Category: Data Protection
Data protection is the legal and operational discipline of handling personal data lawfully, fairly, and securely under UK GDPR and the Data Protection Act 2018. This section covers the compliance questions organisations actually face: choosing and documenting the right lawful basis, carrying out DPIAs, responding to subject access requests, planning for data breaches, and deciding how the DPO function should be resourced. It is written for the people responsible for making these decisions in practice – senior teams, compliance leads, and anyone who has inherited data protection alongside another role – with the emphasis on getting to a defensible position rather than reciting the legislation. If you need support with any of it, see our Data Protection advisory services.
Legitimate Interests vs Consent: Getting the Lawful Basis Right
Consent and legitimate interests are both valid lawful bases under UK GDPR, but work very differently. Here’s when each is the right fit, and what goes wrong when the wrong one is chosen.
How to Respond to a Subject Access Request Without Over- or Under-Disclosing
A subject access request entitles someone to a copy of their personal data. Here’s how to scope the response correctly, what the “provide a copy” standard actually means, and when data can be withheld.
What Does a UK GDPR-Compliant DPIA Actually Look Like?
A DPIA is a legal requirement for high-risk processing under UK GDPR. Here’s what a compliant one actually covers, who needs to be involved, and the most common mistake organisations make.
Outsourced DPO vs In-House: What’s the Real Difference?
An outsourced DPO provides the independent oversight required under UK GDPR without the cost of a full-time hire. Here’s how outsourced and in-house DPO arrangements actually differ, and how to decide which fits your organisation.
Data Breach Response Plans: A Compliance-Driven Guide
A personal data breach is any security incident affecting personal data. This guide sets out a straightforward, UK GDPR-compliant approach to detecting, assessing, notifying, and documenting a breach.