Data Protection Rules You Must Follow

If your business handles personal information (such as employee records or customer details), you must follow rules set out in the General Data Protection Regulation (GDPR). These rules prevent you from processing personal data without a lawful basis and give people control over how their personal data is collected, stored and used.

In this guide, we will introduce the GDPR and explain what you must do to comply with it.

What is personal data?

‘Personal data’ means any information relating to an identified or ‘identifiable’ person. Even if the information you hold does not include the individual’s name, it is still personal data if it is possible to use the information to work out who they are.

Examples of the types of information that might make it possible for you to identify an individual include:

  • Date of birth.
  • Postal address.
  • IP address.
  • A computer cookie.
  • Any supposedly ‘anonymised’ identifier that can be traced back to an individual, such as an account code or an online username. Strictly, data of this kind is pseudonymised rather than anonymised, and it remains personal data for as long as the link back to the person can be made.

‘Processing’ personal data means carrying out tasks such as collecting, recording, organising, storing, altering, accessing, using, sharing or destroying it.

Principles of the GDPR

Under the GDPR, you must comply with the following data protection principles if you process personal data.

  • Processing personal data lawfully, fairly and transparently. You must make sure that the people whose data you process have easy access to information about the processing you carry out and your purposes for doing so.
  • Limiting the processing of personal data to the purposes that you have stated.
  • Ensuring that personal data is adequate, relevant and limited to what you need for the purposes for which you process it.
  • Keeping personal data accurate and up to date.
  • Keeping personal data only for as long as is necessary for the purposes for which you collected it.
  • Keeping personal data secure.

The GDPR makes you accountable for what you do with personal data. You must be able to show that you process it in accordance with the principles listed above.


Lawful bases for processing personal data

Under the GDPR, you can only process personal data if you have one or more of six ‘lawful bases’ for doing so.

Let’s look at each of these lawful bases in turn:

  • Consent: If someone has freely agreed, by a clear and unambiguous action, to your request to process their personal data for a specific purpose, you have a lawful basis to process the data for that purpose (and only for that purpose).
  • Contract: If you have a contract with someone (including unwritten verbal contracts), you have a lawful basis to process their personal data to the extent that is necessary for you to carry out the contract.
  • Legal obligation: This applies to processing that you are legally required to carry out. For example, keeping employee records for statutory purposes such as taxation, right to work checks and, where the law requires them, criminal record checks.
  • Legitimate interests: If your business has a ‘legitimate interest’ that makes the processing of someone’s personal data necessary, there may be a lawful basis for processing it. This is the most flexible lawful basis and can cover a wide range of processing, for example fraud prevention, IT security and certain types of marketing. It is not unconditional: you must weigh your interest against the individual’s interests, rights and freedoms, and you cannot rely on it where their interests override yours. Record this balancing assessment so that you can show how you reached your decision.
  • Vital interests: This applies where the processing is necessary to protect someone’s life, for example, sharing information from someone’s medical records with hospital staff during a medical emergency.
  • Public task: This usually applies only to public authorities, but it can also apply to other organisations if they are exercising official authority or carrying out a specific task in the public interest that is laid down by law.
Because consent is only one of six lawful bases for processing personal data, it is not always required. You are more likely to need it if you are processing ‘special category’ data, such as information about someone’s religious beliefs, ethnicity, sexual orientation or health: processing this kind of data requires an additional condition on top of a lawful basis, and explicit consent is one of those conditions. The Information Commissioner’s Office (ICO) provides guidance about when organisations should seek consent.

Where consent is required, you must follow strict rules designed to make sure that people have genuine choice and control over the types of processing that they agree to.

When someone gives consent, this must involve a positive action (an ‘opt-in’). The GDPR prohibits pre-ticked opt-in boxes, and consent cannot be inferred from silence or inactivity. When seeking consent, you must provide clear information about the data processing that you intend to carry out. If you process data for more than one purpose, you must explain and obtain consent for each purpose separately. It must be as easy to withdraw consent as it was to give it, and you must keep a record of what each person consented to, when, and how, so that you can demonstrate that valid consent was obtained.


Individuals’ rights

The GDPR gives individuals several rights in relation to their personal data, including:

  • The right to be informed about data relating to them and to access that data.
  • The right to have inaccurate or incomplete data corrected.
  • The right to have data erased in certain circumstances.
  • The right to withdraw consent for their data to be processed.

Complying with the GDPR

The GDPR does not set out a list of specific data protection measures that must always be put in place. Instead, it requires your business to take technical and organisational measures that are appropriate to the risk, taking into account the nature of the data and the harm that could result from its loss or misuse. For example, if you process large amounts of special category data, you will need a more extensive data protection framework than an organisation that processes little personal data.

Here are some examples of data protection measures that you can take to make sure you can demonstrate your compliance with the GDPR if requested to do so by the ICO:

  • Creating a written data protection policy.
  • Displaying a privacy notice on your website.
  • Regularly reviewing and updating data security measures (such as protection against cyberattacks and malicious software).
  • Appointing a data protection officer. This is a legal requirement for public authorities and for organisations whose core activities involve large-scale or systematic monitoring of individuals, or large-scale processing of special category data.
  • Carrying out a data protection impact assessment before beginning any new data processing activity, to identify and reduce data protection risks. This is a legal requirement for processing that is likely to result in a high risk to individuals, but it is good practice for all data processing activities.
  • Documenting all data processing activities, reviews and decisions.

For more information about the data protection measures that organisations should consider taking to comply with the GDPR, go to

Personal data security breaches

You must record all personal data breaches, including those you decide not to report, along with the facts, their effects and the action you took. You must report a breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. For more information, and to report a breach, go to

DISCLAIMER While all reasonable efforts have been made, the publisher makes no warranties that this information is accurate and up-to-date and will not be responsible for any errors or omissions in the information nor any consequences of any errors or omissions. Professional advice should be sought where appropriate.