The Data Protection Act 1998 aimed to balance the entitlement of organisations to collect, store and manage various types of personal data, with the privacy rights of the individual about whom the data was held.

The Act covered both manual and computerised records that, when put together with other information, could divulge personal information about an individual. It gave individuals certain rights, and required decision-makers to be open about processing and to comply with the eight data protection principles.

On 25 May 2018, the Data Protection Act was replaced by the General Data Protection Regulation (UK GDPR). There are no exemptions based on size or sector: all organisations must comply with its requirements in full or face a hefty potential fine. On the whole, the rights individuals enjoy under the UK GDPR are the same as before but with some significant enhancements.

This topic provides information on handling and processing personal data, employees’ rights of access, dealing with data loss and the penalties employers may face for breaches of the UK GDPR.

In the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), the UK Government confirmed that, following the decision to leave the EU, the “UK GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation), as amended by SI 2019/214.
