The UK GDPR and UK Data Protection Law: An Overview

Data is a valuable asset which requires robust protection. In January 2023, the United Nations estimated 68% of the world’s population are mobile phone users and 59.4% are active social media users. Therefore, access to, use of, and the safe disposal of data is a rapidly expanding area of legislation and litigation.

What is the UKGDPR?

Following the UK’s withdrawal from the EU, the GDPR was replaced by the UK GDPR. The UK GDPR is the GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (SI 2020/1586).” (Driver v CPS [2022] EWHC 2500 (KB), per Knowles J at [3])

What role does the Data Protection Act 2018 play?

The Data Protection Act 2018 (“DPA 18”) is the UK’s implementation of the EU’s General Data Protection Regulation (“GDPR”) which ceased to be directly effective in the UK following Brexit. DPA 18 is domestic primary legislation which supplements the UK GDPR.

Section 2 of the DPA 18 concerns the protection of individuals regarding the processing of their personal data by requiring such data to be processed lawfully and fairly with the data subject’s consent or on another specified basis. Similarly, Article 5(1) of the UK GDPR specifies lawfulness, fairness, and transparency as one of the seven key principles relating to the processing of personal data, illustrating the synergy between the two pieces of legislation.

Who is affected by the UK GDPR?

The UK GDPR applies to processing carried out by organisations operating within the UK, or organisations which operate outside of the UK but offer goods or services to individuals within the UK. The legislation applies to both controllers, who determine how and why personal data should be processed, as well as processors, who may hold legal liability for breaches.

It does not apply in some exceptional cases, including:

  • Processing covered by the Law Enforcement Directive
  • Processing for national security purposes
  • Processing carried out by individuals purely for personal/household activities

Not all data is created equal

Personal data is defined in the UK GDPR at Article 4(1): Processing of personal data is defined in the UK GDPR at Article 4(2):

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly (alongside other information), in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This includes, inter alia, an individual’s name, home address and email, photographs of the person, as well as financial information like bank cards or account numbers, or online information such as IP addresses or cookie identifiers. It does not include data relating to deceased persons.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

For example, a teacher emailing an office manager with a child’s updated address would be a processing activity. By committing the address, as given by the parent orally in the playground, to writing and sending it via email to another person, the teacher is processing the data. By entering the information in the school’s database, the office manager is further processing the data. When the headteacher sends a letter home that a child has behaved well, her act of taking the address from the database and writing it on a letterhead is a further processing activity.

Therefore, it is necessary for organisations to have appropriate policies and security measures in place to comply with Article 5(f) of the UK GDPR which states personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” For example, the database of addresses should be stored on an encrypted device, and it is unlikely to be necessary for all employees to have permanent access to the database.

Article 9 UK GDPR considers special categories of personal data which require enhanced legislative protection. Processing of certain categories of personal data and genetic data shall be prohibited. This includes data revealing:

  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or data concerning a natural person’s sex life or sexual orientation.

Article 9 is qualified by Article 9(2) UK GDPR which cites limited circumstances in which special categories of personal data can be lawfully processed. For example, a data subject may give their explicit consent to the processing or it may be necessary to process data for reasons of substantial public interest or medical diagnosis.

Bringing a DPA 18 Claim

Damages can be recovered and other remedies obtained for breaches of data protection regulations pursuant to sections 168 and 169 of the DPA 2018, including simply for the distress caused absent specific pecuniary loss (Vidal-Hall v Google [2016] Q.B. 1003).

Due to the low threshold to bring a claim, courts have begun to take a more stringent approach to both liability and assessment of damages in such claims, to discourage claims where there has perhaps been a technical breach but the damage in the form of distress is arguably not significant. Not every data breach, even if it satisfies the legal criteria, is actionable, it must surpass the de minimis threshold, thereby the distress caused must not be trivial in nature (per Sir Geoffrey Vos at [55] in Lloyd v Google [2020] QB 747.)

Geoffrey Driver v CPS [2022] EWHC 2500 (KB)illustrates the potential for low quantum awards in cases where distress marginally surpasses the de minimis threshold:

[168] “I am prepared to accept that the Claimant would have experienced a very modest degree of distress upon discovering that the CPS’s email had been sent to political opponents and the media by someone who had a grievance against him in an effort (as I find) to embarrass him.”

[169] “Given all of the circumstances, I consider that this data breach was at the lowest end of the spectrum. Taking all matters together in the round, I award the Claimant damages of £250. I will also make a declaration that the Defendant breached the Claimant’s rights under Part 3 of the DPA 2018.”

Different Causes of Action

DPA 2018 claims often appear in combination with other causes of action such as:

  • Breach of Confidence
  • Misuse of Private Information
  • Section 6 of the Human Rights Act 1998 / Article 8 ECHR

However, Master Thornett’s decision in Johnson v Eastlight Community Homes [2021] EWHC 3069 cautions Claimants against bringing multiple alternative causes of action which provide for the same relief, where nothing further is added to the claim. The Master also concluded the trite principle of Jameel abuse was not confined to non-statutory torts and remained applicable to Article 82(1) GDPR.

Sophie Mitchell and Ellie Guildford are barristers at St Pauls Chambers, specialising in data protection law, privacy, harassment and defamation. If you would like to discuss your data protection case, please don’t hesitate to contact our clerking team.

Featured insights

What happens if you drive without a licence?
What are the penalties for Benefit Fraud?
Stages of Money Laundering explained

Contact Us

Chambers is centrally located within walking distance of the train station, secure car parks and the Courts.

Contact Us

St Pauls Chambers
Park Row House
19-20 Park Row

For out of hours assistance please call the senior clerk on 07854170429.

The switchboard will open from 08:30 until 17:30

Phone: +44 (0)1132 455 866
Email: [email protected]
CJSM: [email protected]

Portfolio Builder

Select the expertise that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)