Organisations of all sizes routinely work with personal data, whether relating to staff, clients, partners or service users. As digital systems become increasingly interconnected, personal data can flow through business software, cloud platforms, mobile devices and even third-party tools.
General Data Protection Regulation (GDPR) sets the expectations for how that information should be managed securely, transparently and responsibly.
In the UK, these responsibilities come from the UK GDPR and the Data Protection Act 2018, which together emphasise the importance of safeguarding personal information throughout its lifecycle.
Understanding GDPR also helps lay the groundwork for organisations considering recognised information security standards, such as ISO 27001. This standard outlines controls that support good privacy practice and risk management – making it a useful reference point for those developing a broader information governance approach.
What GDPR Means for Organisations
GDPR applies to any organisation processing personal data belonging to people in the UK or EU. For modern SMEs, this often includes data held in HR platforms, CRM systems, operational tools, customer portals, or information processed through third-party software and suppliers.
Central GDPR expectations include clarity on:
- What data is collected
- Why it is collected
- How it is used
- How long it is retained
- How it is stored and secured
ISO 27001 also reinforces these considerations. Its focus on information security risk management and operational controls helps organisations manage and protect personal data consistently.
Why GDPR Matters
GDPR provides a framework for how organisations handle personal information, supporting transparency and trust.
The Information Commissioner’s Office (ICO) may take action where organisations do not meet their obligations, including:
- Corrective measures
- Requirements to notify affected individuals
- Financial penalties (up to £17.5 million or 4% of global annual turnover)
Beyond enforcement, GDPR helps organisations:
- Build confidence with clients and stakeholders
- Strengthen operational resilience
- Support cyber security and data governance
- Reduce the likelihood of data incidents
These considerations align with broader risk-management-based standards, including ISO 27001 and ISO 22301 for business continuity.
What Counts as Personal Data?
Personal data refers to any information that can identify a living individual, directly or indirectly.
For many organisations, this includes:
- Employee and HR records
- Client contact details
- Supplier or partner information
- IP addresses or online identifiers created by digital tools
- Usage data generated by systems, applications or hardware
What Is Special Category Data in GDPR?
Some personal data requires enhanced protection because of its sensitive nature and the potential risk to individuals’ rights and freedoms if it is misused or disclosed. This includes:
- Health information
- Biometric or genetic data
- Racial or ethnic origin
- Sexual orientation
- Religious or philosophical beliefs
For businesses, processing this type of data is subject to stricter conditions under the UK GDPR. Organisations must have a clear and valid lawful basis and apply additional safeguards to protect this information from unauthorised access, loss or misuse.
What Is Criminal Offence Data?
Criminal offence data refers to information about an individual’s criminal convictions or offences. Under the UK GDPR, this type of data is treated separately from special category data and is subject to additional safeguards under Article 10.
For organisations that process criminal offence data – such as those in security, finance, or employment screening – this means they must ensure that there is a lawful basis for processing and that the processing is authorised under UK law.
Identifying if criminal offence data is held or processed within your systems is a key part of understanding your privacy and information security risks. This aligns with ISO 27001’s requirement to determine information assets and assess associated risks as part of a risk-based approach.
Key GDPR Principles
GDPR is built around seven core principles that shape responsible information handling. These include ensuring data is:
- Used lawfully, fairly and transparently
- Collected for specific, legitimate purposes
- Limited to what is necessary
- Accurate and kept up to date
- Retained only as long as needed
- Protected against unauthorised access, loss or damage
- Managed in a way that demonstrates accountability
Businesses can find that these principles align naturally with ISO 27001, especially around asset management, access control, and retention policies.
Lawful Bases for Processing Personal Data
Every processing activity must have a lawful basis under the UK GDPR. These are the six legal bases for processing personal data:
1. Consent
The individual has given clear, informed permission for their data to be processed for a specific purpose.
2. Contract
Processing is necessary to fulfil a contract with the individual, or to take steps before entering into a contract.
3. Legal obligation
The processing is required to comply with a legal duty (excluding contractual obligations), such as employment law or tax rules.
4. Vital interests
Processing is necessary to protect someone’s life. This is typically used in emergency or life-threatening situations.
5. Public task
The processing is necessary for a public authority or organisation carrying out an official function in the public interest.
6. Legitimate interests
Processing is necessary for an organisation’s legitimate interests or those of a third party, unless these are overridden by the individual’s rights and freedoms.
The most appropriate lawful basis depends on the nature of your activities and your relationship with individuals. It must be identified before processing begins and documented clearly.
