The Data Protection Act 2018 enshrines in law new General Data Protection Regulations (GDPR), giving protection to EU residents on how companies and sole traders manage the collection, process and use of their personal and sensitive data.  

The regulations apply whether you are a sole trader, small business or conglomerate if you process personal data in an automated form, including CCTV.  In the UK, you must register and pay a yearly fee to the Information Commissioners Office (ICO). 

What is personal data?

Personal data can identify a living person, with some degree of accuracy, and includes details such as name, address, email address, IP address, advertising identifiers on your phone, location data and identification card numbers. A special category exists for sensitive data, which if breached could be particularly damaging; information such as racial/ethnic origin, trade union membership, and genetic or biometric data.  If as a business you hold such data, you are required to comply with extra steps to protect it.

Who needs to know about it?

Organisations employing fewer than 250 people are exempt from some regulations, only needing to document processing activities that are more than a one-off occurrence, something you do rarely, or are likely to result in a risk to the freedoms and rights of data subjects, and involve special categories of personal data, or criminal conviction and offence data.

What you need to know

There are six lawful bases for processing personal data, with consent being one. However, complexities of obtaining and maintaining consent make it wise to only use this when none of the other bases apply. To rely on consent, the data subject needs to provide clear permission, no hidden agreements or pre-ticked boxes. You must ensure that you have clear affirmative opt-in action, signed consent statements or dashboard choices.

You are still able to market your business directly to anyone, providing your data processing meets certain requirements and information obtained using a lawful base. Your data use must have minimal impact on their privacy and you must be reasonably sure the subject would not object, you must stop if they do

GDPR gives individuals the right to review their personal data that you process. If you receive a data subject access request (DSAR) from an individual, you have one month to respond.

What if there’s a breach?

You must notify the ICO within 72 hours of you becoming aware of any breach that results in unlawful or accidental destruction, alteration, loss or disclosure of personal data.  This includes cyber attacks, manual processing errors, disclosing information to the wrong person, password breaches or losing laptops or files containing information. You must report all instances that can lead to a potential breach.


You must have a full GDPR policy in place.  You will need to identify and document the type of data you hold, how you use the data, and where it is shared.  Identify the potential risks for breaches and determine ways that you will control these risks.  Ensure that you collect any relevant data subject permissions, and have the legal bases covered for your processing.  You will need to ensure that all members of your organisation are trained and competent in the GDPR requirements and that procedures are in place to protect critical equipment holding such data.

You should continually review and audit your processing activities and security controls, as well as permissions received to ensure that you continue to comply and keep up to date with the regulations and make changes as necessary.