GDPR, data protection & your business: your guide to compliance


Data protection and its evolving regulations have long been a point of confusion for many businesses across the globe. Whether you’re running a small team, or the entire business by yourself, navigating the various data protection regulations is no easy feat.

Fortunately, we’ve brought together the information and highlighted key points, providing an explanation of what the laws are and what you need to be aware of.

Data protection is an expansive part of business. It’s always best to seek legal advice if you’re unsure about the specifics of your business operations.

What are the data protection laws I need to know about in the UK right now?

If you’re confused about the acronyms and laws when it comes to data protection, there’s no need to worry. We’ve rounded up everything you need to know.

GDPR (General Data Protection Regulation)

GDPR was one of the biggest changes in data legislation since the original data laws were introduced in 1995. With the state of the world having changed so drastically, law needed to keep up with the times.

The low-down on GDPR:

  • Created by the European Commission
  • Covers member states of the EU
  • Applies to anyone processing data of EU persons or transmitting data through the EU/EEA (European Economic Area)
  • Created in 2016, it is the modern version of the 1995 Data Protection Directive
  • Once enforced, GDPR law had to be in place by 25th May 2018

Enforced by: The EDPS (European Data Protection Supervisor), and the wider European Commission

Applies to: Anyone processing data of any living person in the EU, or holding data in an EU company

What part does the UK play? The UK is now considered a third country in GDPR terms. This means that our rights are considered the same as a country outside of the EU.

Confirmed on June 28th, 2021, the UK received a status that shows it has “adequate” protection laws. This means transfers of data from the EU can move unrestricted.



The UK GDPR is what most businesses will now use going forward, and in terms of how it works, not much has changed. The main differences are to do with the reporting and hierarchy of courts (i.e., removing the European Court of Justice).

The lowdown on UK GDPR:

  • The retained version of GDPR has been named UK GDPR simply for clarity.
  • The UK GDPR “is a single regime for general processing activities.” All this means is that the UK GDPR requires any UK data processing to be done to the same standard as the previous GDPR.

Enforced by: The ICO (Information Commissioners Office) and the Secretary of State

Applies to: Anyone processing data in the UK, or an extra-territorial country (anyone in a non-UK country) who processes data of UK persons.

What part does the UK play? As the UK is considered the focus of the UK GDPR, our companies and our data are the key focus. The UK GDPR requires a good level of data protection, that anyone who processes or holds data on UK people must comply with.

DPA (Data Protection Act) 2018

Updated from the 1998 version, the Data Protection Act was created to ensure that data protection is prepared for the digital age.

The lowdown on DPA:

  • Created to help personalise GDPR for the UK, before the UK GDPR was fully finalised
  • Mentions cybersecurity specifically and brings in bespoke UK sectors such as healthcare and academia
  • Introduced the children’s code on data processing to ensure that young people using the internet are safe

Enforced by: The Secretary of State for the DCMS (Department for Digital, Culture, Media & Sport) and the ICO

Applies to: Any UK organisations that process data

What part does the UK play? As this exclusively applies to organisations in the UK, it’s all focussed on us.

PECR (Privacy and Electronic Communications Regulations) 2003

One regulation that hasn’t really changed drastically since its creation is PECR. Demonstrating the UK’s world-leading approach to data protection for many years, PECR set regulations for consent and processing very early on.

The lowdown on PECR:

  • Covers electronic marketing, cookies and tracking technologies, public electronic communications and privacy of people using communications networks
  • You’ll often need to comply with both PECR and UK GDPR
  • PECR dictates a lot of how you market and is often brought into rulings when discussing consent and processing
  • The UK GDPR standard of consent is applied to PECR now that we are past Exit Day (leaving the EU)

Enforced by: The ICO

Applies to: Anyone who provides an electronic communications network or similar service provider and anyone who markets electronically (including phone calls), uses cookies or compiles a telephone or similar public directory.

What part does the UK play? While this is originally an EU directive, the PECR are firmly embedded in UK law, and are regularly updated with technology. Now we’re out of the EU, PECR will continue to be updated to ensure that digital trade can continue.

How can my business comply with data protection laws?

This is the million-dollar question.

Compliance with the data protection laws listed above varies depending on what you do, what data you hold, and the geographical areas you operate in. However, there are some general areas that should always be considered when you look at data protection.

Storing data securely

As well as collecting and processing data, storing data in a secure manner is a huge part of data protection. While law makers understand that hackers can get through almost anything, you must demonstrate that you have taken reasonable measures to ensure the security of your data.

This falls under the umbrella of cybersecurity, something that ramsac is very passionate about.

ramsac’s advice on cybersecurity

  1. Your human firewall is every bit as important as your digital firewall. Educating your staff, from junior to board level, is just as important as putting in software procedures to secure the systems you have.
  2. Creating a secure system requires regular review. As hackers get more intelligent, your systems need to keep up. Out-of-date software risks vulnerabilities and the end of security updates.
  3. Understand your risks. Conducting a digital risk assessment can help you to understand your weaknesses. ramsac can help you with an IT best practice assessment.

Does where I operate from change the data requirements?

Yes, the economic and geographic area you operate in determines what laws you need to comply with.

I’m a UK headquartered business, but I have some customers in the EU. What do I need to do?

If you’ve got EU customers, you’ll need to comply with GDPR, UK GDPR and DPA 2018. As well as these three regulations, you may also need to comply with additional laws in the specific country of your customer.

For example, for a customer based in Germany who required you to process their data and transfer it back to them in a case of report creation and analysis, you would need to comply with local German law (Schrems II etc.), EU GDPR and processing laws in the UK.

As you can see, the amount of legislation surrounding data processing means that any decision must be carefully considered before it can continue.

Data protection is such a wide, expansive topic, and something we could discuss for hours. The best thing to do is to evaluate what you’re doing, plan everything, design data protection into your systems from the beginning, execute your plan, and document what you’ve done.

Speak to ramsac today if you want to know what we do to comply with GDPR or if you want to understand more about data protection in your business, and how we can help.
