GDPR & Data Handling Basics
Practical GDPR awareness for operational teams — what counts as personal data, how to handle it, and what to do when something goes wrong.
What counts as personal data
Personal data is any information that relates to an identified or identifiable living person. This includes obvious items like names, email addresses, phone numbers and home addresses, but also IP addresses, location data, cookie identifiers, and anything that could be combined with other information to identify someone. If you are unsure whether something counts as personal data, treat it as if it does until confirmed otherwise.
Lawful basis: why you need one
Under GDPR, you cannot process personal data without a lawful basis. For most operational tasks in a business, the relevant bases are: contract (you need the data to fulfil a service), legal obligation (a law requires you to hold it), or legitimate interest (your business has a genuine reason proportionate to the impact on the individual). If none of these apply, you shouldn't be processing the data.
Employee data rules
Employee data is personal data. Payroll records, performance reviews, absence records, health information and disciplinary records are all subject to GDPR. Access to employee data should be limited to those with a clear need. HR data should never be discussed in group chats, shared by email unnecessarily, or left visible on shared screens. Treat colleague data with the same care as client data.
Subject access requests
Any individual whose personal data your organisation holds has the right to request a copy of it. This is called a Subject Access Request (SAR). If you receive a SAR, do not attempt to handle it yourself — escalate it immediately to your data protection contact or line manager. There are strict deadlines (typically 30 days) and specific requirements for what must be provided.
What to do if something goes wrong
A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes sending an email to the wrong person, losing a device containing personal data, or discovering unauthorised access to a system. Report any suspected breach to your manager or data protection contact immediately. Under GDPR, certain breaches must be reported to the ICO within 72 hours — delays in internal reporting make this impossible.
Portal completion
Assigned users complete this module, assessments, acknowledgements and evidence requirements inside the Lumio-Tek Portal.