GDPR & UK Businesses: Most Common Questions Answered

Since its introduction by the European Union (EU) in 2016, General Data Protection Regulations (GDPR) have caused a monumental shift in the way we perceive and treat data in the UK. In particular, large corporations, companies and even small-to-medium-sized businesses have been forced to get on board and understand that the way they collect and process data has to change. And it’s no secret that many businesses still don’t fully understand what GDPR means or what its implications are.


When the UK left the EU, it left the UK market reeling. There was confusion as to what would happen with the EU’s GDPR. Subsequently, the UK used the EU’s GDPR as a basis to create its own GDPR laws. These were put into force in 2018. But UK businesses have had a tough time of it because they’ve had to comply with both UK GDPR and EU GDPR—all but within two years of each other. Naturally, many UK businesses have common questions in regards to GDPR that they need to answer, such as do they need to appoint a GDPR representative and do they need to hire a DPO as a service (Data Protection Officer)?

In this article, we’re going to answer 6 of the most common questions on GDPR and UK business.

1.   What is GDPR?

GDPR stands for the General Data Protection Regulation. It came into effect on 25th May 2018 by the EU as a replacement for the Data Protection Directive (DPD) and The UK Data Protection Act of 1998.

GDPR relates to the protection of personal data and the rights of individuals over their data. It sought to view data as a human right—putting individuals above corporations. Its main goal is to secure and ease the flow of data streams and give individuals rights and control over their data.

2.   Who Does GDPR Apply to?

In terms of the GDPR set by the EU, GDPR applies to any organisation that processes the data of individuals residing within the EU—whether the organisation itself resides in the EU or not. UK GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purpose and means of processing data. And a processor is responsible for processing personal data on behalf of a controller.

If you’re a processor, the UK GDPR has specific legal obligations you must abide by. For example, you’re required to maintain records of personal data and processing activities of those you deal with. You’ll also be responsible and liable for any breaches of this data.

If you’re a controller, the UK GDPR places further obligations on you. You’ll abide by the same rules as you would as a processor and also ensure all your contracts comply with UK GDPR.

UK GDPR applies to organisations operating in the UK that process data and to organisations that offer goods and services to individuals in the UK. The UK GDPR doesn’t apply to certain activities, though, including processing covered by the Law Enforcement Directive, processing for national security purposes and the processing of data done by individuals in personal/household settings.

3.   What Are The Main Responsibilities of GDPR For Businesses?

While there are some differences between EU and UK GDPR, there are many more overlapping duties that businesses must abide by.

Under the GDPR, businesses have to meet six data protection principles whenever they deal with processing personal data. This includes ensuring their use of personal data is lawful, fair and transparent. That data must be collected only for specific and lawful purposes. And that data must be accurate, kept up-to-date and kept only for as long as needed. And organisations that collect personal data must protect it from misuse and exploitation.

Data breaches have been a serious topic and a prevailing problem as data becomes more important. Complying with GDPR means that if a data breach does happen, which includes lost and stolen data, organisations are required to report specific types of breaches to the relevant supervisory authority (in the UK this is ICO) within 72 hours of them becoming aware of the incident.

4.   Do UK Businesses Need to Appoint a GDPR Representative in the EU?

Yes. UK businesses that deal with processing and handling and storing data from individuals residing in any EU country must appoint a GDPR representative. This applies to all organisations, even if they don’t have a physical basis within the EU. GDPR representatives must be seated within one of the EU states in which the organisation processes data. And they will be the ones who are responsible to report and deal with data processing issues on behalf of the business within the EU.

5.   Do Businesses Require a DPO?

Yes. The UK GDPR introduces a duty that you’ll need to appoint a DPO if you are a public authority or body or if you carry out certain types of processing activities. DPOs are knowledgeable in data regulations and assist in monitoring internal compliance. They inform and advise on data protection obligations. And they provide advice in regards to your data protection obligations, among other things. They can work internally or externally, with many businesses opting to hire DPOs as a service externally for the benefits of having them on-call to advise and report to the necessary authorities without interrupting daily business.

6.   How Does Brexit Affect GDPR?

Companies that process data about individuals in the context of selling goods and services to citizens in other EU countries must comply with GDPR. As of 1 January 2021, EU GDPR no longer protects UK citizens. But the UK government has its own set of GDPR which is based on EU GDPR. The GDPR regime applies to most UK businesses and organisations in the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.