UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation (UK GDPR) applies to 'data controllers' and 'data processors' within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.

The UK GDPR does not apply to the personal data processed:

• by competent authorities for law enforcement purposes
• for the purposes of safeguarding national security or defence
• in the course of a purely personal or household activity, with no connection to a professional or commercial activity

What is the difference between data controllers and data processors?

Your obligations under the UK GDPR will vary depending on whether you are a controller or a processor. In short:

• data controllers decide why and how they process personal data
• data processors hold or process data on behalf of a data controller

You can be both a controller and a processor in respect of different information that you process, depending on the circumstances.

How to determine if you are a processor or a controller

Whether you are a controller or processor depends on who determines:

• the purposes for which the data is being processed
• the means of processing

If you determine the purposes and the means of processing, you will be the controller.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they will be joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

The Information Commissioner's Office (ICO) has produced detailed guidance on controllers and processors.

GDPR obligations on data processors

Under the UK GDPR, processing refers to any type of handling of personal data, including:

• obtaining, recording or keeping data (electronically or in hard copy)
• organising or altering the data
• retrieving, consulting or using the data
• disclosing the data to a third party (including publication)
• erasing or destroying the data

If you are a processor, the UK GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a data breach.

GDPR obligations on data controllers

If you are a controller, you will have the highest level of compliance responsibility. This means:

• you must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements
• you are responsible for the compliance of your processors
• you will be liable for a breach of any of these obligations
• you must pay the data protection fee, unless you are exempt

Data protection fee

Under the Data Protection (Charges and Information) Regulations 2018, organisations that handle personal information electronically, such as people's names and addresses, must register with the ICO and pay an annual data protection fee, unless exempt.

Whether you need to pay the fee depends on how your organisation uses personal information for work purposes. For example, if you store personal information on a computer or phone, you must check if the fee applies. If you use CCTV or dashcams, you will likely need to pay.

The cost of your data protection fee depends on your size and turnover. For those with 10 or fewer employees, the fee is currently £40 per year. It's important to pay if you need to, to avoid a fine.

You can use the ICO's online self-assessment to pay or check if you're exempt. It will guide you through some questions about how your organisation uses data to determine whether you need to pay.

Find out more about the data protection fee.

Exemptions from UK GDPR

In some circumstances, the Data Protection Act 2018 (DPA 2018) provides an exemption from particular UK GDPR provisions. There are several different exemptions, including for:

• crime, law and public protection
• regulation, parliament and the judiciary
• journalism, research and archiving
• health, social work, education and child abuse
• finance, management and negotiations
• references and exams

Whether or not you can rely on an exemption often depends on why you process personal data. For more information, see ICO's guidance on exemptions.

If an exemption applies, you may not have to comply with all the usual rights and obligations. If no exemption covers what you do with personal data, you will need to comply with the UK GDPR as normal.