September 30, 2022
Unless you’ve been living under a rock for the last few years, you’ll no doubt have heard of the General Data Protection Regulation, aka the GDPR. The GDPR is a regulation designed to protect the privacy and security of individuals. Non-compliance can come with a series of financial and reputational risks, and as a business that collects data, you're likely to be obligated to the GDPR. In this guide, we set out what you need to do to be compliant. For the purposes of this blog, we'll be focusing on the UK GDPR. It's worth noting, the UK GDPR is a separate entity to the EU GDPR, and you may be obligated to both - or just one. Let's dive in.
With the implementation of the GDPR in 2018, followed soon after by the UK’s Data Protection Act 2018, a new era for data protection dawned. By the 1st of January 2021, the UK has brought its own version of the GDPR into effect, setting out the key principles, rights, and obligation for the handling of personal data.
The UK’s data regulator, the Information Commissioner’s Office (ICO), has the power to impose a number of sanctions for data breaches, including hefty fines, which focussed the mind of many a business owner and suddenly made data protection a hot topic.
Many businesses find the prospect of compliance daunting. However, it’s worth bearing in mind that at any given time, the majority of businesses will not, strictly speaking, be GDPR “compliant” and the ICO understands that compliance is not a ‘tick box’ exercise, but is something that needs to be worked at on an on-going basis. What the ICO is looking for is for businesses to take data protection seriously, to inform themselves as to what the law requires, to think about how they use data and why, and to have effective processes in place.
How you manage data protection within your business will be unique to your organisation and the risks involved. It is important to reflect on how and why you use personal data within your business and to seek advice and support about how to manage your use.
Data protection is principle-based and not ‘one size fits all’, you will always need to take decisions based on the risks involved. But, we’re going to take you on a whistle-stop tour through some of the basics to give you an overview of the regime and some pointers on where to start to take steps towards managing risks effectively.
Given its scope and complexity, you're likely to have a number of questions surrounding the GDPR, and what it means for your business. Let's tackle these.
It’s pretty safe to assume it will (sorry). The GDPR applies to businesses of all shapes and sizes where personal data is being processed (more on processing below). If you employ staff, you will hold their personal data at the very least.
Personal data is information about a living person that identifies them (or that could identify them when combined with other information). It doesn’t matter if the information doesn’t seem particularly ‘private’ – even information that is publicly available can be personal data.
Processing is essentially anything that you ‘do’ with personal data. Examples of processing include collecting, using, disclosing or even deleting personal data.
A data controller (or just plain old ‘controller’) is the party that decides how and why the data will be processed. Explore more data protection roles and responsibilities here.
A data processor (also just known as a ‘processor’) is a party that processes personal data on behalf of the controller, in accordance with the controller’s instructions. For example, where you outsource a service such as a payroll or HR system.
Now you speak the lingo, let’s look at the basis of the law itself.
There are 7 key principles of the GDPR. These are:
These principles of the backbone of the Regulation and businesses’ obligations revolve around these principles.
This principle underpins the whole regime. Businesses must identify a ‘lawful basis’ (in simple terms, a good reason) for processing personal data. There are six bases that you may seek to rely on. Very briefly, these are:
It is worth noting that additional obligations apply in respect of sensitive types of data e.g. health, ethnicity and criminal-related information. Processing must be done in compliance with the law and in a way that is fair. The processing must not have an adverse effect on the individual, and it must not be done in a way that is unexpected or misleading. Businesses need to be very clear with people from the outset about how their personal data is being used. Next up...
You must only collect the data you really need. If you’re delivering a package to a customer, do you really need their date of birth, for example? It might be useful to know the age of your average customer for marketing purposes, but do you really need to know in order to deliver the package? On the other hand, if you are selling a product that is only suitable for people over the age of 18, this may be a valid reason to collect this information.
You must ensure the data you hold is accurate. Consider whether you may need to take steps to ensure that the information you hold is up to date.
You must not keep data for longer than you really need to. We’re often asked, ‘how long can we keep data for?’ and the answer will be different for each business (or even for each set of data within that business) depending on what the specific purpose for processing is. You need to actively manage your data by regularly reviewing it and erasing or anonymising it where possible.
It is vital that you ensure that you have security measures in place to protect the personal data you hold and that these are appropriate to the type of data you’re holding. You’ll need to consider tools such as software and encryption to protect data, and don’t forget to think about how to protect hard copy data too.
You are required to take responsibility for the management of personal data within your organisation. You must take steps to put appropriate measures in place and be able to demonstrate the steps you have taken towards compliance. Be sure to record any decision you make about personal data and the thinking behind your decision.
Is your house in order? There are a number of policies and notices that you will need to put in place. Again, what you will need to introduce will depend on exactly what you’re doing with personal data within your business, but you should consider whether you need the following:
If you would like some support with undertaking a data audit, developing policies or drafting GDPR-compliant contracts to get your data protection house in order, or if you have any other queries at all about the GDPR and how to meet your obligations, we can help. Discover how we help businesses with their data protection obligations here.