Rights of Individuals
Individuals have defined rights over their data, including:
- Being informed
- Accessing data
- Rectifying inaccuracies
- Requesting deletion
- Restricting processing
- Data portability
- Objecting
- Challenging automated decision-making
Having internal mechanisms to recognise and respond to these rights helps organisations meet GDPR expectations and contributes to good information governance.
This could include maintaining a rights request log, establishing internal response timelines, assigning responsibilities to a named contact, or using templated responses to ensure consistency. While each organisation’s approach may differ, the goal is to ensure rights requests are handled clearly, fairly, and within the required timeframes.
Practical Considerations for Organisations
Below are common areas organisations focus on when reviewing their GDPR approach.
1. Assigning responsibility
Some organisations are legally required to appoint a Data Protection Officer (DPO). Others assign data protection responsibilities internally to someone with appropriate knowledge.
A DPO’s core responsibilities include monitoring the organisation’s compliance with data protection law, advising on data protection impact assessments (DPIAs), acting as a point of contact for the Information Commissioner’s Office (ICO), and serving as a contact for individuals whose data is being processed. The DPO must operate independently and report to the highest management level.
2. Understanding the data you handle
This often involves reviewing:
- The types of data held
- Where it is stored
- Who has access
- How long it is retained
- How it is secured
For example, an organisation may start by mapping the flow of personal data across internal systems and third-party platforms. This might involve working with department leads to identify what data is collected, how it moves through the organisation, and any points where it is stored, shared or deleted. This type of overview can help highlight areas where data protection risks or improvement opportunities may exist.
3. Keeping privacy information clear
Privacy notices should explain how personal data is collected, used and shared, helping individuals understand how their information is managed.
4. Responding to rights requests
Organisations need appropriate procedures to recognise rights requests and manage them effectively.
A rights request is a formal request made by an individual to exercise one or more of their data protection rights under the UK GDPR. These include the right to access their personal data, request corrections, object to processing, or request erasure, among others. These requests must be responded to without undue delay and, in most cases, within one calendar month.
5. Handling data breaches
A personal data breach may result from cyber incidents, human error, compromised accounts or misdirected information.
Where a breach presents a risk to individuals, the ICO must be notified within 72 hours.
6. Maintaining records of processing activities
Maintaining records of processing activities helps organisations demonstrate accountability under the UK GDPR. These records typically include information such as the purposes of processing, the types of data involved, who the data is shared with, how long it is retained, and the security measures in place.
For example, a business might maintain a central register or spreadsheet that logs each type of personal data it processes, the lawful basis for doing so, and any third parties that data is shared with. This helps ensure transparency and supports effective data protection governance.
7. Raising awareness
Training helps staff understand their roles in protecting personal data and supports consistent day-to-day practices.
GDPR, ISO 27001 & 27701
While GDPR is a legal requirement, recognised standards can help organisations strengthen their approach to information security and privacy.
- ISO 27001 provides a structured approach to managing information security risks through defined controls, policies and processes.
- ISO 27701 builds on this by adding specific requirements for managing personal data and supporting privacy governance.
The table below shows how these standards can help support some of the key areas covered by the UK GDPR.
| GDPR Topic | ISO 27001 | ISO 27701 | How it helps |
|---|---|---|---|
| Managing information security | ✅ | ✅ | Provides security controls to protect data |
| Taking a risk-based approach | ✅ | ✅ | Encourages identifying and managing data protection risks |
| Handling individual rights requests | ⚠️ Partial | ✅ | 27701 includes processes to manage data subject rights |
| Keeping records of data use | ⚠️ Partial | ✅ | 27701 supports keeping records of processing activities |
| Building privacy into systems and processes | ✅ | ⚠️ Partial | Helps design controls that support data protection by design |
| Identifying a lawful basis for processing | ❌ | ✅ | 27701 includes governance controls to document legal grounds for processing |
| Managing third-party data processors | ✅ | ✅ | Both cover supplier management and contractual controls |
| Responding to data breaches | ✅ | ✅ | Includes controls for incident response and reporting |
Being certified to ISO/IEC 27001 or ISO/IEC 27701 doesn’t mean you’re automatically GDPR compliant. These standards can help you manage risks and put the right controls in place — but you’ll still need to make sure you meet all legal requirements under the UK GDPR.
Ongoing Responsibility
Data protection is an ongoing responsibility. As organisations grow or introduce new processes or systems, the flow of personal data may change.
Maintaining GDPR alignment can involve:
- Reviewing processes periodically
- Updating documentation
- Refreshing staff awareness
- Monitoring risks and security controls
This ongoing approach complements broader resilience practices seen in standards such as ISO 27001 and ISO 22301.
To learn more about how recognised standards such as ISO 27001 can support effective information security and privacy governance, contact our team today.