GDPR Data Processing in the UK: A Practical Guide for Businesses
UK GDPR applies to almost every business that holds personal data — but the rules around lawful processing, data subject rights and compliance obligations are frequently misunderstood. This guide covers what "processing" actually means under the law, which lawful basis applies to your activities, and the practical steps required to stay compliant.
Key Takeaways
- Processing covers far more than most businesses realise — collecting, storing, organising or simply viewing personal data all count
- Every processing activity must have one of six lawful bases; consent is only one of them and often not the most appropriate
- Data minimisation and purpose limitation are practical requirements, not abstract principles
- Data subjects have eight rights under UK GDPR, several of which carry strict response deadlines
- If you use third parties to process data on your behalf, a Data Processing Agreement is a legal requirement
What "Processing" Actually Means
One of the most common misconceptions about UK GDPR is that it only applies to active use of personal data. In fact, the definition of processing is considerably broader. Under Article 4 of UK GDPR, processing means any operation performed on personal data, whether automated or manual.
This includes collecting data, recording it, storing it, retrieving it, using it, disclosing it, and deleting it. If your CRM holds a customer's name and email address and you have never looked at that record, you are still processing personal data. The question is not whether you are processing data — almost certainly you are — but whether you are doing so lawfully.
The Six Lawful Bases for Processing
UK GDPR requires that every instance of personal data processing has a lawful basis. There are six, and you must identify the appropriate one before you begin processing. The ICO's guidance is explicit that you cannot swap lawful bases retrospectively if challenged.
1. Consent
Consent is valid under UK GDPR only when it is freely given, specific, informed and unambiguous. Pre-ticked boxes and vague statements about "improving our services" do not meet the standard. Consent must also be as easy to withdraw as it is to give. It is appropriate for marketing communications and optional features, but is often overused — and can be withdrawn at any time.
2. Contract
You can process personal data without consent when it is necessary to perform a contract with the data subject, or to take steps at their request before entering a contract. Processing a customer's delivery address to fulfil an order is a clear example. The key word is "necessary" — the processing must be genuinely required, not merely convenient.
3. Legal Obligation
Where processing is required to comply with a legal obligation under UK law, no separate consent is needed. Retaining employee payroll records for HMRC purposes is covered here. You should be able to identify the specific legal obligation in question.
4. Vital Interests
This basis applies in genuine emergencies where processing is necessary to protect someone's life. It is a narrow basis, rarely applicable to routine business activities.
5. Public Task
This basis applies to public authorities and to those carrying out tasks in the public interest under UK law. Most private businesses will not rely on it.
6. Legitimate Interests
Legitimate interests is the most flexible lawful basis and the one most applicable to ordinary business activities — fraud prevention, network security, direct marketing to existing customers, and intra-group data sharing are common examples cited by the ICO. It requires a three-part test: identify a legitimate interest, demonstrate that processing is necessary to achieve it, and confirm that the individual's rights do not override it. This balancing test must be documented.
The Data Minimisation Principle
UK GDPR requires that personal data be adequate, relevant and limited to what is necessary for the stated purpose. In practice, this means you should not collect fields you do not need, retain data longer than necessary, or give staff access to data beyond what their role requires.
If your data cleansing process involves working with customer records, data minimisation is part of that exercise — removing fields that serve no current purpose reduces both your compliance exposure and your processing costs.
Purpose limitation is closely related: data collected for one purpose cannot simply be repurposed for something different. If you collected email addresses for order confirmation, you cannot use them for marketing without a separate lawful basis.
Data Subject Rights
Under UK GDPR, individuals have eight rights over their personal data. Businesses must respond to requests within one calendar month in most cases.
- Right of access: Individuals can request a copy of the personal data you hold about them (a Subject Access Request). You must respond within one month and cannot charge a fee in most circumstances.
- Right to rectification: Individuals can require you to correct inaccurate data or complete incomplete data.
- Right to erasure: The "right to be forgotten." Applies in specific circumstances — for example, when consent is withdrawn and there is no other lawful basis.
- Right to restrict processing: Individuals can request that processing be suspended while accuracy or legitimacy is being contested.
- Right to data portability: Applies where processing is based on consent or contract and carried out by automated means. Individuals can request their data in machine-readable format.
- Right to object: Individuals can object to processing based on legitimate interests or direct marketing. For direct marketing, this right is absolute.
- Rights related to automated decision-making: Individuals have the right not to be subject to solely automated decisions that produce significant effects.
- Right to be informed: You must provide clear information about how personal data is used at the point of collection, typically through a privacy notice.
Data Processing Agreements
When you engage a third party to process personal data on your behalf — a payroll provider, a cloud storage service, an analytics platform, or a data processing firm — UK GDPR requires a written Data Processing Agreement (DPA) to be in place before any processing begins.
The DPA must specify the subject matter and duration of processing, the nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It must also require the processor to only act on documented instructions, maintain confidentiality, implement appropriate security measures, and assist the controller in meeting obligations regarding data subject rights.
Practical Steps for UK GDPR Compliance
Data Mapping
Document what personal data you hold, where it came from, what you use it for, who you share it with, and how long you retain it. The ICO refers to this as a Record of Processing Activities (ROPA). Organisations with more than 250 employees are legally required to maintain one; smaller organisations should maintain one as good practice.
Lawful Basis Documentation
For each processing activity in your ROPA, document which lawful basis applies and why. If relying on legitimate interests, document the balancing test. This documentation is evidence of accountability — one of the core principles of UK GDPR.
Data Quality and Retention
Inaccurate, outdated or excessive data is both a compliance risk and a practical problem. A structured data cleansing exercise typically identifies significant volumes of redundant or incorrect records, and establishing retention schedules prevents the problem accumulating again.
Supplier Audit
Review your supplier list for any third parties that process personal data on your behalf and confirm DPAs are in place. Where suppliers are based outside the UK, check that appropriate transfer mechanisms exist.
UK GDPR vs EU GDPR
Since the UK's departure from the EU, UK GDPR has existed as a separate (though largely identical) legal framework. For most practical purposes, compliance with UK GDPR means compliance with EU GDPR, but there are growing divergences to monitor. The ICO is the UK's supervisory authority. The ICO's GDPR guidance and resources pages are the authoritative reference for UK-specific obligations.
Need Help with GDPR-Compliant Data Processing?
UK Data Services handles data processing, cleansing and transformation projects with full GDPR compliance built in. See our GDPR compliance services or data cleaning services for more detail.