Introduction to this document

Data protection obligations summary

Every company holds personal information of some sort, about its staff, customers, suppliers, business contacts and others. Make sure your company meets its data protection obligations.

Personal information

The retention and processing of personal information are governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our summary sets out the conditions that all companies must fulfil in order to keep and use personal information, whether it concerns staff, customers, suppliers, business contacts or others.

The Information Commissioner’s Office (ICO) enforces these obligations and can prosecute companies and individuals for breaching the legislation. It also has the power to carry out audits, to serve improvement or remedial notices and to impose fines where breaches are discovered. The ICO’s website contains information and guidance on compliance with data protection law (

Individuals’ rights

Individuals can request access to the personal information held about them. If your company receives such a request, the individual is entitled to:

  • confirmation as to whether or not their personal data are being processed by the company;
  • access to a copy of their personal data; and
  • information about the purposes for which their data are held and processed, to whom their data have been or will be disclosed, and how long their data are likely to be stored. If the data were not obtained from the individual, they should be told where the data came from, where this is known, and they should be informed about any automated decision-making, such as profiling, involved. They should also be told of their rights to have their data corrected or erased, or their processing restricted, and of their right to complain to the ICO.

If your company receives a data subject access request, it needs to respond within one month of receipt. This period can be extended by a further two months (three months in total) if the request is particularly complex or the individual has made a number of requests, but the company must tell the individual within the first month that it is extending the deadline and why.