Download the Toolkit: GDPR Compliance 12 Step Guide - English.pdf

If you collect or receive personal data and you decide why that data is needed and how it will be used (the purposes and means of the processing), you are a data controller. If you process personal data only on behalf of, and on the instructions of, a data controller, you are a data processor. An organisation can be a controller for some processing activities and a processor for others, so the role has to be decided per activity. In either case, you and everyone in your organisation who handles the data must follow the rules set out in the UK GDPR to be legally compliant.


What is classed as ‘personal data’?

Personal data includes information like:

  • a person’s name or contact details (this person is known as the ‘data subject’)
  • an identification number, for example a person’s National Insurance or passport number
  • location data, for example a person’s home address or mobile phone GPS data
  • an online identifier, for example a person’s IP or email address.


Personal data that is considered more sensitive is also covered by the UK GDPR and is referred to as ‘special category data’. Processing it requires a lawful basis plus a separate condition under Article 9. Special category data includes:

  • genetic data relating to genetic characteristics which give unique information about a person’s physiology or health
  • biometric data for the purpose of identifying a person, including facial images and fingerprints
  • data concerning a person’s physical or mental health, and the provision of health care services
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • sex life or sexual orientation.



This toolkit includes a 12-step task list to help you comply with the UK GDPR: 12 Steps to GDPR compliance