GDPR, data protection & your business: your guide to compliance


Data protection and its evolving regulations have long been a point of confusion for many businesses across the globe. Whether you’re running a small team, or the entire business by yourself, navigating the various data protection regulations is no easy feat.

Fortunately, we’ve brought together the information and highlighted key points, providing an explanation of what the laws are and what you need to be aware of.

Data protection is an expansive part of business. It’s always best to seek legal advice if you’re unsure about the specifics of your business operations.

What are the data protection laws I need to know about in the UK right now?

If you’re confused about the acronyms and laws when it comes to data protection, there’s no need to worry. We’ve rounded up everything you need to know.

GDPR (General Data Protection Regulation)

GDPR was one of the biggest changes in data legislation since the original data laws were introduced in 1995. With the state of the world having changed so drastically, law needed to keep up with the times.

The low-down on GDPR:

  • Created by the European Commission
  • Covers member states of the EU
  • Applies to anyone processing data of EU persons or transmitting data through the EU/EEA (European Economic Area)
  • Created in 2016, it is the modern version of the 1995 Data Protection Directive
  • Organisations had to be compliant by 25th May 2018, when GDPR came into force

Enforced by: The EDPS (European Data Protection Supervisor), and the wider European Commission

Applies to: Anyone processing data of any living person in the EU, or holding data in an EU company

What part does the UK play? The UK is now considered a third country in GDPR terms. This means the UK is treated the same as any country outside the EU.

On June 28th, 2021, the UK received confirmation that its data protection laws are considered “adequate”. This means transfers of data from the EU can move unrestricted.

The UK GDPR is what most businesses will now use going forward, and in terms of how it works, not much has changed. The main differences are to do with the reporting and hierarchy of courts (i.e., removing the European Court of Justice.)

The lowdown on UK GDPR:

  • The retained version of GDPR has been named UK GDPR simply for clarity.
  • The UK GDPR “is a single regime for general processing activities.” All this means is that the UK GDPR requires any UK data processing to be done to the same standard as the previous GDPR.

Enforced by: The ICO (Information Commissioner’s Office) and the Secretary of State

Applies to: Anyone processing data in the UK, or anyone outside the UK (extra-territorial) who processes data of UK persons.

What part does the UK play? As the UK is the focus of the UK GDPR, our companies and our data are the key focus. The UK GDPR requires a good level of data protection, with which anyone who processes or holds data on UK people must comply.

DPA (Data Protection Act) 2018

Updated from the 1998 version, the Data Protection Act was created to ensure that data protection is prepared for the digital age.

The lowdown on DPA:

  • Created to help personalise GDPR for the UK, before the UK GDPR was fully finalised
  • Mentions cybersecurity specifically and brings in bespoke UK sectors such as healthcare and academia
  • Introduced the children’s code on data processing to ensure that young people using the internet are safe

Enforced by: The Secretary of State for the DCMS (Department for Digital, Culture, Media & Sport) and the ICO

Applies to: Any UK organisations that process data

What part does the UK play? As this exclusively applies to organisations in the UK, it’s all focussed on us.

PECR (Privacy and Electronic Communications Regulations) 2003

One regulation that hasn’t really changed drastically since its creation is PECR. Demonstrating the UK’s world-leading approach to data protection for many years, PECR set regulations for consent and processing very early on.

The lowdown on PECR:

  • Covers electronic marketing, cookies and tracking technologies, public electronic communications and privacy of people using communications networks
  • You’ll often need to comply with both PECR and UK GDPR
  • PECR dictates a lot of how you market and is often brought into rulings when discussing consent and processing
  • The UK GDPR standard of consent is applied to PECR now that we are past Exit Day (leaving the EU)

Enforced by: The ICO

Applies to: Anyone who provides an electronic communications network or similar service, and anyone who markets electronically (including phone calls), uses cookies or compiles a telephone or similar public directory.

What part does the UK play? While PECR originated as an EU directive, it is firmly embedded in UK law and is regularly updated as technology changes. Now we’re out of the EU, PECR will continue to be updated to ensure that digital trade can continue.

How can my business comply with data protection laws?

This is the million-dollar question.

Compliance with the data protection laws listed above varies depending on what you do, what data you hold, and the geographical areas you operate in. However, there are some general areas that should always be considered when you look at data protection.

Storing data securely

As well as collecting and processing data, storing data in a secure manner is a huge part of data protection. While lawmakers understand that hackers can get through almost anything, you must demonstrate that you have taken reasonable measures to ensure the security of your data.

This falls under the umbrella of cybersecurity, something that ramsac is very passionate about.

ramsac’s advice on cybersecurity

  1. Your human firewall is every bit as important as your digital firewall. Educating your staff, from junior to board level, is just as important as putting in software procedures to secure the systems you have.
  2. Creating a secure system requires regular review. As hackers get more intelligent, your systems need to keep up. Out-of-date software carries known vulnerabilities and may no longer receive security updates.
  3. Understand your risks. Conducting a digital risk assessment can help you to understand your weaknesses. ramsac can help you with an IT best practice assessment.

Does where I operate from change the data requirements?

Yes, the economic and geographic area you operate in determines what laws you need to comply with.

I’m a UK headquartered business, but I have some customers in the EU. What do I need to do?

If you’ve got EU customers, you’ll need to comply with GDPR, UK GDPR and DPA 2018. As well as these three regulations, you may also need to comply with additional laws in the specific country of your customer.

For example, for a customer based in Germany who requires you to process their data and transfer it back to them for report creation and analysis, you would need to comply with local German law (Schrems II etc.), EU GDPR and processing laws in the UK.

As you can see, the amount of legislation surrounding data processing means that any decision must be carefully considered before it can continue.

Data protection is such a wide, expansive topic, and something we could discuss for hours. The best thing to do is to evaluate what you’re doing, plan everything, design data protection into your systems from the beginning, execute your plan, and document what you’ve done.

Speak to ramsac today if you want to know what we do to comply with GDPR or if you want to understand more about data protection in your business, and how we can help.
