Data protection


On 25 May 2018, the Data Protection Act was replaced by the General Data Protection Regulation (UK GDPR). There are no exemptions based on size or sector — all organisations must comply with its requirements in full or face a hefty potential fine. On the whole, the rights individuals enjoy under the UK GDPR are the same as before but with some significant enhancements.

Key points

  • The Data Protection Act 2018 (DPA) is the UK’s third generation of data protection law, aiming to modernise all laws surrounding data protection.
  • It is to be read in conjunction with the General Data Protection Regulation (GDPR), which came into force in May 2018.
  • Under provisions highlighted in both the GDPR and DPA, employees must give consent for their personal data to be processed.
  • Both the DPA and GDPR apply to organisations that process personal data, providing key instructions on the best company policies that should be adopted to protect key individual rights.
  • The GDPR provides for a significant fine of €20m, or 4% of the company’s annual turnover, for organisations found to be in breach.
  • Employers should therefore formulate and implement clear company policies on data protection to be followed by management and staff.
  • The DPA sets out six key principles which should be referred to by all organisations that process personal data.
  • The Act also outlines specified conditions which can be referred to in the absence of employee consent.
  • Employees have the right to make a ‘subject access request’ to view all information that is held on them by their employer.
  • Employers must seek permission from their employees to request personal medical documents from their relevant health practitioners, as outlined in the Access to Medical Reports Act 1988.
  • When recruiting, employers should be careful not to use information on the candidate from social media unless there is a clear reason to do so, and should allow the candidate to make representations in relation to the content.
  • Data can be shared with third-party organisations, such as the police, if it relates to an ongoing crime or possible fraud.
  • See our 'how to' guides for practical information on data protection.