Under GDPR and the Data Protection Act 2018, businesses and their staff are responsible for the security, compliance and governance of their data. GDPR is based around six privacy principles together with the accountability principle. In addition to these principles, individuals have specific rights in relation to their personal information placing certain obligations on organisations that are responsible for processing it. An overview of these principles is available on the Information Commissioner’s Office website: