
Data Protection

All businesses handle personal data as part of their day-to-day operations (such as employee, customer or supplier information, records and details). All businesses are required to comply with the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR), which has applied since 25 May 2018.

Data Protection Act 2018

The DPA determines some details of how GDPR is applied in the UK, and establishes data protection rules for specific types of data processing that are not covered by GDPR. 
For example:

  • The police and other criminal law enforcement authorities
  • Immigration authorities
  • Government intelligence services

The DPA grants powers to the Information Commissioner's Office (ICO) so that it can regulate data processing in the UK in accordance with GDPR, and also regulate compliance with the Freedom of Information Act 2000.

General Data Protection Regulation (GDPR)

GDPR sets out the fundamental data protection principles, prohibits businesses from processing personal data without a lawful basis for doing so, and requires that data is processed fairly and securely. 

Any information relating to an identified or identifiable person is categorised as personal data. Even if this information does not contain the names of individuals, it is still personal data if it is possible to work out the identity of the individual the information relates to, whether from the information alone or in combination with other data the business holds or can reasonably obtain. 

Examples of personal data include: 

  • Date of birth
  • Postal address
  • IP address
  • Cookie identifiers and similar device identifiers
  • Any pseudonymised identifier, such as a username or account code, that can still be linked back to an individual (fully anonymised data, which cannot be linked back to anyone, is not personal data)

When the regulation refers to 'processing' data, it means any operation carried out on the data, such as collecting, recording, organising, storing, altering, accessing, using, sharing or destroying it.


Under GDPR, businesses can only process personal data if they can rely on at least one of the six lawful bases for doing so:

  1. Consent - where an individual has given freely given, specific, informed and unambiguous consent for a business to process their data for a specific purpose. Consent must be as easy to withdraw as it was to give. 

  2. Contract - when a business has a contract with an individual where processing personal data is necessary for the performance of the contract. This also includes pre-contract services, such as providing quotations.

  3. Legal Obligation - when a business is required to process personal data for statutory purposes; such as taxation, right to work checks and criminal record checks.

  4. Legitimate Interests - this is the broadest lawful basis of the six and covers a wide range of activity, from fraud prevention and IT security to certain types of marketing activity. However, legitimate interests as a lawful basis does not cover any marketing activities that require consent under the Privacy and Electronic Communications Regulations 2003. The legitimate interests lawful basis legally requires businesses to balance their interests against the individual's rights and the impact upon their privacy, and to be able to show that balancing assessment if the ICO asks for it.

  5. Vital Interests - when processing data is necessary to protect someone's life. For example, sharing medical records with hospital staff during a medical emergency.

  6. Public Task - when a business is exercising official authority or carrying out a specific activity in the public interest that is laid down by law. Normally this basis only applies to public authorities.

For further information on lawful bases for processing data, please see https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/

Privacy and Electronic Communications Regulations 2003

The Privacy and Electronic Communications Regulations (PECR) apply to any business that wishes to send electronic marketing messages (phone, fax, email, text) or use cookies or similar technology. 
The PECR framework also requires providers of communication services to:

  • keep their communication services secure
  • protect customer privacy in relation to traffic and location data, itemised billing, line identification, directory listings and similar matters

The only exemptions to PECR are for national security, law enforcement and compliance with other laws. 

For further guidance on PECR, please visit the ICO PECR Guide.