GDPR FAQ
12 May 2026
General
The GDPR (General Data Protection Regulation) is a data protection law that serves two purposes:
- It controls how organisations are permitted to use people’s personal data.
- It grants rights to people so they can understand and manage how their personal data is used.
There are two versions of this legislation: the EU GDPR, which applies to personal data processed on people in the EU, and the UK GDPR, which is the version of these requirements that applies in the UK.
The full text of the EU GDPR is available in the Official Journal of the European Union. You can also locate specific articles of the Regulation on our website.
The UK GDPR can be found on the UK Government’s National Archives.
It is a common misconception that because the UK is no longer in the EU, the GDPR does not apply. The truth is a little more complicated.
When the GDPR entered into force, all EU member states were bound by it – and at the time that included the UK. As such, the UK enacted the Data Protection Act (DPA) 2018, which brought the GDPR into domestic law alongside processing requirements for law enforcement and national security concerns.
The DPA 2018 is intended to be read alongside the GDPR, clarifying aspects of the Regulation that are left to interpretation or clarification.
As such, almost all of the EU GDPR’s requirements have been carried over to UK law. The only major difference is the scope of these requirements: they apply to organisations based in the UK (rather than the EU), regardless of where the personal data originates, and to the personal data of people in the UK, regardless of where the processing occurs.
Indeed, it is important to emphasise that both versions of the GDPR protect the personal data of people in their respective territories regardless of where the processing takes place. This means that UK-based organisations will still be subject to the EU GDPR if their services are available to people in the EU.
The DUAA (Data (Use and Access) Act 2025) was passed into law in June 2025 and makes further changes to the UK’s data protection law. It sits alongside the UK GDPR and the DPA 2018.
Penalties are split into two tiers based on the nature of the infringement.
- The lower tier carries a maximum penalty of £8.7 million (or €10 million under the EU GDPR) and applies mostly in relation to an organisation’s administrative responsibilities.
- The higher tier carries a penalty of up to £17.5 million (€20 million) or 4% of annual global turnover, and it relates to failures to uphold fundamental requirements of the GDPR, such as data subject rights and lawful processing.
Notably, organisations are not automatically subject to a fine if they suffer a data breach. They will only be penalised if the breach occurred because they didn’t meet their legal requirements.
It’s also worth noting that the maximum penalties in each category are reserved for egregious errors and those concerning many data subjects. In most cases, penalties will be much smaller – although even comparatively lenient fines are intended to be proportionate and dissuasive.
Regulators also have the power to issue enforcement actions. This can range from warnings and instructions to implement certain security measures to potential bans on data processing. Organisations might be subject to these actions instead of or in addition to a fine.
The GDPR gives data subjects significant control over the way their data is processed. They have the right to:
- Be informed about what personal data an organisation is processing and how it is being used;
- Request access to the data that has been processed on them;
- Request that inaccurate or incomplete data is rectified;
- Request the organisation erases their records;
- Instruct the organisation to restrict the processing of their personal data;
- Obtain and reuse their personal data to use for their own purposes and across different services;
- Object to certain processing activities if they believe the processing is not lawful; and
- Be given certain protections about automated decision-making and profiling.
Most organisations and sole traders in the UK that process personal data must register with the ICO (Information Commissioner’s Office) and pay an annual fee. The amount owed depends on the organisation’s type, its size and its turnover.
Organisations are exempt from this requirement if their personal data processing is limited to:
- Staff administration;
- Advertising, marketing and public relations;
- Accounts and records;
- Not-for-profit purposes;
- Personal, family or household affairs;
- Maintaining a public register;
- Judicial functions; or
- Manual processing without an automated system such as a computer.
Definitions
Personal data is any information that can be used to identify a living person – either on its own or in combination with other data. A few examples are names and addresses, customer reference numbers, employee IDs and medical information.
Sensitive personal data – known as special category data under the GDPR – is a subset of personal data that is subject to stricter requirements due to its sensitive nature. The special categories relate to information about someone’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetics;
- Biometrics;
- Health;
- Sex life; and
- Sexual orientation.
Because sensitive data poses a high risk if it’s compromised, organisations must process it only where specific conditions apply. They must also take extra precautions to keep it secure.
Data processing is the overarching term for any activity an organisation performs on personal data. This includes collecting and using it, as well as storing, organising, updating and sharing it.
Data controllers and data processors are subject to different rules under the GDPR, but they are both responsible for protecting personal data.
A data controller decides what personal data to use, the way it should be handled and how to keep it secure. Controllers might collect personal information themselves or outsource the task to a third party – i.e. a data processor.
A data processor is therefore acting on behalf of a controller. It processes personal data based on instructions it’s been given, and it does not make any decisions on how to use the data.
These are not always mutually exclusive categories; an organisation can be a processor for some activities and a controller for others.
Data breaches
An organisation is likely to have suffered a data breach if it no longer has access to personal data that it should or if an unauthorised person views that information.
This might be because the personal data is destroyed, damaged, altered, stolen, lost or accessed by an unauthorised individual.
You should therefore recognise that a data breach doesn’t necessarily mean that your systems have been hacked. Under the GDPR, you could have suffered a data breach if you accidentally delete files containing personal data, or if an employee accesses confidential files that are only intended to be viewed by senior management.
You are required to report a data breach if it poses a risk to individuals’ rights or freedoms.
Organisations are therefore expected to immediately investigate the incident to gauge the potential risk. Things to consider include how much personal data has been breached, what types of data are involved and where it has gone – e.g. was it compromised by a malicious actor, accidentally destroyed or lost?
