By Ellen Temperton
Updating author: Nicky Stibbs | Brightmine editor: Laura Merrylees
The EU General Data Protection Regulation (2016/679 EU) (EU GDPR) is an EU Regulation and applies to all EU member states.
Following Brexit, most of the EU GDPR was retained in UK law by the European Union (Withdrawal) Act 2018 and is known as the “UK GDPR”.
The Data Protection Act 2018 supplements the UK GDPR and has been amended by the Data (Use and Access) Act 2025.
The Information Commissioner’s Office (ICO) is the supervisory authority for UK GDPR compliance and publishes relevant guidance (see UK GDPR Guidance and resources). When determining whether an organisation has complied with its duties under the UK GDPR when sharing personal data, the ICO will take into account its Data sharing statutory code of practice.
The ICO’s Accountability Framework sets out its expectations and ways for organisations to meet those expectations. It also includes tools to help employers comply with their obligations.
This guide is designed to help employers understand their core obligations under UK data protection law and apply them in an employment context.
In this guide, learn about:
- Scope of the UK GDPR
  - Territorial scope
  - Material scope
- Definitions
- Principles for processing personal data
  - Lawfulness, fairness and transparency
  - Purpose limitation
  - Data minimisation
  - Accuracy
  - Storage limitation
  - Integrity and confidentiality
  - Accountability
- Legal grounds for processing personal data
  - Consent
  - Performance of a contract
  - Compliance with a legal obligation
  - Protecting a data subject’s vital interests
  - Performance of a task carried out in the public interest
  - Legitimate interests
- Special categories of personal data
  - Conditions for processing special categories of personal data
  - Health information
  - Equal opportunities monitoring
  - Racial and ethnic diversity at senior level
  - Right to work documents
  - Trade union membership
  - Prevention of crime/protection against dishonesty
  - Information about criminal offences
  - Policy document requirement
- Data protection by design and default
- Data controllers
  - Joint data controllers
  - Representatives of data controllers not established in the UK
  - Data controller obligations with respect to data processors
- Privacy notices
  - General approach
  - Timing
  - Contents of the privacy notice
- Records of processing activities
- Security of processing
- Handling personal data breaches
  - What is a data breach?
  - Notifying a personal data breach to the ICO
  - Communicating a personal data breach to the data subject
- Data privacy impact assessments
  - What does a data privacy impact assessment involve?
  - Consultation with the ICO prior to processing
  - Voluntary data privacy impact assessments
- Data protection officer
  - Data protection officer’s position
  - Data protection officer’s tasks
  - Employment protection
  - No obligation to appoint a data protection officer
- Transferring personal data outside the UK
  - General principles for transfers
  - Transfers on the basis of adequacy regulations
  - Transfers subject to appropriate safeguards
  - Transfers under derogations
- Transferring personal data into the UK
- Data subject rights
  - Right to make a data subject access request
  - Right to rectification
  - Right to be forgotten (“erasure”)
  - Right to restriction of processing
  - Right to data portability
  - Right to object to the processing of personal data
  - Automated decision-making and profiling
- Data subject rights – common conditions
  - Response to data subject rights request
  - Time limit for response to data subject requests
  - Confirming identity of data subject
  - “Manifestly unfounded or excessive” requests
  - Refusing data subject right requests
  - Fees
  - Notification of right to complain
  - Notifying recipients of changes to data that has been rectified, erased or restricted
- Data subject rights – exemptions
- References
  - Access to references
  - References and retention of personal data
- Enforced subject access to medical records
- Enforced subject access to records of convictions and offences
- Enforcement
  - Supervisory authority (ICO)
  - ICO fines
  - Offences
  - Fines for criminal convictions
  - Complaints
  - Compensation and liability
  - Representation of data subjects
- Future developments
About the author

Ellen Temperton
Ellen is joint head of Lewis Silkin’s data and privacy practice and has many years’ experience working with clients on all aspects of workplace privacy, which includes advising them on reporting and other ramifications of data breach. This involves responding to and liaising with the ICO, representing clients in defending claims for breach of the “old” DPA, and advising clients on the remedies available to them when confidential information and personal data is lost or stolen. As an employment lawyer with many years’ experience she is also a practised litigator of workplace disputes more generally.
Her work also covers advising on transfers of workers’ data outside the EEA and data sharing with processors; background checks and vetting; data sharing issues with service and benefits providers; monitoring of workers’ communications and investigations; BYOD; data protection policies in a variety of workplace contexts; advising on the issues and risks around retention of employee data; and on compliant but strategic responses to DSARs. More recently, she has been supporting various multinational companies with their preparation for, and compliance with, the GDPR.
About the author

Nicky Stibbs
Nicky Stibbs has many years’ experience in employment law having worked in the field since 2002. Her experience includes eight years as an associate at Bevan Brittan LLP. She also worked for several years as a senior employment lawyer at a unitary local authority. She has a broad range of experience in defending employers in the employment tribunal, advising employer appeal panels and on day-to-day employee relations, as well as TUPE and organisational change.
Nicky is a freelance writer of employment law articles for law firms. She works for Bevan Brittan LLP as a consultant solicitor and is an associate at Collingridge Employment Law, where she advises SMEs and individuals.
About the author

Laura Merrylees
Having qualified as a solicitor in private practice, Senior Legal Editor Laura Merrylees spent fourteen years working in-house for a large telecommunications organisation, specialising in employment law. Laura advised on a broad range of employment law matters, both contentious and advisory. During her time in practice, Laura worked closely with HR professionals and senior management and delivered training to HR teams.