
Navigating the Digital Frontier: Understanding Data Privacy Compliance under GDPR and the Data Protection Act 2018

Data protection

What is data privacy?

In an era where digital data has become the lifeblood of business and personal interactions, ensuring robust data privacy practices is imperative. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 serve as cornerstones in establishing comprehensive frameworks for safeguarding personal information. These regulatory measures set forth stringent guidelines dictating how organisations collect, process, and protect individuals’ data. Compliance with GDPR and the Data Protection Act 2018 not only reflects a commitment to legal obligations but also fosters a culture of transparency and trust. As organisations navigate the complexities of data privacy, understanding the nuances of these regulations becomes paramount in securing sensitive information, mitigating risks, and building resilient data protection strategies.

What does the language mean?

The definitions, shown below, explain what the main terms mean. In short, a controller says how and why personal data is processed. The controller must have in place contracts with processors which comply with the legislation. The processor acts on the controller’s behalf, but the legislation places specific legal obligations on the processor.

  • Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Data subject means the identified or identifiable living individual to whom personal data relates;
  • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Processing means an operation or set of operations which is performed on information, or on sets of information, such as collection, recording, organisation, structuring or storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or restriction, erasure or destruction.

Under the Data Protection Act 2018, an individual’s rights cover the following:

  • The right to be informed;
  • The right of access;
  • The right of rectification;
  • The right of erasure (i.e. the right to be forgotten)*;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object; and
  • Rights in relation to automated decision making and profiling.

*This right poses a potential headache for businesses, particularly if an employee or customer specifically asks for their data to be removed. Most firms would retain such information for around six years, which is the limitation period for contract claims. However, the law does not permit the retention of data (if such an erasure request has been made) unless legal action is likely, contemplated or ongoing.

What does this mean for your business?

Businesses will need to review their data protection policies (which apply not only in respect of employees but for customers as well) and ensure compliance with the GDPR and Data Protection Act 2018.

Presently, in the UK, the GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater, for infringements. However, not all infringements lead to data protection fines. The ICO (Information Commissioner’s Office) can take a range of other actions, including:

  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

Swan Craig Solicitors are a locally trusted and thoroughly regulated law firm, housing qualified solicitors and experienced legal professionals well-versed in UK employment law. With the knowledge, training and expertise to advise you on issues with your employer or working environment, we are authorised and insured to give you legal guidance. With over 18 years of experience, our dedicated team are available at your convenience, so simply contact us today on everything from disciplinaries to changes in contract.

Our blogs and articles are prepared for general interest and it is important to obtain professional advice on specific issues. Swan Craig believe the information contained in these blogs and articles to be correct at the time of publication. While all possible care is taken in the preparation of these blogs and articles, no responsibility or liability for loss occasioned by any person acting or refraining from acting as a result of the material contained herein can be accepted by Swan Craig, the author, or the publisher.
