Module 8 of 25 · Foundations

Privacy and everyday data protection

25 min read · 4 outcomes · Interactive GDPR data mapper + drag challenge · 5 standards cited

By the end of this module you will be able to:

  • Distinguish between personal data, special category data, and anonymous data with examples
  • Explain the six UK GDPR lawful bases for processing and identify the most appropriate base for a given scenario
  • Describe key data-subject rights including access, rectification, erasure, and portability
  • Apply data minimisation and purpose limitation to a realistic data-collection scenario
Commercial aircraft at an airport, representing the British Airways GDPR enforcement case (Unsplash)

Real-world enforcement · October 2020

British Airways collected passenger data it did not need. The ICO fined it £20 million.

Between June and September 2018, attackers compromised British Airways' booking system and harvested the personal and financial data of approximately 429,612 customers, including names, billing addresses, email addresses, and payment card details. The attackers used skimming code injected into the booking pages to capture data as customers entered it.

In October 2020, the ICO (Information Commissioner's Office) issued a fine of £20 million, reduced from an initial notice of £183 million. The ICO found that British Airways had failed to process personal data using appropriate technical and organisational measures as required by the UK GDPR (General Data Protection Regulation). Specific failures included inadequate security monitoring, poor subnetwork segregation, and overly broad access to third-party systems.

The case illustrates that data protection law is not a separate concern from cybersecurity. A security failure that exposes personal data triggers regulatory obligations: notification to the ICO within 72 hours, notification to affected individuals where there is a high risk of harm, and potential fines based on the organisation's annual global turnover. Privacy and security are two sides of the same accountability framework.

British Airways had the data. Its booking system worked. So what exactly did data protection law say it had done wrong, and why did the 2018 breach matter so much more than just a technical failure?

With the learning outcomes established, this module begins by examining personal data, special category data, and anonymisation in depth.

8.1 Personal data, special category data, and anonymisation

Personal data under the UK GDPR (which incorporates the EU GDPR post-Brexit through the Data Protection Act 2018) is any information that can identify a living individual, directly or indirectly. Direct identifiers include names, email addresses, and national insurance numbers. Indirect identifiers include IP addresses, cookie IDs, and location data when combined with other information that allows identification.

Special category data attracts additional protection because its exposure can cause particular harm. The UK GDPR Article 9 defines special categories as: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used to uniquely identify someone), health data, sex life and sexual orientation, and data relating to criminal convictions and offences.

Anonymous data is data from which individuals cannot be identified, directly or indirectly. The UK GDPR does not apply to truly anonymous data. However, anonymisation is harder to achieve than commonly assumed. A dataset of postcodes, ages, and job titles might appear anonymous until combined with a public register that re-identifies individuals. The ICO's Anonymisation Code of Practice recommends applying the "motivated intruder" test: would a reasonably motivated person with access to commonly available resources be able to identify individuals from this data?

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

UK GDPR, Article 4(1), Definitions

The UK GDPR definition of personal data is deliberately broad. 'Indirectly' identifiable data is included, which means IP addresses, device fingerprints, and pseudonymised data (where a key still exists that could re-identify individuals) all fall within scope. This is why anonymisation requires more than simply removing a name column from a dataset.
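As an added example (not part of the module or the ICO code of practice), the check below measures one proxy for the motivated intruder test, k-anonymity over the quasi-identifiers named above (postcode, age, job title), on a constructed dataset that has already had its name column removed. It shows that dropping names leaves every row unique, that generalising alone still leaves a singleton, and that suppression is needed to reach k = 2. The postcodes, ages and the job-title hierarchy are all constructed for the demo.

```python
from collections import Counter

# Constructed sample: the name column has already been removed, yet each row is
# still unique on (postcode, age, job_title) and could be linked to a public
# register (an employer's staff page, say) by a motivated intruder.
RECORDS = [
    {"postcode": "SW1A 1AA", "age": 34, "job_title": "Nurse", "condition": "asthma"},
    {"postcode": "SW1A 2BB", "age": 29, "job_title": "Nurse", "condition": "diabetes"},
    {"postcode": "SW1A 2BC", "age": 31, "job_title": "Nurse", "condition": "none"},
    {"postcode": "E1 6AN", "age": 45, "job_title": "Teacher", "condition": "none"},
    {"postcode": "E1 7AA", "age": 48, "job_title": "Teacher", "condition": "hypertension"},
    {"postcode": "E1 7AB", "age": 41, "job_title": "Teacher", "condition": "asthma"},
]
QUASI_IDENTIFIERS = ("postcode", "age", "job_title")
SECTOR = {"Nurse": "health", "Teacher": "education"}  # constructed job-title hierarchy


def equivalence_classes(records):
    """Count rows sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)


def k_anonymity(records):
    """Smallest class size; k == 1 means someone is singled out by attributes
    an intruder could plausibly look up elsewhere."""
    return min(equivalence_classes(records).values())


def singletons(records):
    """Quasi-identifier combinations that match exactly one row."""
    return [key for key, n in equivalence_classes(records).items() if n == 1]


def generalise(record):
    """Coarsen quasi-identifiers: outward postcode only, 10-year age band,
    job title collapsed to a sector. The sensitive attribute is left as is."""
    lo = record["age"] // 10 * 10
    return {
        "postcode": record["postcode"].split()[0],
        "age": f"{lo}-{lo + 9}",
        "job_title": SECTOR.get(record["job_title"], "other"),
        "condition": record["condition"],
    }


def release(records, k):
    """Generalise, then suppress rows whose class is still smaller than k,
    so the released rows have k-anonymity of at least k (or none remain)."""
    coarse = [generalise(r) for r in records]
    classes = equivalence_classes(coarse)
    return [r for r in coarse if classes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]
```

On this sample `release(RECORDS, 2)` keeps five rows: the 29-year-old nurse is the only person in the SW1A/20-29/health class after generalisation and is suppressed. k-anonymity is a measurable proxy for the motivated intruder test, not a substitute for the ICO's full assessment of what linkable data is actually available.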

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible.

UK GDPR Article 5(1)(b): Purpose Limitation

With an understanding of personal data, special category data, and anonymisation in place, the discussion can now turn to the six lawful bases for processing, which builds directly on these foundations.

8.2 The six lawful bases for processing

Processing personal data is only lawful if it falls within one of six bases defined in UK GDPR Article 6. Organisations must identify their lawful basis before collecting data, not retrospectively.

Consent: the individual has given clear, informed, specific, and freely given consent. Consent must be as easy to withdraw as to give. Pre-ticked boxes are not valid consent. Consent is often over-relied upon; where processing is necessary for a service, legitimate interests or contract may be more appropriate.

Contract: processing is necessary to perform a contract with the individual, or to take pre-contractual steps at their request. A bank collecting account details to open an account uses this basis.

Legal obligation: processing is necessary to comply with a legal requirement. Employers processing employee payroll tax information use this basis.

Vital interests: processing is necessary to protect someone's life. This is a narrow basis used in emergency medical situations.

Public task: processing is necessary for a task in the public interest or in the exercise of official authority. Most public sector processing uses this basis.

Legitimate interests: processing is necessary for the controller's or a third party's legitimate interests, unless those interests are overridden by the individual's rights. This requires a three-part test: purpose test (identify the legitimate interest), necessity test (is processing necessary?), and balancing test (does the individual's interest override it?).

Common misconception

Consent is the most appropriate lawful basis for most processing activities.

Consent requires clear, informed, freely given, and easily withdrawable agreement. Where processing is necessary to deliver a contracted service, legal obligation, or legitimate business function, consent is often the wrong basis because it creates an obligation to stop processing if withdrawn, which may be incompatible with the service. Over-reliance on consent as a default leads to consent fatigue, ineffective withdrawal mechanisms, and regulatory exposure when consent management fails.

Common misconception

Anonymised data has no privacy implications because it cannot identify individuals.

True anonymisation is much harder to achieve than it appears. The UK ICO's anonymisation code of practice notes that anonymisation must be strong against re-identification attacks combining the dataset with other available data. Researchers at MIT demonstrated in 2015 that 87% of the US population can be uniquely identified using only zip code, date of birth, and sex from public records. Netflix's 'anonymised' dataset was re-identified by correlating it with public IMDb reviews in 2007. Organisations should treat data as personal data unless they have formally assessed re-identification risk using an expert adversarial model, not simply because direct identifiers have been removed.

With an understanding of the six lawful bases for processing in place, the discussion can now turn to data subject rights, which builds directly on these foundations.

8.3 Data subject rights

The UK GDPR grants individuals rights over how their personal data is used. Organisations must have processes to respond to these requests within one calendar month.

The right of access (Subject Access Request, SAR) entitles individuals to receive a copy of all personal data held about them, the purposes for which it is processed, and information about how long it is retained. The right to rectification allows individuals to correct inaccurate data.

The right to erasure (the "right to be forgotten") applies in specific circumstances, including when data is no longer necessary, consent is withdrawn and no other lawful basis applies, or the individual objects and the controller has no overriding legitimate interest. It is not absolute: legal obligation and public task processing can override it.

The right to data portability applies where processing is based on consent or contract and is carried out by automated means. It allows individuals to receive their data in a structured, commonly used, machine-readable format and to transfer it to another controller.

With an understanding of data subject rights in place, the discussion can now turn to data minimisation and purpose limitation, which builds directly on these foundations.

8.4 Data minimisation and purpose limitation

Two of the UK GDPR's seven data protection principles are particularly relevant for system design. Data minimisation (Article 5(1)(c)) requires that personal data collected be adequate, relevant, and limited to what is necessary for the specified purpose. Collecting data "just in case it is useful later" is not compliant.

Purpose limitation (Article 5(1)(b)) requires that data collected for one purpose not be used for a different, incompatible purpose without a new lawful basis. A company that collects delivery addresses to fulfil orders cannot later use those addresses to send marketing unless it has a separate lawful basis for doing so.

In cybersecurity terms, data minimisation reduces the blast radius of a breach. British Airways collecting only what was necessary to process a booking would have had fewer records exposed in 2018. Organisations that hoard data "because storage is cheap" create disproportionate risk without proportionate benefit.

The ICO expects organisations to apply privacy by design: building data minimisation and purpose limitation into systems from the start rather than applying them as an afterthought. A new feature request that would require collecting additional personal data triggers a legitimate interests assessment or consent review before the data collection begins, not after.
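As an added illustration of how these two principles are enforced in code (example code, not the module's interactive data mapper), the snippet below keeps a small record of processing that maps each purpose to its lawful basis and the only fields it justifies, strips anything else at collection, and refuses to re-use data for an incompatible purpose until a separate basis is documented. The purposes, field names and bases are constructed for the demo; the compatible further purposes follow the Article 5(1)(b) wording quoted in 8.1.

```python
# Constructed record of processing: purpose -> (lawful basis, fields justified
# for that purpose). Anything not listed is "just in case" data and is dropped.
PROCESSING_REGISTER = {
    "order_fulfilment": ("contract", {"name", "delivery_address", "email"}),
    "marketing": ("consent", {"email"}),
    "public_health_research": ("public_task", {"postcode", "condition"}),
}
# Article 5(1)(b): further processing for these purposes is not incompatible
# (still subject to safeguards such as the anonymisation check in 8.1).
COMPATIBLE_FURTHER_PURPOSES = {"archiving_public_interest", "research", "statistics"}


def minimise(purpose, submitted):
    """Tag data with its purpose and basis, keeping only the justified fields.
    Returns (record, dropped_field_names) so over-collection is visible."""
    basis, allowed = PROCESSING_REGISTER[purpose]
    kept = {field: value for field, value in submitted.items() if field in allowed}
    return {"purpose": purpose, "lawful_basis": basis, "data": kept}, sorted(set(submitted) - allowed)


def may_reuse(record, new_purpose, new_basis_recorded=False):
    """Purpose-limitation gate for data collected under record['purpose']."""
    if new_purpose == record["purpose"] or new_purpose in COMPATIBLE_FURTHER_PURPOSES:
        return True, "same or compatible purpose"
    if new_basis_recorded and new_purpose in PROCESSING_REGISTER:
        return True, f"separate lawful basis ({PROCESSING_REGISTER[new_purpose][0]}) documented"
    return False, f"incompatible purpose: identify and record a lawful basis for {new_purpose} first"


# Constructed checkout submission that asks for more than the order needs.
CHECKOUT = {"name": "A. Example", "delivery_address": "1 High Street", "email": "a@example.test",
            "date_of_birth": "1990-01-01", "phone": "01234 000000"}
```

With this register, `minimise("order_fulfilment", CHECKOUT)` drops date of birth and phone, and `may_reuse(record, "marketing")` is refused until consent for marketing has been recorded, which is the delivery-address scenario above made checkable.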

Data centres store vast quantities of personal data. GDPR requires organisations to document what data they hold, why, and what lawful basis justifies processing it.
8.5 Check your understanding

A GP surgery collects patient date of birth, NHS number, address, and health condition to provide medical care. A data analyst wants to use anonymised versions of the condition and postcode data for public health research. Which statement is most accurate?

A startup wants to send marketing emails to users who signed up for a free trial. The sign-up form included a pre-ticked box saying 'I agree to receive marketing emails.' Which UK GDPR principle is most clearly violated?

A user submits a Subject Access Request to an online retailer asking for all personal data held about them. The retailer responds three months later saying the search took longer than expected. What rule did the retailer most likely violate?

A UK-based HR software company stores employee personal data for its enterprise clients. One client asks the HR software company to share all employee salary data with an AI vendor for model training. The HR software company would like to comply. What is the correct data protection analysis, and who is responsible for the decision?

Privacy compliance requires ongoing monitoring. Organisations must track consent, respond to data subject requests within 30 days, and report breaches to the ICO within 72 hours.

Key takeaways

  • Personal data covers any information that can identify an individual, directly or indirectly. Special category data attracts additional protection under UK GDPR Article 9. Anonymisation requires more than removing a name column.
  • Processing personal data requires one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The basis must be identified before collection begins.
  • Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are not valid consent under UK GDPR.
  • Data subject rights include access, rectification, erasure, restriction, portability, and objection. Organisations must respond within one calendar month.
  • Data minimisation and purpose limitation are design principles, not compliance checkboxes. Collecting less data reduces breach exposure. Data collected for one purpose cannot be repurposed without a new lawful basis.

You now have the complete Foundations vocabulary: from definitions and risk through data, networks, attacks, identity, human factors, and privacy law. The final Foundations module brings everything together: a single integrated scenario that tests whether you can apply all eight modules to one realistic incident. Module 9 is the capstone.

Standards and sources cited in this module

  1. UK GDPR (retained in UK law via the Data Protection Act 2018)

    Article 4 (Definitions), Article 5 (Principles), Article 6 (Lawful bases), Article 9 (Special categories), Articles 12-22 (Data subject rights)

    Primary legislation governing personal data processing in the UK. All definitions and principles in this module derive from the UK GDPR.

  2. ICO, 'British Airways Penalty Notice' (October 2020)

    Full penalty notice

    Primary source for the British Airways GDPR enforcement case: £20 million fine, technical failures, and regulatory reasoning. Used as the opening case study.

  3. ICO, 'Anonymisation: managing data protection risk, Code of Practice'

    Section 3, The motivated intruder test

    Defines the motivated intruder test for assessing whether data is truly anonymous. Referenced in Section 8.1.

  4. ICO, 'Lawful basis for processing' guidance

    All six bases explained with examples

    UK ICO guidance on selecting and documenting lawful bases. Referenced in Section 8.2.
