Glossary
Data protection
Last updated
Part of our topic guide on AI Governance & Data Strategy.
Data protection is the law and practice governing how organisations collect, store, use and share personal information — anything that identifies a living person, from a customer's email address to an employee's payroll record. In the UK, the core legal framework is the UK GDPR alongside the Data Protection Act 2018, regulated by the Information Commissioner's Office (ICO), the UK's independent data-protection authority.
Why it matters
Every organisation that holds personal data — which is nearly all of them — has legal duties around how it's handled, and getting this wrong carries real cost: reputational damage, regulatory action, and lost customer trust. It's also increasingly a data-and-AI skills issue, not just a legal one. As organisations build more with data and AI, the people closest to that work — analysts, engineers, product owners — need to understand data protection well enough to build it in from the start, not treat it as something the legal team bolts on afterwards. In our view, that's why data literacy and data protection awareness belong together as foundational skills, not siloed specialisms.
How it works
Data protection in the UK rests on a few core ideas:
- Personal data — any information that can identify a living person, directly or indirectly (name, email, IP address, employee ID, and so on).
- UK GDPR — sets out the core principles: data must be collected for a specific purpose, kept accurate, held no longer than necessary, and kept secure.
- The Data Protection Act 2018 — sits alongside the UK GDPR, covering areas the GDPR doesn't fully address, including some law-enforcement and national-security processing.
- The ICO — the independent regulator that oversees compliance, investigates breaches, and can issue enforcement action.
- The Data (Use and Access) Act 2025 — a newer piece of legislation amending aspects of the UK's data-protection regime; check the ICO or legislation.gov.uk for the specifics of any provision that affects your organisation, as detail here is still settling.
Because this is a specialist, fast-moving area of law, many organisations build dedicated data-protection or information-governance capability — sometimes through a funded apprenticeship route, such as the Level 4 Data Protection and Information Governance Practitioner standard.
Common questions
What is the Level 4 Data Protection and Information Governance Practitioner apprenticeship?
It's an apprenticeship standard, set at Level 4 (roughly equivalent to the first year of a degree), for people whose job is to manage an organisation's compliance with data-protection law and good information-governance practice. Like all apprenticeship standards, it's built around a defined set of knowledge, skills and behaviours (KSBs) rather than a fixed job title — so it can suit people already working in compliance, legal, IT or governance roles, not only those with "data protection" in their job description.
What does a Data Protection and Information Governance apprenticeship involve?
It combines on-the-job practical work with structured off-the-job training, covering areas such as UK data-protection law, information-security principles, records management and handling subject-access requests and breaches. As with any apprenticeship, the exact assessment method — project work, a portfolio, a professional discussion, or a knowledge test — is set by the standard's own assessment plan, not by the training provider.
Are there apprenticeship programmes in data protection?
Yes — data protection sits within the wider family of funded apprenticeship standards in England, alongside routes covering data analysis, data engineering and AI. Funding works the same way as other apprenticeships: through the Growth & Skills Levy (formerly the Apprenticeship Levy) for larger employers, with government co-investment or full funding available for smaller employers depending on the apprentice's age and circumstances.