What is UKGDPR

UKGDPR refers to the UK General Data Protection Regulation, and concerns information collected about living individuals for any reason other than personal, family or household purposes.

UKGDPR is about ensuring that people can trust you to use their information fairly and responsibly.

GDPR is European law and applied to the UK before the UK left the European Union (EU). As a result of leaving the EU, UKGDPR replaces European GDPR, and has been the UK law concerning data and information rights since 1 January 2021. The European Commission has adopted its adequacy decision for the UK, which means that the EU has determined that the UK has an adequate level of data protection to allow data to flow between the EU and the UK. In practice, data can flow between the EU and the UK as before.

The principles of data protection laws

There are seven Data Protection Principles. You must abide by them all.

Principle one: Use data fairly and lawfully

Only process personal data when you have a lawful basis to do so.

There are three lawful bases that are likely to be relevant to you. You can process personal data if:

1. The person has given you consent

You are only likely to need consent for marketing, or if you are processing sensitive data. The Data Regulator (the ICO) recommends you obtain consent for all marketing – although some marketing is legally possible without consent.

Sensitive data includes: racial or ethnic origin; political opinions; trade union membership; health; sexual life; data relating to offences and biometric data.

2. It is necessary for the contract

For example, you use customers’ contact details to advise them of the dates and times of lessons. This is likely to cover many commercial arrangements to provide products or services.

3. You have legitimate interests

This is a wide ‘catch all’ category but doesn't cover. You have to show that your interests are not outweighed by the rights and interests of people whose data you are processing.

Principle two: Make your purposes clear

Only use personal data for the purposes for which it is needed.

Clearly explain how you manage and process personal data in a privacy policy – particularly for any processing that may not be obvious, or any marketing activity.

For ideas on writing a privacy policy – look at the ICO’s privacy policy and the associated guidance. Your privacy policy is unlikely to need to be as long or as complicated!

Keep records of your data processing – particularly the details of who has consented or objected to marketing information.

If consent is needed make sure it is an opt-in consent. Opt-out statements like: ‘tick here if you do not want to receive information about our services’ are not acceptable.

Principle three: Only hold the data that you need

Can you justify the personal data that you are holding? If you are collecting personal data that you do not need – securely delete it and do not collect any more.

If you only need data for statistical purposes, anonymise it. Anonymous data is not personal data.

Principle four: Keep personal data accurate and up to date

Be careful that the personal data you collect is accurate, and keep it up to date.

When meeting people check with them that your records are up to date and accurate.

Principle five: Don't hold data longer than necessary

Determine a reasonable period to keep personal data, explain what the period is in your privacy policy, and make sure it is securely deleted at the end of that period. Don’t forget to delete electronic copies too.

It is up to you to justify the retention period in each case – providing you have a reasonable justification for the period, then it will be acceptable.

Customer invoices and order forms are usually maintained for seven years because they may be needed for this period for legal or tax reasons. It is unlikely that you will be able to justify keeping records of a person that has only enquired about your services for that long.

Principle six: Explain the data-giver's rights

Explain to anyone whose data you hold what rights they have. These rights include:

  • A right to have a copy of any data you hold about them
  • A right to stop any marketing messages
  • A right to have inaccurate data corrected

Principle seven: Keep data secure

You must keep personal data secure: encrypt USB sticks, use a firewall and anti-virus software. Don’t forget to keep hard copy data secure too.

Security should be appropriate to the data. To determine this, consider the consequences of the data being lost. A bunch of business cards is very low risk data. A list of child students with their residential addresses is, on the other hand, much more sensitive and should always be kept secure.

If you experience a personal data breach you need to consider whether it poses a risk to people, assessing the likelihood and severity of the risk to people’s rights and freedoms following the breach. If it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO. If the risk is high, you should also tell the people concerned. You can get advice, and complete an online “self-assessment”, via the ICO’s website.

  • Never share passwords
  • If in doubt – don’t click on links
  • Have up to date anti-malware
  • If you employ someone who leaves – cut all access to your systems immediately

Principle eight: Stay inside the European Economic Area

Avoid sending personal data outside the European Economic Area (EEA) if possible. If it is necessary – only send when appropriate protections are in place. Usually this will require a contract in a specified form. More information is available on the ICO website.

UKGDPR Compliance and teaching

A reason for collecting information about individuals could be for the purpose of providing instrumental teaching. Access our MU member-exclusive advice on how teaching musicians can ensure that they are UKGDPR compliant.

The information given is general and is not a substitute for specific legal advice.

Information Rights advice for teaching musicians covers:

  1. Processing data lawfully
  2. Who needs to register as a data controller
  3. Privacy notices
  4. Marketing
  5. Children’s data and information rights
  6. Data subjects’ rights
  7. Securely disposing of data
  8. Data breaches

Learn about UKGDPR and Information Rights

Frequently Asked Questions

Do I need to get customers to consent for all data processing?

No, consent is your last resort and is only likely to be needed for marketing or the processing of sensitive personal data. Note: Parental consent is needed for children under 13.

What does processing mean?

Essentially, it means doing anything with personal data: using it, amending or updating it, and even simply storing it.

Learn more with our UKGDPR case studies for musicians.

Are there special rules for children?

You should be extra cautious when processing personal data concerning children. For any photos we recommend parental consent is obtained. New guidance concerning UKGDPR and children has been added to the ICO website.

Learn more on UKGDPR and Information Rights for MU members.

Do I need to register with the ICO?

The need to register has technically been abolished; however, it’s likely that you will need to pay a fee. An annual fee of £40 will be applicable for most small businesses. There are a few exemptions to the fees. Read the ICO's guidance on exemptions on their website.

Further information and resources

Information Commissioner’s Office (ICO) – includes access to newsletters and conferences. You can also contact the ICO by phone or web chat.

Cyber Essentials – an overview of the Cyber Essentials scheme on the UK Government's website.

GDPR Coalition – a not-for-profit initiative working to raise awareness about data privacy obligations. Hosts lots of useful infographics about GDPR.

Get Safe Online – offers free advice on online safety and security, for individuals and businesses.

Radius Law vlogs – a series of free to access video blogs which cover GDPR amongst other things.