Contact one of our advisors now Call 0800 088 6004

Guide to UK Data Protection Law

Reasons to choose Wilson Browne

Data privacy and protection are of utmost importance in today’s digital world.

Businesses and organisations that deal with personal data must understand their roles and responsibilities in processing and controlling that data.

But so too must those who are engaged by those businesses as individuals have personal responsibility when handling data.

Responsibilities are dependent on the role of those handling the data. The two critical roles in this regard are data controller and data processor.

But how do you know which of the roles (if either) apply? This FAQ is designed to help answer this and other data protection related questions.

What is a Data Controller?

A data controller is an entity that determines the purposes and means of processing personal data.

Data controllers are responsible for ensuring that the data is collected and processed in compliance with data protection laws.

This includes determining what data is collected, how it is used, and who it is shared with.

Who can be a data controller?

Data controllers can be individuals, organisations, or public authorities.

They have legal obligations to protect the data they collect and process and must ensure that they comply with data protection laws, such as the retained EU law version of the General Data Protection Regulation (‘GDPR’).

Examples of data controllers include social media platforms, healthcare providers, financial institutions and sole traders.

These entities (businesses and individuals) collect and process personal data to provide services to their users, patients, and customers.

What is a Data Processor?

A data processor is an entity that processes personal data on behalf of a data controller.

They act under the authority of the data controller and follow their instructions regarding how the data is processed. Data processors can be individuals or organisations that provide services to the data controller, such as IT services or data storage.

Data processors are not responsible for determining the purposes or means of processing personal data. However, they have legal obligations to protect the data they process and must comply with Data Protection laws.

They are also required to have a contract with the data controller that outlines their responsibilities and obligations.

Examples of data processors include cloud service providers, payroll processing companies, and marketing agencies. These entities process personal data on behalf of their clients, the data controllers.

What are the key Differences between Data Controller and Data Processor?

The main difference between a data controller and a data processor is that the data controller determines the purposes and means of processing personal data, while the data processor processes the data on behalf of the data controller.

Data controllers are responsible for ensuring that personal data is processed in compliance with Data Protection laws.

They must have a legal basis for collecting and processing personal data and must obtain the consent of the data subject if necessary.

They are also responsible for providing data subjects with certain rights, such as the right to access their personal data, correct it, or have it erased.

Data processors, on the other hand, do not determine the purposes or means of processing personal data. They must follow the instructions of the data controller and comply with Data Protection laws.

They are also required to have appropriate security measures in place to protect the data they process.

How do you determine whether you are a controller or processor?

It is important to remember that neither organisations nor individuals are, by their nature, either a controller or a processor.

Instead, consider the personal data and the processing activity that is taking place, and consider who is determining the purposes and the manner of that specific processing.

You need to ask whether the organisation or individual decides:

  • to collect personal data in the first place;
  • the lawful basis for doing so;
  • what types of personal data to collect;
  • the purpose or purposes the data are to be used for;
  • which individuals to collect data about;
  • whether to disclose the data and if so, to whom;
  • what to tell individuals about the processing;
  • how to respond to requests made in line with individuals’ rights; and
  • how long to retain the data or whether to make non-routine amendments to the data.

These are decisions that determine the purposes and means of the processing.

Therefore, if you make any of these decisions, it is likely that you are a controller. However, within the terms of its contract with the controller, a processor may decide:

  • what IT systems or other methods to use to collect personal data;
  • how to store personal data;
  • the details of the security measures to protect personal data;
  • how it will transfer personal data from one organisation to another;
  • how it will retrieve personal data about certain individuals;
  • how it will ensure it adheres to a retention schedule; and
  • how it will delete or dispose of the data.

How does an organisation know whether they have to register to the Information Commissioner Office (‘ICO’)?

Every organisation or sole trader who processes personal information needs to pay a Data Protection fee to the ICO, unless they are exempt.

You can use this ICO web form (compromising of 5 questions) to determine whether you are exempt.  See here

What are the consequences of failing to register with the ICO?

Fines range from £400 to £4,000.

What is a Data Subject Access Request (‘DSAR’)?

A DSAR is a legal right under UK Data Protection law that allows individuals to access personal information held about them by organisations.

It is not just employees who can make the request – any individual whose data is processed can make a request.

A DSAR is a request made by an individual to an organisation asking for access to their personal data.

The request can be made in writing. Personal data is any information that can identify an individual, such as name, address, email address, and phone number.

Why do individuals make a DSAR?

There are many reasons why an individual may wish to make a DSAR.

For example, they may want to know what personal data an organisation holds about them, or they may want to check that the information held is accurate and up to date.

They may also want to understand how their data is being used, and whether it is being shared with any third parties.

In some cases, individuals may want to make a DSAR to exercise their other rights under the Data Protection law.

For example, they may want to request that their personal data be deleted, or that any inaccurate information is corrected.

DSARs can also be made as part of a claim strategy.

How are DSARs made?

