Most people know the feeling: exams are looming, the highlighters come out, and suddenly topics ignored for months become urgent overnight. For many businesses, data protection only gets the same attention when a breach, a regulator enquiry or an urgent due diligence questionnaire lands.
This approach rarely works. The UK General Data Protection Regulation (UK GDPR) expects organisations to build good habits into day-to-day operations, not to learn them under pressure. Here are five fundamentals businesses often revisit too late.
1. Lawful basis: consent is not the default
A common mistake is assuming consent is the safest lawful basis for processing personal data. Article 6 of the UK GDPR sets out six lawful bases, including contract, legal obligation, legitimate interests and vital interests.
Consent has strict requirements. It must be freely given, specific and informed, and it must be easy to withdraw. Choosing the right lawful basis at the outset is not a paperwork exercise. It affects retention periods, transparency obligations and individual rights.
2. Article 30 records should be operational, not decorative
Records of processing activities (ROPAs) under Article 30 are often treated like forgotten revision notes: drafted once, filed away and ignored.
In practice, a good ROPA is an operational tool. It helps businesses understand what personal data they hold, why they hold it, who receives it, whether it is transferred internationally and how long it is kept.
When a breach occurs or a regulator asks questions, weak data mapping shows. If a business cannot explain its processing activities clearly, it becomes much harder to demonstrate compliance elsewhere.
The strongest ROPAs evolve with the business, not just before an audit.
3. Processor agreements are not optional
Another familiar last-minute scramble happens when businesses realise they can’t locate signed data processing agreements with suppliers.
Article 28 requires written contracts whenever a processor handles personal data on behalf of a controller. This commonly includes IT providers, payroll companies, CRM platforms, cloud storage providers, marketing agencies and outsourced HR support.
These contracts must include mandatory provisions on security, confidentiality, sub-processing, audit rights and the return or deletion of data.
Gaps are often only spotted during procurement checks or client onboarding, when supplier terms are already embedded and hard to change quickly.
4. Breach reporting clocks start faster than people think
When a personal data breach happens, panic frequently replaces preparation.
Under Article 33, a reportable breach must be notified to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Article 34 may also require affected individuals to be informed where the breach is likely to result in a high risk to their rights and freedoms.
The challenge is that businesses cannot assess risk properly if nobody knows the escalation process, who makes decisions or what information needs recording.
Not every breach is reportable, but every breach should be assessed promptly and documented carefully. Waiting until an incident occurs to work out the response plan is rarely a comfortable exercise.
5. Staff training is part of accountability
Many breaches still stem from basic human error: misdirected emails, weak passwords, inappropriate disclosures or phishing attacks.
Article 5(2) embeds the accountability principle and meaningful staff training is a core part of demonstrating it. Training shouldn’t be limited to an annual generic slideshow. Different teams face different risks and training should reflect those realities.
Front-line staff, HR teams, finance and senior management all handle personal data in different ways. Tailored, regular training helps turn compliance from theory into practice.
Like exam preparation, data protection basics are far easier to manage consistently than to relearn under pressure. Businesses that address these fundamentals early are usually better placed when breaches, audits or demanding client questionnaires arrive.