
FAQ

Find answers to the most common questions about GDPR and data protection, plus additional resources.

Question: Do I need a DPO (Data Protection Officer)?

Not every organisation is legally required to appoint a DPO. Under UK GDPR, you must have one if:

  • You are a public authority or body (except for courts acting in their judicial capacity)

  • Your core activities involve large-scale, regular, and systematic monitoring of individuals (for example, online tracking)

  • Your core activities involve large-scale processing of special category data (such as health information) or data relating to criminal convictions and offences

Even if you are not legally required to appoint a DPO, many organisations choose to do so voluntarily for peace of mind, to show accountability, and to have expert guidance on hand.

You can check whether your organisation needs a DPO by using the ICO’s self-assessment tool: ICO DPO Self-Assessment

Question: Do I need to register with the ICO?

Most organisations that process personal data must register with the Information Commissioner’s Office (ICO) and pay a data protection fee. This applies to businesses, charities, and most public sector bodies — whether you’re handling customer details, employee records, or donor information.


There are some exemptions (for example, if you only process personal data for staff administration, advertising your own business, or keeping accounts), but these are limited.

You can check if your organisation needs to register by using the ICO’s self-assessment tool: ICO Registration Checker

Question: How do I know what I must have in place to protect people's data?

The law expects you to take proportionate steps to protect personal data. What you need in place depends on the type of data you hold, the risks involved, and how your organisation operates.

At a minimum, you should:

  • Be clear about your lawful basis for processing personal data

  • Provide a privacy notice explaining how you use people’s data

  • Put policies and procedures in place for data breaches, subject access requests, and individual rights

  • Keep data secure with appropriate IT, access controls, and training

  • Only keep data for as long as it’s needed and dispose of it safely


Some organisations also need to go further:

  • Records of Processing Activities (RoPA): Required if you have over 250 employees, or if you process personal data that could risk people’s rights, process sensitive data, or share data with others regularly

  • Data Protection Impact Assessments (DPIAs): Required before starting any high-risk processing, such as using new technologies, monitoring individuals, or processing sensitive health or criminal data.

Risk depends on the data and the context:

  • B2B organisations usually hold lower-risk data (names, emails, job titles), though security and transparency still matter

  • B2C organisations hold more personal information (home addresses, payment details, purchase history), which carries higher risk if breached

  • Special category data, such as health, ethnicity, religion, political opinions, or safeguarding data, is classed as particularly sensitive under the law. Processing this type of information requires extra safeguards and conditions under UK GDPR.

All of this can sound like a foreign language, but it only takes a quick call with me to find out what really applies to your organisation. The call is free, and it could save you a lot of time and worry.

Question: What are the main data protection laws in the UK?

It can be confusing to hear so many acronyms, so here’s what they mean in simple terms:

  • GDPR (General Data Protection Regulation)
    This is the European law that came into force in 2018. It sets out rules on how organisations must handle personal data, covering things like lawful basis, rights for individuals, and accountability.

  • UK GDPR
    After Brexit, the UK kept GDPR but made it a UK-specific version. It applies to any organisation that handles the personal data of people in the UK, whether you are based here or overseas.

  • Data Protection Act 2018 (DPA 2018)
    This sits alongside the UK GDPR. It fills in the detail, such as how the law applies to law enforcement, intelligence services, and special categories of data. It also sets out the powers of the ICO (Information Commissioner’s Office).

  • Data Use and Access Act 2025
    This is the UK’s new legislation focusing on how data can be accessed and shared, particularly across government and regulated sectors. It introduces new governance structures, including the Information Commission, and aims to modernise how data is used while safeguarding rights.

  • PECR (Privacy and Electronic Communications Regulations)
    These rules sit next to the Data Protection Act and GDPR. They specifically cover electronic marketing (emails, texts, calls), cookies, and electronic communications security. In practice, PECR is the law that decides whether you can send marketing emails or set website cookies.

All of these laws go hand in hand. The UK GDPR sets the core rules, while the Data Protection Act 2018 adds detail for specific areas such as law enforcement or sensitive data. PECR covers marketing and cookies, and the Data Use and Access Act focuses on how data can be shared and accessed.

Sometimes there are exemptions in certain laws, for example, where safeguarding, crime prevention, or regulatory duties apply. But no single law overrides another. They are designed to work alongside each other, and organisations must consider all of the laws that apply to their organisation when handling personal data.