With this information, you should then identify whether there is a possibility that affected individuals face potential negative consequences. For instance, could they be subject to fraud or could the loss of information affect their access to services?
If your initial investigation reveals there is a risk to data subjects, you should report it to your data protection authority – which in the UK is the ICO. If it extends to a high risk, you must also notify affected individuals directly.
It is the data controller’s responsibility to report a data breach, and they must do so within 72 hours of learning about the incident. If the breach was discovered by the data processor, it must notify the data controller without undue delay.
For UK-based organisations, the notification can be made to the ICO via a dedicated online form.
Where you are also required to notify individuals, you can use existing contact information or, if this is impractical, issue a public notification on your website.
Documentation
GDPR compliance does involve a lot of documentation, and there are two main reasons for this: documentation ensures that you have repeatable processes to meet your requirements, and it proves to individuals and regulators that you are taking the right precautions.
That said, the number of documents you need will depend on the size of your organisation and its data processing practices. There are several non-negotiables – such as a privacy notice and a data protection policy – but smaller organisations and those that do not process sensitive information are exempt from some of the more intensive documentation requirements.
A GDPR privacy notice explains to individuals how an organisation collects and uses their personal data. The requirements for producing a privacy notice are outlined in Articles 13 and 14 of the GDPR, and thanks to these clear requirements it’s possible to create a privacy notice using a template.
A data protection policy outlines your organisation’s commitment to its GDPR compliance practices and its overall data protection objectives.
It should be easy to understand and appropriate to your organisation’s size, culture and activities. Crucially, the document doesn’t need to specify how you will comply with your legal requirements – this should be outlined in your processes and procedures.
As a high-level document, many organisations will benefit from customising a template policy.
Because data subjects can submit a DSAR (data subject access request) without completing a formal process (they can, for instance, simply say to an employee that they would like a copy of any data the organisation stores on them), the DSAR response procedure must be flexible and aligned to your organisation’s specific operations.
You need to consider how you might receive a DSAR, determine who within your organisation can suitably verify and fulfil the request, and identify the most efficient way to gather the necessary information.
The GDPR expects organisations to notify authorities and, where relevant, individuals of a data breach without undue delay, so it makes sense to have a procedure in place and ready to be deployed.
In practice, this would probably involve a template that prompts you to list the necessary details about the incident. The types of information you must document are outlined in Articles 33 and 34 of the GDPR.
Data processing
The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This is, in effect, the GDPR’s security principle.
As you can see, it doesn’t specify any particular measures that you must implement, although Article 32 does state that organisations must have appropriate technical and organisational measures. This could include pseudonymising and encrypting personal data, as well as regularly backing up data to minimise disruption if a security incident occurs.
Risk assessments are an essential part of GDPR compliance, in part because the Regulation doesn’t prescribe specific security measures that you must implement. It instead says that your defences should be “appropriate” – and the only way to know what is appropriate is to assess your working practices.
By performing a risk assessment, you’ll understand the ways data breaches and other privacy issues might occur, how likely these scenarios are and the damage they might cause. With this information, you can be sure that you’re implementing security controls that are best suited to your needs and that you are not doing any unnecessary work.
The GDPR’s data processing principles state that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (this does not apply to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes);
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Stored for only as long as is necessary to meet the purposes for which it was processed; and
- Subject to appropriate technical and organisational measures to prevent unauthorised or unlawful processing, accidental loss, destruction and damage.
The GDPR also has an accountability principle that requires organisations to take responsibility for what they do with personal data and to demonstrate how they are meeting their legal requirements.
Consent is only one of six lawful bases that organisations can use to process personal data – and because the rules for obtaining and maintaining consent are so strict, it’s usually the least preferable option.
For instance, consent must be given using a clear, affirmative action (organisations can’t rely on pre-ticked boxes or an opt-out choice), and it is valid only for the purpose specified in the request. If an organisation wants to use someone’s personal data for a new purpose, it needs to establish a lawful basis for that purpose again.
As such, where an organisation can justify an alternative method, it should use one of those instead. The other lawful bases cover processing that is necessary for:
- The performance of a contract to which the data subject is party, or taking steps at the request of the data subject before entering into a contract;
- Compliance with a legal obligation to which the controller is subject;
- Protecting the vital interests of the data subject or of another natural person;
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Pursuing the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.
Data protection officers
A DPO (data protection officer) is a data protection expert appointed by an organisation to help it monitor and comply with its GDPR requirements. They provide guidance on data protection documentation, act as a point of contact between the organisation and data protection authorities, and offer advice on various processes, such as DSAR responses and data breach monitoring.
The GDPR states that a DPO must have expert knowledge of data protection law and practices, but they do not necessarily need any specific qualifications. That knowledge can be gained from practical experience in data protection tasks or through training and qualifications.
Organisations must appoint a DPO if:
- They are a public authority or body;
- Their core activities require regular and systematic monitoring of data subjects on a large scale; or
- Their core activities involve large-scale processing of special category data or data relating to criminal convictions or offences.
However, many organisations choose to appoint a DPO – or someone to fulfil a similar role – even if they aren’t legally required to. It can be useful to have a dedicated expert on board with whom you can consult on data processing and other compliance questions.
Importantly, the role has the same legal status whether the appointment is voluntary or mandatory.
Yes. The GDPR provides a great deal of flexibility in how the DPO role is filled, which is useful as it can be difficult to find suitably qualified and independent experts.
You can outsource the role to an external provider, who will perform the DPO role across multiple organisations, or you can appoint an internal candidate to perform the tasks alongside their existing role, provided it doesn’t present a conflict of interest.