Understanding data protection legislation
iCan Qualifications Limited, Occupational Qualification, Business Administration Revision

    Topic Synopsis

    This element equips learners with foundational knowledge of key UK data protection legislation, including the UK GDPR, the Data Protection Act 2018, and the Freedom of Information Act 2000. It explores the purposes, principles, and scope of each law, enabling individuals to handle personal data lawfully and respond to information rights requests in a business context. Practical application includes recognising how these laws impact daily administrative tasks such as record-keeping, data sharing, and responding to subject access or freedom of information requests.


    iCQ Level 2 Certificate in Data Protection and Data Security Principles

    Topic Overview

    The iCQ Level 2 Certificate in Data Protection and Data Security Principles is designed for students pursuing a career in Business Administration. This qualification covers the core legal and practical aspects of handling personal data in a business environment. You will learn about the key principles of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, including how to lawfully collect, store, and process personal data. Understanding these principles is essential for any administrative role, as data breaches can lead to severe penalties and reputational damage for organisations.

    This topic matters because data protection is a legal requirement for all UK businesses. As an administrator, you may be responsible for managing customer records, employee files, or marketing databases. The course teaches you how to identify personal data, apply the six data protection principles, and respond to subject access requests. It also covers practical security measures like password policies, encryption, and secure disposal of data. By mastering these concepts, you will help your employer comply with the law and build trust with clients and stakeholders.

    Within the wider subject of Business Administration, data protection sits alongside other compliance areas such as information governance and records management. It is a foundational skill that supports efficient and ethical business operations. The qualification also prepares you for more advanced studies in data protection or for roles such as Data Protection Officer (DPO) or compliance assistant.

    Key Concepts

    Core ideas you must understand for this topic

    • Personal data: Any information relating to an identified or identifiable living individual, such as name, email, IP address, or health data.
    • Six data protection principles (UK GDPR Article 5(1)): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security). Article 5(2) adds the accountability principle: the controller must be able to demonstrate compliance with the other six.
    • Lawful basis for processing: at least one of the six bases in Article 6 must apply, namely consent, contract, legal obligation, vital interests, public task, or legitimate interests. The basis must be identified before processing starts and recorded in the privacy notice.
    • Data subject rights: Including the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making.
    • Data breaches: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected individuals must also be told without undue delay. Every breach, notifiable or not, should be recorded internally.

    Learning Objectives

    What you need to know and understand

    • Understand the General Data Protection Regulation
    • Understand the purpose of the Data Protection Act
    • Understand the purpose of the Freedom of Information Act

    Assessment Criteria

    Key criteria assessors look for in your portfolio

    • Award credit for clearly distinguishing between the UK GDPR, the Data Protection Act 2018, and the Freedom of Information Act 2000 in terms of purpose and scope.
    • Award credit for accurately outlining the key principles of the UK GDPR (e.g., lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability).
    • Award credit for explaining how the Data Protection Act 2018 supplements and tailors the UK GDPR for national application, including exemptions and the role of the Information Commissioner's Office.
    • Award credit for describing the main purpose of the Freedom of Information Act 2000 as granting public access to information held by public authorities, and identifying the types of bodies it applies to.
    • Award credit for providing workplace examples that illustrate the practical differences between a subject access request under data protection law and a freedom of information request.

    Assessment Guidance

    Guidance for achieving higher grades

    • 💡Use real-world scenarios from a typical business environment to demonstrate application of each law, such as how an HR department handles employee data or how a local council responds to FOI requests.
    • 💡Be prepared to compare and contrast the three pieces of legislation, highlighting key differences in who they apply to and the rights they confer.
    • 💡Learn the UK GDPR principles thoroughly (the six in Article 5(1) plus accountability in Article 5(2)) and be able to explain each in simple terms, linking them to practical examples. Do not confuse them with the eight principles of the repealed Data Protection Act 1998.
    • 💡In written assessments, always specify the correct legislation when referring to specific rights or obligations—avoid vague references to 'data protection law'.
    • 💡If required to advise on a scenario, clearly state which law applies, the relevant sections or principles, and the recommended lawful action.
    • 💡Always refer to the specific legislation: the UK GDPR and the Data Protection Act 2018. Mentioning the ICO (Information Commissioner's Office) as the regulator shows depth of knowledge.
    • 💡When answering scenario-based questions, apply the six principles step by step. For example, if asked about a data breach, explain the notification requirements and the potential impact on data subjects.
    • 💡Use real-world examples to illustrate your points, such as a company sending marketing emails with no lawful basis (a breach of the lawfulness, fairness and transparency principle, and usually of the PECR marketing rules as well) or keeping customer data for longer than it needs it (a breach of storage limitation).

    Common Mistakes

    Common errors to avoid in your coursework

    • Confusing the UK GDPR with the Data Protection Act 2018, treating them as interchangeable rather than complementary pieces of legislation.
    • Assuming that the Freedom of Information Act applies to private businesses; it applies only to public authorities, so applying it to a company's records is incorrect.
    • Believing that the Freedom of Information Act gives individuals access to their own personal data, when in fact that is covered by subject access rights under data protection law.
    • Overlooking the fact that the UK GDPR applies both to personal data processed by automated means and to manual records held in a structured filing system, not just to digital data.
    • Failing to recognise that data protection principles are legal obligations, not optional guidance, and that non-compliance can result in significant penalties.
    • Misconception: 'Consent is always the best lawful basis.' Correction: Consent is just one of six bases and is not always appropriate. For example, processing employee data often relies on 'contract' or 'legal obligation' instead.
    • Misconception: 'Anonymised data is still personal data.' Correction: Data that has been truly anonymised, so that no individual can reasonably be re-identified, is not personal data and falls outside the UK GDPR. Pseudonymised data (where direct identifiers are replaced by a token or code) is still personal data, because the additional information needed to reverse it, such as the key or lookup table, exists and must itself be protected and kept separately.
    • Misconception: 'Only digital data needs protecting.' Correction: Personal data in paper files, such as handwritten notes or printed reports, must also be secured. Physical security measures like locked cabinets are equally important.
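As an added example (not part of the iCQ materials) of the pseudonymised-versus-anonymised distinction in the list above, the Python below pseudonymises some constructed customer records with a keyed HMAC and shows that whoever holds the lookup table, or the key, can re-identify the people, which is why the data remains personal data. It then produces an aggregated release with direct identifiers dropped, quasi-identifiers generalised and small groups suppressed, for which no key or table exists to reverse. The records, the key value, the field names and the k threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample customer records (fictitious people) so the example runs
# offline. The schema (name, email, age, postcode, spend) is assumed.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "age": 34, "postcode": "SW1A 1AA", "spend": 120.0},
    {"name": "Bob Sample", "email": "bob@example.test", "age": 37, "postcode": "SW1A 2BB", "spend": 80.0},
    {"name": "Carol Demo", "email": "carol@example.test", "age": 31, "postcode": "SW1A 3CC", "spend": 45.5},
    {"name": "Dan Test", "email": "dan@example.test", "age": 58, "postcode": "M1 1AE", "spend": 300.0},
]

# Assumed controller secret. In practice it lives in a secrets store, separate
# from the pseudonymised dataset, because it is the "additional information"
# that lets the dataset be reversed.
PSEUDONYM_KEY = b"controller-secret-key-example"

# Smallest group the anonymised release is willing to publish (assumed value).
K_THRESHOLD = 2


def pseudonym(email: str, key: bytes) -> str:
    """Deterministic keyed token for an identifier.

    A keyed HMAC rather than a bare hash: without the key, an attacker cannot
    rebuild tokens by hashing guessed e-mail addresses.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace direct identifiers with a token; return rows plus the lookup table.

    The lookup table must be stored separately from the rows. While it (or the
    key) exists, the rows are still personal data under the UK GDPR.
    """
    rows, lookup = [], {}
    for r in records:
        token = pseudonym(r["email"], key)
        lookup[token] = r["email"]
        rows.append({"subject": token, "age": r["age"], "postcode": r["postcode"], "spend": r["spend"]})
    return rows, lookup


def reidentify(token, lookup):
    """Anyone holding the lookup table gets straight back to the person."""
    return lookup.get(token)


def reidentify_by_guessing(token, key, candidate_emails):
    """Anyone holding the key can re-identify without the table, by recomputing
    tokens for a list of candidate identifiers (e.g. the company's mailing list)."""
    for email in candidate_emails:
        if hmac.compare_digest(pseudonym(email, key), token):
            return email
    return None


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records, k=K_THRESHOLD):
    """Aggregate to counts over generalised attributes, suppressing small groups.

    Identifiers are dropped entirely, quasi-identifiers are generalised
    (age -> band, postcode -> outward code) and only groups of at least k people
    are released. Nothing is retained that could map a count back to a person.
    """
    groups = Counter()
    for r in records:
        outward = r["postcode"].split()[0]
        groups[(age_band(r["age"]), outward)] += 1
    return {g: n for g, n in groups.items() if n >= k}


if __name__ == "__main__":
    rows, lookup = pseudonymise(RECORDS, PSEUDONYM_KEY)
    emails = [r["email"] for r in RECORDS]
    print("pseudonymised row:      ", rows[0])
    print("re-identified via table:", reidentify(rows[0]["subject"], lookup))
    print("re-identified via key:  ", reidentify_by_guessing(rows[0]["subject"], PSEUDONYM_KEY, emails))
    print("anonymised release:     ", anonymise(RECORDS))
```

Note that the single-person group (the 50-59 band in the M1 area) is suppressed from the anonymised release: publishing a count of one alongside a postcode area and age band would let a motivated reader single that person out, which is the re-identification test the correction above describes.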

    Before You Start

    Prior knowledge that will help with this topic

    • Basic understanding of business administration roles and responsibilities.
    • Familiarity with general IT security concepts like passwords and firewalls is helpful but not essential.
    • No prior legal knowledge is required, but an interest in compliance and ethics is beneficial.
