
Data Protection & Privacy FAQs: Frequently Asked Questions

October 20, 2025

What is the UK Data Protection Regime?

The UK’s data protection regime consists of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

The UK GDPR is the retained EU law version of the General Data Protection Regulation (GDPR), which became directly applicable to all EU member states from 25 May 2018. Following Brexit, it was amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (DP Brexit Regulations) to integrate the EU GDPR into UK law.

The DPA, enacted alongside the GDPR, aimed to ensure the UK’s data protection regime remained aligned with the EU's post-Brexit. It too was amended by the DP Brexit Regulations. Together, the UK GDPR and DPA 2018 form the core of the UK’s data protection framework.

PECR is domestic law which continues to apply post-Brexit. It sits alongside the UK GDPR and DPA, providing individuals with specific privacy rights in relation to electronic communications, and includes specific rules on:

  1. marketing calls, emails, and texts;
  2. cookies;
  3. security of communications; and
  4. customer privacy in relation to traffic and location data, itemised billing, line identification, and directory listings.

Importantly, PECR applies even if a business is not processing personal data.

The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent in June 2025, introduces substantial amendments to the UK data protection regime. Its amendments are intended to promote innovation and economic growth for businesses, whilst continuing to protect data subject rights. The majority of the provisions are not yet in effect and will require secondary legislation to bring them into effect. The Secretary of State will implement this secondary legislation by June 2026.

Which businesses does the UK data protection regime apply to?

The regime applies to UK controllers and processors processing personal data in the UK. It also applies to controllers and processors in the EU if their processing activities involve offering goods or services to UK residents, or monitoring the behaviour of data subjects, to the extent that such behaviour takes place within the UK.

Does the EU data protection regime apply to any UK businesses?

The EU GDPR will also apply to UK controllers or processors if they have an establishment in the European Economic Area (EEA), have customers in the EEA, or monitor the behaviour of data subjects, to the extent that such behaviour takes place within the EEA.

What does it mean to process personal data?

The regime defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Personal data’ means any information relating to an identified or identifiable natural person (the data subject).

A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Certain types of personal data are further categorised as special category data because they are considered more sensitive and are therefore subject to stricter protections. This category includes information relating to an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health, sex life, or sexual orientation.

What is the difference between a controller and processor?

A business may be a controller, a processor, or both. It is important for businesses to understand the distinction as different legal obligations apply depending on the role.

A ‘controller’ is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, a retail company that collects customers’ personal data and decides how to use it for marketing and sales purposes would fall under the definition of controller.

A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For example, a cloud storage provider that stores personal data on behalf of the retail company would fall under the definition of processor.

When can a business process personal data?

A business can only process personal data if it has a legal basis for doing so under Article 6 of the UK GDPR. Article 6 sets out the following legal bases for processing:

  1. consent from the data subject;
  2. the processing is necessary for performance of a contract;
  3. the processing is necessary for compliance with legal obligations;
  4. the processing is necessary to protect the vital interests of an individual;
  5. the processing is necessary for performance of a task carried out in the public interest; and/or
  6. the processing is necessary for a legitimate interest of the business.

The DUAA has also introduced a new lawful basis which allows processing that is necessary for reasons specified in an annex of “recognised legitimate interests”. This lawful basis differs from the standard legitimate interests basis by removing the requirement for a business to carry out an additional balancing test, which weighs the benefits of the processing against the impact on the rights and freedoms of the data subject. However, a necessity test still applies, i.e. whether the processing is necessary to fulfil one of the recognised legitimate interests.

For any special category data, a business must also be able to demonstrate that one of the conditions in Article 9 of the UK GDPR applies. One example is where the processing of special category data is necessary to protect the vital interests of the data subject or of another natural person, and the data subject is physically or legally incapable of giving consent.

What are the principles under the UK GDPR and how do they apply to a business?

Article 5 of the UK GDPR sets out seven key principles that should lie at the heart of a business’s approach to processing personal data. These are:

  1. lawfulness, fairness, and transparency – personal data should be processed lawfully, fairly and in a transparent manner;
  2. purpose limitation – personal data should be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. data minimisation – personal data should be adequate, relevant and limited to what is necessary to fulfil the purpose for which the data is being processed;
  4. accuracy – personal data should be accurate and up to date and businesses should take reasonable steps to ensure that any inaccurate personal data is erased or rectified without delay;
  5. storage limitation – personal data should not be retained for longer than is necessary for the purpose for which it is processed;
  6. integrity and confidentiality – personal data should be processed in a way that ensures the appropriate security of the personal data; and
  7. accountability – businesses should take responsibility for what they do with the personal data and how they comply with the other principles.

What rights do data subjects have?

Data subjects have a number of rights under the UK GDPR including the:

  1. right to be informed – data subjects have a right to be informed about the collection and use of their personal data;
  2. right to access – data subjects have the right to access and receive a copy of their processed personal data and other supplementary information;
  3. right to rectification – data subjects have the right to have any inaccurate personal data rectified, or completed if incomplete;
  4. right to erasure – data subjects have the right to request the erasure of the personal data in instances such as if the data is no longer necessary for the purpose it was collected for;
  5. right to restrict processing – data subjects have a right to request the restriction of their personal data in circumstances such as where the data subject contests the accuracy of the data;
  6. right to data portability – data subjects have the right to transmit data to another controller;
  7. right to object – data subjects have the right to object to processing in certain circumstances, such as processing for direct marketing purposes; and
  8. rights related to automated decision making – data subjects have the right to object to decisions based solely on automated decision making if those decisions have a legal or other similarly significant effect.

How To Get In Contact

If you require assistance with any aspect of data protection and privacy law, or have questions about your legal obligations, please contact our Data Protection and Privacy team on +44 204 600 9907 or email info@culbertellis.com.
