Introduction
This guide is intended to help in-house counsel, and risk and compliance teams, ensure that their organisation complies with the key requirements of the GDPR, and to help private practitioners advising clients on GDPR compliance.
The guide is UK-focused but covers:
- general requirements under the EU GDPR, as these may still be relevant to some UK organisations to which the EU GDPR applies due to the application of the extra-territorial scope provisions in Article 3(2), EU GDPR; and
- the ICO’s interpretation of such EU GDPR requirements.
However, it does not cover any local EEA data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.
The guide covers an organisation’s processing activities in respect of customer and user data and internal employee data. It follows the structure of the GDPR and takes you through the following areas:
- Principles and lawful processing
- Data subject rights
- Controller and processor
- Security and personal data breaches
- Data protection impact assessments and prior consultation
- Data protection officer
- Codes of conduct and certifications
- International data transfers
Different requirements will apply depending on whether the organisation is a controller or a processor. The guide focuses on mandatory/key issues, but there may be additional measures that an organisation can take as a matter of good practice.
The guide covers the requirements under:
- Regulation 2016/679 – General Data Protection Regulation (EU GDPR)
- the EU GDPR as it forms part of the domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR)
- the UK Data Protection Act 2018 (UK DPA 2018)
- various UK Information Commissioner’s Office (ICO) guidance
- various European Data Protection Board (EDPB) (formerly the Article 29 Working Party) guidelines
References to the ‘GDPR’ mean either the EU GDPR or the UK GDPR, unless specified otherwise.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.
The guide can be used in conjunction with How-to guides: How to deal with a data breach and How to reduce the risk of a data breach, and Checklists: GDPR compliance self-assessment audit, When it is lawful to process personal data, When and how to appoint a data protection officer (DPO), What information to include in your organisation’s privacy notice and Data subject access rights under the GDPR.
Section 1 – Principles and lawful processing
1.1 Data protection principles
The data protection principles for controllers processing personal data are outlined in article 5, GDPR. These are:
- lawfulness, fairness and transparency – this means identifying a lawful basis to process personal data, not using data in contravention of other laws, using data fairly and being open with people about how you will use their data;
- purpose limitation – this means collecting personal data only for specific purposes that you tell people about from the start and not using the data for other incompatible purposes;
- data minimisation – this means only collecting and retaining the personal data you need to satisfy the stated purpose;
- accuracy – this means ensuring the personal data you create or hold is accurate and up-to-date;
- storage limitation – this means only retaining personal data for so long as you need to; and
- integrity and confidentiality – this means putting in place appropriate security, including technical and organisational measures, to protect the personal data you hold.
The controller must also be able to demonstrate ‘accountability’ (see Section 1.2).
1.2 Accountability and data protection governance
The controller is responsible for, and must be able to demonstrate compliance with, the data protection principles (see Section 1.1). This is known as ‘accountability’. The best way to do this is to be able to point to an established data protection governance framework, underpinned by effective policies, procedures and management structures. In particular, you should ensure the organisation has:
- appropriate policies and procedures, in particular regarding data handling, transparency, information security and data breach response and data retention;
- the required records (eg, records of processing activities (see Section 3.8)) and data breach logs (see Sections 4.2 and 4.3);
- a DPO if required (see Section 6);
- DPIAs for all high-risk processing (see Section 5);
- contracts with all processors and joint controllers (as well as pre-contract due diligence on processors) (see Section 3);
- determined which data protection regulators have jurisdiction (see Section 3.9);
- maintained all registrations with and paid all fees to data protection regulators;
- appointed a representative(s) where it needs to (see Section 3.4);
- adhered to all codes of conduct and certifications that it has signed up to (see Sections 7.1 and 7.2); and
- trained staff on data protection with regular refresher training.
1.3 Lawful bases
The controller must ensure that each processing activity has a valid lawful basis for processing under article 6, GDPR. Broadly, these are:
- data subject consent;
- where the processing is necessary for performance of or entering into a contract;
- where the processing is necessary for compliance with a legal obligation;
- where the processing is necessary for protection of vital interests;
- where the processing is necessary for performance of a task in the public interest or in the exercise of official authority (subject to section 8, UK DPA 2018); and
- where the processing is necessary to further the ‘legitimate interests’ of the controller or a third party – which requires identifying a legitimate interest, showing that the processing is necessary to achieve it and carrying out a balancing test (weighing your or the third party’s interest against the individual’s interests, rights and freedoms). This three-part test and its outcome should be documented in a legitimate interests assessment (LIA).
Additional elements may need to be satisfied to be able to rely on each ground.
The lawful bases relied on by the controller to process personal data should be established by carrying out a lawful basis assessment. This means documenting your rationale for relying on particular lawful bases for accountability purposes.
These will then need to be set out in the controller’s privacy notice and records of processing activities. The controller may not process data inconsistently with what individuals have been told about use of their data.
Article 7, GDPR outlines further conditions applicable to consent. Article 8, GDPR and section 9, UK DPA 2018 set out conditions concerning children’s consent for online services.
1.4 Special category data
‘Special categories of personal data’ under article 9, GDPR are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
This more sensitive data is given special protection under the GDPR and cannot be processed unless, in addition to an article 6 lawful basis (see Section 1.3), a relevant exemption or condition under article 9, GDPR is met. These exemptions include, broadly:
- explicit data subject consent;
- obligations and rights of the controller or of the data subject related to employment and social security and social protection law;
- where the processing is necessary for protection of vital interests;
- processing by certain not-for-profit bodies that relates solely to their members, former members or regular contacts;
- processing relating to personal data manifestly made public by the data subject;
- where processing is necessary in relation to legal claims or by courts acting in their judicial capacity;
- where processing is necessary for reasons of substantial public interest;
- where processing is necessary for the purposes of preventive or occupational medicine, to assess employee working capacity, medical diagnosis, providing health or social care or treatment or managing health or social care systems and services or pursuant to a contract with a health professional;
- where processing is necessary for reasons of public interest in the area of public health; and
- where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Additional elements may need to be satisfied to be able to rely on each ground. For example, where processing is for reasons of ‘substantial public interest’, you must meet one of the conditions in Part 2, Schedule 1, UK DPA 2018.
The exemptions relied on by the controller to process special category data should be established by carrying out a lawful basis assessment.
These will then need to be set out in the controller’s privacy notice and records of processing. The controller may not process data inconsistently with what individuals have been told about use of their data.
Schedule 1 of the UK DPA 2018 sets out additional provisions regarding processing of special category data, including in some instances needing to have an appropriate policy document.
1.5 Criminal data processing
‘Criminal data’ means personal data relating to ‘criminal convictions and offences or related security measures’ that is processed on the basis of article 6(1), GDPR (article 10, GDPR).
Processing of criminal data must only be carried out under the control of an official authority or when authorised under laws that provide for appropriate safeguards for individuals’ rights and freedoms. A comprehensive register of criminal convictions can only be kept under the control of an official authority.
Schedule 1 of the UK DPA 2018 sets out additional provisions regarding processing of criminal data, including in some instances needing to have an appropriate policy document.
This may be relevant, for instance, where an organisation carries out pre-employment criminal records checks.
Details of criminal data processing should be set out in the controller’s privacy notice (unless an exemption applies) and records of processing.
1.6 De-identified/anonymous data
Under article 11, GDPR, if the purposes for which a controller processes personal data do not, or no longer, require it to identify the data subject, the controller is not obliged to maintain, acquire or process additional information in order to identify them solely to comply with the GDPR. In those circumstances, the controller need not give effect to certain data subject rights (under articles 15 to 20, GDPR) unless the data subject provides additional information enabling their identification; where possible, the controller should tell the data subject that it is unable to identify them.
In line with the data minimisation principle, and as a matter of good data governance, you should aim to use anonymisation techniques wherever possible. This will reduce your regulatory compliance burden, as properly anonymised data is not ‘personal data’ and data protection law does not apply to it. However, be aware that true anonymisation is difficult to achieve in practice: data that can still be linked back to an individual, directly or in combination with other information, remains personal data. If anonymisation is not possible or practical, use pseudonymisation techniques where possible. Pseudonymised data is still personal data (recital 26, GDPR), but pseudonymisation reduces the risk of harm to data subjects and strengthens the security measures you take to protect the personal data.
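As an added illustration (not part of the original guide) of the distinction drawn above, and of the pseudonymisation measure referred to again in Sections 3.2 and 4.1, the Python below replaces an email address with a token in two ways: an unkeyed hash, which anyone can reverse by guessing, and an HMAC under a key held separately from the dataset, which only the key holder can reverse. The sample records, candidate identifiers, keys and function names are all constructed for this example.

```python
"""Keyed pseudonymisation of a direct identifier (added example, not from the guide).

Shows (1) why an unkeyed hash of an email address is not a pseudonym on its own,
(2) how HMAC with a key stored apart from the data matches the article 4(5) idea
of 'additional information kept separately', and (3) that the key holder can
still re-identify, so the output remains personal data.
All records, identifiers and keys below are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample data: nobody real is described here.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "postcode": "SW1A 1AA", "purchases": 3},
    {"email": "bob@example.com", "postcode": "EC1A 1BB", "purchases": 1},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "purchases": 2},
]
# Identifiers an attacker, or the controller itself, might already hold or guess.
CANDIDATE_EMAILS = ["carol@example.com", "bob@example.com", "alice@example.com"]


def normalise(identifier: str) -> str:
    """Canonicalise case and whitespace so one person always yields one token."""
    return identifier.strip().lower()


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256: deterministic and reversible by guessing. NOT a safe pseudonym."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored apart from the pseudonymised data."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier and coarsen a quasi-identifier (data minimisation).

    Only the attributes needed for the stated purpose are carried across.
    """
    out = []
    for rec in records:
        out.append({
            "subject_token": keyed_token(rec["email"], key),
            "postcode_area": rec["postcode"].split()[0],  # outward code only
            "purchases": rec["purchases"],
        })
    return out


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Re-identify an unkeyed hash by hashing each guess; no secret is needed."""
    for guess in candidates:
        if unkeyed_token(guess) == token:
            return normalise(guess)
    return None


def reidentify(token: str, candidates: List[str], key: bytes) -> Optional[str]:
    """Whoever holds the key can reverse a keyed token with the same loop.

    Without the key the loop fails, which is why the key must live apart from
    the data (KMS/HSM, separate access control). compare_digest avoids timing leaks.
    """
    for guess in candidates:
        if hmac.compare_digest(keyed_token(guess, key), token):
            return normalise(guess)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hold in a KMS/HSM, never next to the dataset
    unkeyed = unkeyed_token("alice@example.com")
    print("unkeyed hash recovered by guessing:", dictionary_attack(unkeyed, CANDIDATE_EMAILS))
    keyed = keyed_token("alice@example.com", key)
    print("keyed token, wrong key:", reidentify(keyed, CANDIDATE_EMAILS, secrets.token_bytes(32)))
    print("keyed token, right key:", reidentify(keyed, CANDIDATE_EMAILS, key))
    for row in pseudonymise(SAMPLE_RECORDS, key):
        print(row)  # rows 1 and 3 share a token: still linkable, still personal data
```

Two practical points follow from running this. First, the pseudonymised rows for the same person share a token, so the dataset is still linkable and, combined with the postcode area, may still single someone out; pseudonymisation alone is not anonymisation. Second, destroying the key removes the controller's own means of re-identification, but whether what remains is truly anonymous is a judgement about the residual attributes, not an automatic consequence of deleting the key.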
Section 2 – Data subject rights (DSRs)
2.1 Privacy information / transparency
To fulfil the controller’s ‘transparency’ obligations, the information outlined in articles 13 and 14, GDPR must be provided to individuals whose data is processed. This is usually done in privacy notices. Consider providing external notices to customers, clients, website users, product or service users and other relevant individuals whose information you handle, and internal notices to staff.
2.2 Right of access
Under article 15, GDPR, if an individual requests access to their data being processed by the controller, the controller must:
- confirm whether it is processing their personal data;
- if so, provide access to a copy of the data; and
- provide certain information about the data and how this is used – some of this information is the same as that required in the controller’s privacy notice (see Section 2.1).
Check that proper policies, processes and procedures are in place to ensure you can quickly:
- identify subject access requests (SARs) and verify these as valid;
- assess any exceptions or exemptions to disclosure;
- pull the data you need to respond from your systems;
- redact any information that should not be disclosed; and
- provide any information you are required to disclose to the data subject in an appropriate format.
The request must be responded to without undue delay and in any event within one month of receipt. This can be extended by up to two further months where necessary, taking into account the complexity and number of requests, provided the individual is told of the extension and the reasons for it within the first month (article 12(3), GDPR).
2.3 Right of rectification / correction
Under article 16, GDPR, if an individual requests rectification (correction) of their personal data, the controller must action this request by correcting inaccurate data or completing incomplete data without undue delay.
Check that proper policies, processes and procedures are in place to ensure you can quickly:
- identify rectification requests and verify these as valid;
- assess any exceptions or exemptions;
- isolate the data you need to respond from your systems and make the necessary corrections; and
- respond to the individual confirming that the correction has (or has not) been made.
The request must be responded to within tight time frames (usually one month).
2.4 Right to erasure / to be forgotten
Under article 17, GDPR, if an individual requests erasure of their personal data, the controller must do so without undue delay if any of the specified grounds has been met (eg, the data has been unlawfully processed).
Check that proper policies, processes and procedures are in place to ensure you can quickly:
- identify erasure requests and verify these as valid;
- assess any exceptions or exemptions;
- isolate the data you need to respond from your systems and make the necessary deletions; and
- respond to the individual confirming that the data has (or has not) been erased.
The request must be responded to within tight time frames (usually one month).
2.5 Right to restriction of processing
Under article 18, GDPR, if an individual requests restriction (or ‘blocking’) of processing of their personal data, the controller must action this request if one of certain specified grounds applies. Restriction of processing is usually temporary.
Check that proper policies, processes and procedures are in place to ensure you can quickly:
- identify restriction requests and verify these as valid;
- assess any exceptions or exemptions;
- isolate the data you need to respond from your systems and impose the necessary controls to restrict processing; and
- respond to the individual confirming that the restriction has (or has not) been made, and let them know in advance of any restriction being lifted.
The request must be responded to within tight time frames (usually one month).
2.6 Communication of requests to third parties
Article 19, GDPR requires the controller to communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. (That is a high threshold to meet.) If the data subject asks, the controller must also tell them who those recipients are.
2.7 Right to data portability
Under article 20, GDPR, an individual may have a right to receive their personal data, in a structured, commonly used and machine-readable format or to have that data transmitted to another controller (where technically feasible). This portability right only applies where:
- the data is information that has been provided by the individual to the controller;
- the processing is based on consent, explicit consent or performance of contract; and
- the processing is automated.
Check that proper policies, processes and procedures are in place to ensure you can quickly:
- identify portability requests and verify these as valid;
- assess any exceptions or exemptions;
- isolate the data you need to respond from your systems and make the necessary transmission of data; and
- respond to the individual confirming that the data has (or has not) been ported.
The request must be responded to within tight time frames (usually one month).
2.8 Right to object
Under article 21(1), GDPR, an individual may object, on grounds relating to their particular situation, to processing (including profiling) carried out for the performance of a task in the public interest or in the exercise of official authority, or on the basis of ‘legitimate interests’. The controller must then stop processing unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that the processing is required for the establishment, exercise or defence of legal claims. Where the individual objects to processing for direct marketing purposes (article 21(2) and (3), GDPR), the right is absolute: the processing (including any related profiling) must stop and no balancing test applies.
Under article 21(6), GDPR, where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject has the right to object on grounds relating to their particular situation, unless the controller can demonstrate that the processing is necessary for the performance of a task carried out for reasons of public interest.
Check that proper policies, processes and procedures are in place to ensure you can quickly:
- identify objection requests and verify these as valid;
- assess any exceptions or exemptions;
- isolate the data you need to respond from your systems;
- restrict processing while the balancing test is being carried out;
- make any necessary deletions if the objection is upheld; and
- respond to the individual confirming that the objection has (or has not) been acted on.
The request must be responded to within tight time frames (usually one month).
2.9 Automated decision-making, including profiling
Under article 22, GDPR, individuals have the right not to be subject to decisions based on solely automated decision-making, including profiling, which produce legal or similarly significant effects for the individual. There are exceptions to this linked to the lawful basis that underpins the decision. If such processing is permitted, additional safeguards need to be put in place to protect individuals’ rights, namely the right for the individual to:
- obtain human review by the controller; and
- express their point of view and to contest the decision.
Even stricter controls apply to making solely automated decisions in respect of special category personal data and children’s data.
2.10 Technical and organisational measures by processors to support DSRs
When acting as a processor on behalf of a controller organisation, you are required to implement technical and organisational measures to support the controller in meeting its obligations to respond to Data Subject Requests (DSRs) (article 28(3)(e), GDPR). This includes measures to:
- identify DSRs; and
- depending on the process agreed with the controller:
- refer all DSRs to the controller as soon as possible; or
- deal with DSRs as instructed by the controller, for example to:
- verify the DSRs as valid;
- assess any exceptions or exemptions;
- isolate the data needed to respond and action the request; and
- respond to the individual and action the request or respond confirming that no action is required.
Section 3 - Controller and processor
3.1 Technical and organisational measures for compliance with GDPR
The controller must implement and maintain appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR (article 24(1), GDPR). In doing so, the controller can consider ‘the nature, scope and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons’. Where proportionate in relation to processing activities, this includes the controller putting in place appropriate data protection policies. You need to review and update these measures, as required.
3.2 Data protection by design and by default
Under article 25(1), GDPR, the controller must implement appropriate technical and organisational measures (such as pseudonymisation), which are designed to implement data protection principles (such as data minimisation) effectively:
- at the time of determining the means for processing; and
- at the time of the processing itself.
The necessary safeguards must be integrated into the processing to comply with the GDPR and to protect individuals’ rights. This ‘data protection by design’ needs to consider the state of the art, cost of implementation, and nature, scope, context and purposes of processing, and the risks to individuals posed by the processing.
The International Organization for Standardization (ISO) published a privacy-by-design standard for consumer goods and services, ISO 31700, in early 2023. It sets out requirements and guidance on designing and operating products and services in a manner compatible with individuals’ data protection and privacy rights. It is not a legal requirement, but organisations may use conformity with it to evidence a best-practice approach to data protection by design under applicable data protection law.
In a similar vein, the controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific processing purpose is used. This ‘data protection by default’ applies to the volume of personal data collected, the extent of the processing of that data, its storage period and its accessibility.
3.3 Joint controller arrangements
Under article 26, GDPR, arrangements between joint controllers need to be determined transparently and properly documented, in particular as regards exercising rights of data subjects and provision of privacy information.
The essence of the relationship needs to be made available to data subjects. This is typically done in the privacy notice.
3.4 Representatives
Under article 27, EU GDPR, controllers and processors not established in the EEA but caught by the extra-territorial scope provisions in article 3(2), EU GDPR must appoint a representative in the EEA.
The UK GDPR imposes an equivalent requirement on controllers and processors not established in the UK that are within the territorial scope of the UK GDPR to appoint a UK representative. There are exemptions for occasional, low-risk processing. Public authorities or bodies do not need to appoint a representative.
3.5 Pre-contract due diligence on processors
It is not enough that a contract is in place when appointing a processor as required by article 28(3), GDPR – article 28(1), GDPR also requires that controllers only appoint processors that give ‘sufficient guarantees’ to implement appropriate technical and organisational measures to ensure processing will comply with the GDPR and that data subjects’ rights are protected. In practice, this means that controllers must carry out pre-contract due diligence on all processors before entrusting them to process personal data.
Some examples given in the ICO's controller and processor guidance of factors that controllers should take into account when assessing whether the processor provides “sufficient guarantees” include:
- the extent to which the processor complies with industry standards (if applicable)
- whether the processor has sufficient technical expertise to provide the required assistance to the controller
- provision of relevant policy documentation regarding personal data handling and security, and
- adherence to an approved code of conduct or a certification scheme (once available).
3.6 Processor contracts
Article 28, GDPR imposes certain requirements on the appointment of processors to process personal data on behalf of controllers. These include requirements regarding authorisation of sub-processors by the controller and the flow-down of data protection terms in the processor contract (article 28(2) and (4)).
There are also mandatory terms that need to be included in all processor contracts (article 28(3)), including:
- the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects and the obligations and rights of the controller; and
- obligations that the processor:
- processes the personal data only on documented instructions from the controller, including with regard to international data transfers; if there is a legal requirement that would require the processor to deviate from those instructions, the processor must inform the controller (unless that law precludes this on important public interest grounds);
- ensures that persons authorised to process the personal data have committed to keep the data confidential;
- takes all security measures required pursuant to article 32, GDPR;
- complies with certain conditions when engaging another processor;
- assists the controller by appropriate technical and organisational measures with the controller’s obligations to respond to data subject requests;
- assists the controller to comply with the obligations relating to security (article 32, GDPR), notifying data breaches (articles 33 and 34, GDPR), DPIAs (article 35, GDPR) and prior consultations (article 36, GDPR);
- at the controller’s option, deletes or returns all personal data to the controller after ceasing to provide services and deletes existing copies; and
- makes available to the controller all information necessary to demonstrate compliance with the obligations in article 28 and allows for and contributes to audits, including inspections, conducted by the controller or its auditors.
Controllers should regularly monitor processors’ compliance with their contractual as well as other obligations under data protection law.
3.7 Controller’s instructions
A processor, or anyone under the authority of the controller or of the processor, who has access to personal data, must not deviate from the processing instructions given by the controller, unless applicable law requires them to do so (article 29, GDPR).
3.8 Records of processing
The controller and the processor must maintain records of processing containing certain mandatory information. For the controller, this is as set out in article 30(1), GDPR; for the processor this is as set out in article 30(2), GDPR. Some smaller organisations that only carry out lower-risk processing are exempt (article 30(5), GDPR).
3.9 Cooperation with the ICO and other data protection regulators
Article 31, GDPR requires the controller and the processor, and their representatives to cooperate on request with the data protection regulator, namely the ICO, in the performance of its tasks. A lack of cooperation is an aggravating factor that can be taken into account when setting fines (article 83, GDPR).
Section 4 – Security and personal data breaches
4.1 Technical and organisational security measures
Article 32, GDPR sets out the requirements in relation to security. These apply to controllers and processors.
In particular, the organisation must implement appropriate technical and organisational measures in relation to personal data to ensure a level of security appropriate to the risk, including, as appropriate:
- pseudonymisation and encryption;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
The organisation can consider the state of the art (ie, the technical measures currently available and recognised as good practice for the processing in question), the costs of implementation, the nature, scope, context and purposes of processing, and the risks to individuals. In deciding the appropriate level of security, the risk of sustaining a personal data breach in particular should be considered.
4.2 Unresolved personal data breaches
A ‘personal data breach’ is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (article 4(12), GDPR).
Check that there are no unresolved personal data breaches as these could result in regulatory, legal, and other risks for your organisation. You should also ensure that preventative measures are in place to guard against breaches recurring – breaches that are easily preventable, or of which the organisation has already been put on notice by the data protection regulators but failed to address, tend to attract higher fines.
Article 33(5), GDPR requires the controller to document any personal data breaches, including the relevant facts, its effects and the remedial action taken. This means maintaining a data breach log.
4.3 Reporting personal data breaches (controllers)
See the definition of ‘personal data breach’ in section 4.2. Controllers and processors have different responsibilities in respect of breach reporting. (See also 4.4 for processor breach notification requirements.)
The controller must ‘without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach’, notify the ICO or other relevant data protection regulator of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals (article 33(1), GDPR). If the 72-hour time frame is not met, the notification must be accompanied by reasons for the delay. Certain prescribed information must be included in the notification and, if necessary, may be provided in phases (article 33(1), (3) and (4), GDPR).
The ICO provides a guide on personal data breaches and the European Data Protection Board (EDPB) data breach examples guidance provides examples of when an organisation is and isn’t required to notify the data protection regulator.
4.4 Notifying breaches to controller when acting as a processor
The processor has to notify the controller ‘without undue delay after becoming aware of a personal data breach’ (article 33(2), GDPR). Controllers often seek to impose a time frame on this contractually.
4.5 Communicating personal data breaches to affected individuals
When a personal data breach is likely to result in a ‘high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay’ (article 34(1), GDPR).
The communication needs to be clear and disclose certain prescribed information and measures (article 34(2), GDPR). There are certain limited exceptions to making the communication, such as where the breached data was protected by measures, such as encryption, that render it unintelligible to anyone not authorised to access it (article 34(3)(a), GDPR). That exception is only available if the encryption is strong enough and the keys themselves were not exposed in the breach.
4.6 Assisting the controller with notifying breaches to regulators and affected individuals when acting as a processor
Article 28(3)(f), GDPR requires processors to assist controllers with notifying data breaches to data protection regulators and affected individuals.
Section 5 – Data protection impact assessments (DPIAs) and prior consultation
5.1 Data protection impact assessments (DPIAs) for high-risk processing
A DPIA is a risk-assessment methodology to examine and mitigate the impact of processing operations on the protection of personal data. The controller must carry out a DPIA in advance of starting processing where ‘a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons’ (article 35(1), GDPR). The GDPR states that a DPIA is required in particular for:
- a systematic and extensive evaluation of personal aspects relating to individuals that is based on automated processing, including profiling, and on which decisions are based that produce legal or similarly significant effects for individuals;
- large-scale processing of special categories of data (article 9, GDPR) or criminal data (article 10, GDPR); or
- a systematic monitoring of a publicly accessible area on a large scale (eg, CCTV or drones).
The Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) list criteria that may act as indicators of probable high-risk processing.
The European data protection regulators can issue further guidance on situations where processing is likely to be high-risk and therefore requires a DPIA. The UK ICO lists the following in their DPIA guidance:
- innovative technology – a DPIA is required where this processing is combined with any criteria from the European guidelines;
- denial of service – where based on automated decision-making (including profiling) or involving the processing of special category data;
- large-scale profiling – any profiling of individuals on a large scale;
- biometrics – where biometric data is processed, a DPIA is required where this processing is combined with any criteria from the European guidelines;
- genetic data – (subject to an exception for direct healthcare by an individual GP or health professional) a DPIA is required where processing of genetic data is combined with any criteria from the European guidelines;
- data matching – combining, comparing or matching personal data obtained from multiple sources;
- invisible processing – where third-party personal data is processed and the controller considers giving a privacy notice would be impossible or involve disproportionate effort, a DPIA is required where this processing is combined with any criteria from the European guidelines;
- tracking – where processing involves tracking an individual’s geolocation or behaviour (online or offline), a DPIA is required where this processing is combined with any criteria from the European guidelines;
- targeting of children or other vulnerable individuals – using the personal data of children or other vulnerable individuals for marketing, profiling or other automated decision-making, or if you intend to offer online services directly to children (the ICO has published guidance particular to data processing activities concerning the personal data of children – see Guidance on Children and the UK GDPR; 10 Step Guide to Sharing Information to Safeguard Children; and Guidance on ‘Likely to be accessed by Children’); and
- risk of physical harm – where processing is such that a personal data breach could endanger the physical health or safety of individuals.
5.2 Processors supporting DPIAs
Processors must assist controllers in ensuring compliance with the controller’s obligations in relation to DPIAs (article 28(3)(f), GDPR). The level of assistance given can take into account the nature of the processing and the information available to the processor.
5.3 Prior consultation
Where a DPIA is carried out and ‘indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk’, the controller must consult with the ICO and other relevant data protection regulators before data processing commences (article 36(1), GDPR). A detailed consultation process follows where the regulator decides whether the intended processing would infringe the GDPR, in particular where the controller has insufficiently identified or mitigated the risk (article 36(2) and (3), GDPR).
5.4 Processors supporting prior consultations
Processors must assist controllers in ensuring compliance with the controller’s obligations relating to prior consultations (article 28(3)(f), GDPR). The level of assistance can take into account the nature of the processing and the information available to the processor.
Section 6 – Data protection officer (DPO)
Organisations meeting the specified criteria set out in article 37, GDPR must appoint a DPO. Where a statutory DPO is appointed, their appointment must fulfil the requirements in article 38, GDPR and they must fulfil the tasks listed in article 39, GDPR. The ICO and other relevant data protection regulators must be notified of their appointment and their details must be included in privacy notices.
Section 7 – Codes of conduct and certifications
7.1 Codes of conduct
Under article 40, GDPR, relevant data protection regulators and EU bodies encourage drawing up of codes of conduct to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises. Trade associations and representative bodies take the lead on developing and monitoring compliance with codes of conduct. The ICO or other data protection regulators approve such codes. A specific approval process is involved, as set out in article 40.
At the time of publication, there are no approved UK GDPR codes of conduct. Once approved, these will be published on the ICO website: ICO register of UK GDPR codes of conduct.
Adherence to codes of conduct can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default), GDPR).
7.2 Certifications
Under article 41, GDPR, relevant data protection regulators and EU bodies encourage the establishment of data protection certification mechanisms and data protection seals and marks to demonstrate compliance with the GDPR of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises must be considered.
Details on certification criteria or accredited certification bodies for issuing UK GDPR certificates can be found on the ICO’s website.
Adherence to approved certification mechanisms can also be used as part of demonstrating compliance (articles 24(3) (technical and organisational measures) and 25(3) (data protection by design and by default), GDPR).
Section 8 – International data transfers
For international data transfers, under the EU GDPR, in the absence of an adequacy decision (article 45(3), GDPR), a ‘controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available’. Under the EU GDPR, a ‘third country’ means a jurisdiction outside the EEA which, after Brexit, includes the UK. Under the equivalent provision of the UK GDPR, a ‘third country’ means a country or territory outside the UK.
For now at least, there is an EU adequacy decision in place for the UK and a UK adequacy decision in place for the EEA countries. The European Commission has granted various other countries adequacy and the UK has adopted this list.
Whilst the EU uses the terminology ‘adequacy’, the UK government uses ‘data bridges’. The UK Government has concluded data bridges with the Republic of Korea (December 2022) and the United States of America (US) (October 2023) since leaving the EU. The data bridge with the Republic of Korea is broader than the EU adequacy decision with South Korea, in that it covers not only personal data transfers but also financial services data transfers, such as credit information to facilitate payment verification processes. The data bridge with the US is an extension of the EU-US Data Privacy Framework (the EU adequacy decision for safe EU-US data flows adopted by the European Commission in July 2023). This Data Privacy Framework is a bespoke, opt-in certification scheme for US companies and includes a set of enforceable principles and requirements that must be certified and complied with in order for US organisations to be able to join the Framework. US organisations certified under the Framework can opt in to receive data from the UK (only once the relevant US organisations have been certified and publicly placed on the Data Privacy Framework List).
Additional requirements, including ‘appropriate safeguards’ and transfer adequacy assessments, need to be met if personal data is to be transferred to a third country from the UK or the EEA if there is not an adequacy decision in place. ‘Appropriate safeguards’ include standard contractual clauses together with supplementary measures as appropriate, binding corporate rules and specific derogations. In the UK, the international data transfer agreement (IDTA) and the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) can be used as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers. The IDTA and Addendum replaced standard contractual clauses for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as Schrems II. All existing contracts entered into on or before 21 September 2022 which rely on the old EU SCCs as a valid transfer tool were required to be amended to incorporate the IDTA/Addendum by 21 March 2024. See also Checklist: GDPR compliance self-assessment audit for more information.
In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the conditions set out in Article 49.
Additional resources
Related Lexology Pro content
How-to guides:
Understanding key data protection definitions
How to comply with data processing principles under the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the UK
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with an ICO dawn raid
Checklists:
GDPR compliance self-assessment audit
Lawful processing of personal data under the GDPR
Assessing whether an organisation is a controller or processor under the GDPR
Processor due diligence (data protection and cyber security)
Obtaining and managing consent under the GDPR
What to include in your organisation’s privacy notice
Data subject access rights under the GDPR
When and how to appoint a data protection officer
Making an international transfer of personal data under the UK GDPR
Complying with cookie requirements under the PECR and the GDPR