Data-protection law touches almost everyone, yet the rules are often described in jargon that makes them harder to use than they need to be. This refresher sets out, in plain English, what the United Kingdom’s data-protection regime is and what rights it gives you over information held about you. Unlike the consumer-credit rules, which depend on whether the borrower is an individual or a company, data-protection law applies to personal data regardless of whether you are borrowing for yourself or running a business — so this is one area that is squarely relevant to every director who deals with us.
The two main laws
Two pieces of law form the backbone of data protection in the UK. The first is the UK General Data Protection Regulation, usually written as UK GDPR — the retained version of the EU regulation, kept in UK law after Brexit. The second is the Data Protection Act 2018 (DPA 2018), which sits alongside UK GDPR and fills in the detail for the UK. The independent regulator that oversees both is the Information Commissioner’s Office, whose guidance is published at gov.uk.
“Personal data” simply means information that relates to an identified or identifiable living person — a name, an address, an email, an identity document, and so on. An organisation that decides how and why personal data is processed is a “controller”, and controllers carry the main legal responsibilities.
Your core rights
UK GDPR gives individuals a set of rights over their personal data. The ones people use most often are these.
- The right to be informed. You are entitled to a clear explanation of what data an organisation holds about you, why, and who it is shared with. Ours is set out in our privacy notice.
- The right of access. You can ask for a copy of the personal data held about you. This is known as a subject access request, and we explain how to make one in our guide to how to make a data subject access request.
- The right to rectification. If data about you is inaccurate or incomplete, you can ask for it to be corrected.
- The right to erasure. In certain circumstances you can ask for data to be deleted — sometimes called the “right to be forgotten”. It is not absolute: where we are required by law to keep records, or need them to manage a live agreement, we may have to retain some information.
- The right to object and to restrict. You can object to certain uses of your data, including direct marketing, and ask that processing be limited while a query is resolved.
What the rules are not
It is worth clearing up a common misunderstanding. Data-protection rights are not the same as financial-services protections. The fact that UK GDPR applies to information we hold about a director does not mean our business lending is regulated consumer credit — it is not, and it is not covered by the Financial Ombudsman Service or the Financial Services Compensation Scheme. Those are separate regimes. Data protection governs how information is handled; it says nothing about which financial rulebook applies to a loan.
It is also worth noting that UK GDPR primarily protects living individuals, not companies. So the personal data of a director is protected, while purely corporate information about the company sits outside it. In practice, because we run an identity check on the director, your personal data is firmly within scope, and you can exercise the rights above in relation to it.
How to exercise your rights with us
If you want to see, correct or question the data we hold, the simplest starting point is our privacy notice, which sets out the lawful bases we rely on and how to contact us. To request a copy of your data specifically, follow the steps in how to make a data subject access request. We do not charge for a standard request, and we aim to respond within the statutory time limit.
Good data practice is not a favour; it is the law, and it is also simply how a lender ought to behave. Knowing your rights under UK GDPR and the DPA 2018 puts you in control of your own information — and makes it easier to spot when something is not right.