been made, but it doesn't necessarily mean the result will be any different.

Read our guide for more information on how automated decision making and profiling work, including what you can do to stop it.


Serious data breaches

If there is a serious breach of your data, you have to be told without undue delay. The GDPR introduced a duty on organisations to report certain types of serious personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of the organisation becoming aware of it, where feasible.

If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of its data protection officer or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Where a company hasn’t informed affected individuals, the ICO has the power to compel them to do so if it considers there is a high risk to individuals’ rights and freedoms.

If you become aware that an organisation has lost your personal data, read our guide for steps you can take to protect yourself and, in some cases, claim compensation following a data breach.

Huge fines for companies if they break the rules

In the most severe cases where companies have breached the new rules, the ICO can issue fines of up to €20m or 4% of annual global revenue, whichever is higher.

In April 2019 the ICO fined pregnancy and parenting advice service Bounty UK Ltd £400,000 for sharing the personal data of over 14 million individuals with a number of organisations, including credit reference and marketing agencies, without informing the individuals that it would do this.

Multiple routes to claim compensation

You can in certain circumstances make a claim for compensation for both material and non-material damage including, but not limited to, distress and reputational damage, if your data has been misused or if there has been an infringement of the GDPR.

The GDPR broadened who you can make a claim against. You can claim against the data processor, as well as the data controller.

For example, previously you wouldn’t have been able to claim against a misuse of your personal data by a call centre acting as a processor. Instead you would have had to find out who the controller was that the data processor was handling the data for and make a claim against them. But now you can make a claim against either or both entities.

Compensation can be claimed for damage suffered as a result of a breach, including financial losses and also any distress caused. While you can take both a controller and a processor to court, you can only win once and so won’t be able to recover in full against both entities.

Related articles

  • Can I stop companies from using my data?
  • My personal data has been lost after a breach, what are my rights?
  • What counts as personal data?
  • Can I stop a company making automated decisions about me?


