Privacy and Data Protection

Every time you tap "Accept", log in, search, scroll or send a message, you leave a trace. The phone in your pocket knows where you have been, who you talk to, what you watch late at night and what you nearly bought but didn't. Multiply that by billions of people and you get the single most valuable thing modern organisations collect: personal data — any information that relates to an identifiable living person. Your name and date of birth are personal data, but so are your location history, your likes, your face in a photo and even the way you swipe.

Privacy is your right to control information about yourself: to decide what is collected, who sees it and what it is used for. It is not the same as having something to hide. You close the bathroom door, put a password on your phone and post to friends rather than the whole planet — none of that is suspicious, it is simply drawing a line around what is yours. The hard part in a digital world is that the line is invisible, and it is crossed quietly, thousands of times a day, by companies you never meet.

The law: the Data Protection Act 2018 and UK GDPR

Because personal data can be misused so easily, the UK does not leave privacy to good manners. The Data Protection Act 2018, together with the UK GDPR (General Data Protection Regulation), is the law that any organisation handling your data must obey — from a global social network down to your school. It gives two things: a set of principles that say how data must be treated, and a set of rights that put you back in control. Break the rules and the regulator, the Information Commissioner's Office (ICO), can issue fines of millions of pounds.

The organisation that decides how and why your data is used is called the data controller, and it is legally responsible for following the principles below. You — the person the data is about — are the data subject.

Read them as a promise the law forces every organisation to make about your data. Notice how ordinary they sound: don't lie about what you're doing, don't grab more than you need, don't keep it forever, don't leave it lying around. The power is that they are enforceable.

Your rights as a data subject

The principles tell organisations what to do; your rights let you do something about it. Under the DPA 2018 / UK GDPR you can, among other things:

For most uses of your data the organisation needs a lawful basis, and often that basis is your consent — which must be a clear, freely given yes. A pre-ticked box or a buried checkbox does not count, and you are allowed to change your mind and withdraw it.

Personal data must be:

The controller must also be able to demonstrate it meets these — the accountability principle.

Privacy in everyday tech

The law is the frame; the pressure is felt on your screen every day. A few of the places it shows up:

Running a global app costs a fortune — servers, engineers, electricity. If you are not handing over money, the business must be earning it another way, and usually that way is your data. Every like, watch-time and location ping is fed into a profile that predicts what you will click, and that prediction is auctioned to advertisers in the fraction of a second it takes a page to load. As the saying goes: "if you're not paying for the product, you are the product." That doesn't make free services evil — but it does explain why the "Accept all" button is so big and colourful, and the "Reject" link is so small and grey.

Two traps to keep in mind. First, "free" almost always means you pay with your data. Before you tap Accept, ask what the app gains from the permission and whether it really needs it — the fact that it asks doesn't mean you must say yes.

Second, your digital footprint is very hard to erase. Once a photo, message or post is shared online, other people can screenshot it, copy it, re-share it and cache it in seconds. Deleting the original does not delete the copies, and the "right to be forgotten" cannot chase down every one. Employers and universities really do search applicants online. So the safest privacy control of all is the one you apply before you post or grant a permission: pause, and think about who might see this in five years' time.

A worked example

Suppose a free quiz app asks for your location, your contacts and permission to keep your data indefinitely to "improve our services and partners' offers". Hold it against the principles:

A privacy-aware GCSE student's move: deny the location and contacts permissions (the quiz still works), and think twice before accepting the terms at all. That single decision applies four legal principles at once — which is the whole point of understanding them.