Getting started

The UK Information Commissioner’s Office* has a number of authoritative and readable guides, including:

*If your company is not UK-based, you can find your national data protection authority here (PDF).

EU and UK legislation relating to data protection and privacy

  • The General Data Protection Regulation (GDPR) in full – this is a marked-up, easy-to-use version of the regulations with good search functionality.
  • UK Data Protection Act 2018. Each EU member state* will have its own data protection legislation based on GDPR.
  • The Privacy and Electronic Communications Regulation (PECR) – based on the EU’s Privacy and Electronic Communications Directive 2002 (often known as the ePrivacy Directive), this regulation came into UK law in 2003 and has had five updates since, including for cookies in 2009 and GDPR in 2018. The EU is in the process of replacing the ePrivacy Directive with a new ePrivacy Regulation to sit alongside the GDPR. However, the new Regulation is not yet agreed. For now, PECR continues to apply alongside the GDPR.


Our free assessment tools

Tried, tested and fully annotated assessment and planning tools for data controllers and data processors based on ICO guidance. Use these tools for a quick self-assessment or in-depth planning. First, you’ll need to decide if you are a data controller, data processor or both.

  • A controller determines the purposes and means of processing personal data. For example: HR data, data about your customers.
  • A processor is responsible for processing personal data on behalf of a controller. For example: if you offer a service that manages payroll for other companies.
  • Read more on data controllers and processors.

Assessment tool for data controllers
Assessment tool for data processors

If you’re uncertain what the results of the assessments mean, how you’d make changes or have any questions, contact us.

Free templates from the ICO and European Commission

Record of Processing for data controllers (Excel file)
Record of Processing for data processors (Excel file)
Data Protection Impact Assessment (DPIA) template (PDF)
EU model contracts for data transfer outside the EEA – whilst these model contracts were written prior to GDPR, they continue to apply.