To make a DSAR, an individual should contact the organisation in writing or verbally and request access to their personal data. The request should include:

  • The individual’s name and contact details
  • The specific personal data they are requesting
  • Any relevant dates or time periods related to the personal data
  • Any additional information that may help the organisation locate the personal data, such as a reference number or account number

It is important to note that an organisation may ask for additional information to verify the identity of the person making the request.

This is to ensure that personal data is not shared with the wrong person.

Is there a time limit for responding to a DSAR?

Yes, the controller of the data must respond to the request without undue delay and within one month of receipt of the request.

However, in certain circumstances, the controller may be allowed to extend the time limit by an additional two months.

This may be the case where the request is complex, or the data subject has made multiple requests.

If an extension is required, the controller must inform the data subject within one month of receipt of the request and provide an explanation for the delay.

It is prudent to take advice on whether a request is complex or how many requests amount to “multiple requests”, as inappropriately applying this extension can have financial consequences.

Can I charge someone who makes a DSAR?

In most circumstances, the answer is “no”.

However, an organisation can charge a reasonable fee to cover their administrative costs if the request is ‘manifestly unfounded or excessive’.

An unfounded request is one that is made with no reasonable justification or motive, or which seeks to harass an organisation.

An excessive request is one that is particularly burdensome, such as a request for a large amount of data or repeated requests for the same information.

It is prudent to take advice on whether a request is manifestly unfounded and/or excessive, as getting this wrong can have financial consequences.

Can we refuse to respond to the DSAR?

Yes. The Information Commissioners Office (ICO) website contains helpful guidance on exemptions.

However, these exemptions will need to be carefully considered, as inappropriately applying for an exemption can have financial consequences.

What information do we have to provide?

Organisations must provide:

1. Personal data held: organisations must make reasonable efforts to provide all personal data held about the individual; this includes any data held by third parties on the organisation’s behalf. This includes:

  • Documentation which is part of a filing system – both live and archived irrespective of whether it is in hard or electronic format,
  • Communications – Emails and messages on social media accounts if the organisation is the data controller,
  • Personal data contained in datasets,
  • Data contained on personal devices which are used for work purposes under a “Bring your own Device” policy, and
  • Records – e.g computer log-on records.

2. Purpose of processing: provide information about the purpose for which the data was collected and how it has been processed.

3. The rights to rectification, erasure, and restriction.

4. Details of the complaints process: this includes the right to complain to the ICO if they are not satisfied with the organisation’s response to their DSAR.

Can we refuse to provide any information?

There are certain circumstances in which an organisation can refuse to provide certain information to a data subject. This includes:

  1. Disproportionate, excessive and repeat data requests;
  2. Data containing third-party data;
  3. Legally privileged data; and
  4. Data which may give rise to a security risk or disclose business secrets.

Any instance of refusal should be carefully considered.

In many instances, it is preferable to redact the information to be disclosed as opposed to refusing full disclosure.

Either way, the organisation must provide a valid reason for refusing to provide information in response to a DSAR.

For this reason, specialist advice is generally taken before withholding information.

What if we refuse all/part of a request?

The decision not to comply with/withhold (including by redaction) some or all information can be appealed to the organisation itself.

You must respond to the appeal within a reasonable timeframe.

If the individual remains dissatisfied with your response to the DSAR after an appeal, the individual can then complain to (ICO).

The ICO is an independent regulatory body that enforces data protection laws in the UK.

The ICO can investigate the complaint and take enforcement action against the organization if necessary.

Is a Freedom of Information (‘FOI’) Request the same as a DSAR?


Freedom of Information laws give individuals the right to access information held by public authorities. In the UK, this right is enshrined in the Freedom of Information Act 2000 (FOIA).

An FOI request is a written request for information that is held by a public authority in the UK.

This can include information held by government departments, local authorities, NHS bodies, schools and universities, the police and other public bodies.

What information can be requested?

Almost any information held by a public authority can be requested under the FOIA, including reports, correspondence, emails, and minutes of meetings.

However, there are some exemptions to the information that can be released, such as information that is subject to legal privilege, personal data, or information that may harm national security.

How can an FOI request be made?

The FOI request needs to be in writing (letter or email) and sent to the public authority to which the request is made.

The request should include:

  • The requester’s contact name and contact details,
  • a clear description of the information requested, and
  • an indication of the format the information is to be provided in (e.g. electronic or paper copy).

Is there a time limit for responding to a FOI request?

Yes, the public authority has 20 working days to respond to an FOI.

If more time is needed, this must be notified to the requester together with a date by which the response will be provided.

Can we charge for responding to a FOI request?

In most cases, no.

Public authorities cannot charge a fee for responding to an FOI request, although there are some exceptions where a fee can be charged for the cost of providing the information.

Can we refuse an FOI request?

Yes, there are specific grounds for refusing a request.

However, there are consequences for inappropriately refusing the request.

If your request is refused, the individual may ask for a review of the refusal decision.

Complaints can also be made to the ICO, who is responsible for enforcing the FOIA in the UK.


Should you have any queries in relation to Data Protection, DSAR or FOI request, please do not hesitate to get in contact with our employment law team on 0800 088 6004.