At a glance
- Data protection is about ensuring people can trust you to use their data fairly and responsibly.
- If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply.
- The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
- The ICO regulates data protection in the UK. We offer advice and guidance, promote good practice, carry out audits and advisory visits, consider complaints, monitor compliance and take enforcement action where appropriate.
- What is data protection?
- Does it apply to me?
- Why don't you tell me exactly what to do?
- What is 'personal data'?
- What is 'processing'?
- What is a 'controller'?
- What is a 'processor'?
- What is a 'data subject'?
- What is the ICO's role?
What is data protection?
Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
It’s also about removing unnecessary barriers to trade and co-operation. It exists in part because of international treaties for common standards that enable the free flow of data across borders. The UK has been actively involved in developing these standards.
Data protection is essential to innovation. Good practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors.
The UK data protection regime is set out in the DPA 2018 and the GDPR (which also forms part of UK law).
Does it apply to me?
Yes, if you have information about people for any business or other non-household purpose. The law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.
You will not need to comply if you only use the information for your own personal, family or household purposes – eg personal social media activity, private letters and emails, or use of your own household gadgets.
Why don't you tell me exactly what to do?
Every organisation is different and there is no one-size-fits-all answer. Data protection law doesn’t set many absolute rules. Instead it takes a risk-based approach, based on some key principles. This means it’s flexible and can be applied to a huge range of organisations and situations, and it doesn’t act as a barrier to doing new things in new ways.
However, this flexibility does mean that you need to think about – and take responsibility for – the specific ways you use personal data. Whether and how you comply depends on exactly why and how you use the data – and there is often more than one way to comply.
This guide includes examples, checklists and other tools to help you ask the right questions, and understand your options. However, you know your organisation best, so it’s up to you to decide on – and be able to justify – your answers. This is a key principle of data protection law, known as the accountability principle.
What is 'personal data'?
In short, personal data means information about a particular living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.
It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
It doesn’t cover truly anonymous information – but if you could still identify someone from the details, or by combining them with other information, it will still count as personal data.
It only includes paper records if you plan to put them on a computer (or other digital device) or file them in an organised way. If you are a public authority, all paper records are technically included – but you will be exempt from most of the usual data protection rules for unfiled papers and notes.
Further reading – Guide to the GDPR
We have more guidance on what is personal data in the Guide to the GDPR key definitions section.
What is 'processing'?
Almost anything you do with data counts as processing, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.
What is a 'controller'?
A controller is the person that decides how and why to collect and use the data. This will usually be an organisation, but can be an individual (eg a sole trader). If you are an employee acting on behalf of your employer, the employer would be the controller. The controller must make sure that the processing of that data complies with data protection law.
In this guide, we generally use the term ‘organisation’ or ‘you’ to mean the controller.
What is a 'processor'?
A processor is a separate person or organisation (not an employee) who processes data on behalf of the controller and in accordance with their instructions. Processors have some direct legal obligations, but these are more limited than the controller’s obligations.
Further reading – Guide to the GDPR
We have more guidance on controllers and processors in our Guide to the GDPR key definitions section.
What is a 'data subject'?
This is the technical term for the individual whom particular personal data is about. In this guide we generally use the term ‘individuals’ instead.
What is the ICO's role?
The ICO is the supervisory authority for data protection in the UK. We offer advice and guidance, promote good practice, monitor breach reports, conduct audits and advisory visits, consider complaints, monitor compliance and take enforcement action where appropriate.
We also cooperate with data protection authorities in other countries. We are currently a member of the European Data Protection Board (EDPB), which includes representatives from data protection authorities in each EU member state, and we contribute to EDPB guidelines and other joint activities.