The General Data Protection Regulation (GDPR) is a privacy law designed to give individuals rights over their data. It came into force in May 2018 and introduced strict rules about how businesses access, store and use personal data, such as phone numbers and medical history. The principles of GDPR apply to everyone about whom you hold information, including employees, customers, contractors and members of the public.
Although the GDPR was an EU directive, since Brexit it has been retained in UK law under the Data Protection Act 2018. This act developed the tenets outlined in the Data Protection Act 1998 and has enforced strong penalties for those who fail to abide by GDPR principles.
While the full GDPR legislation is over 300 pages long, it has two key premises. The first is that organisations must have a valid reason for collecting personal information to communicate with the individual. The second is that the organisation, be it an accounting firm or an online store, must implement security measures to protect from data breaches or misuse of personal information.
Increase manager and employee awareness with our UK GDPR and Data Protection Awareness training course, which equips employees with an increased understanding of the implications of UK GDPR and how it is applied in the context of data security.
What is covered by personal data?
Personal data describes any information relating to a specific individual which could be used to identify them. This ranges from obvious details such as names to more specialised information such as medical history. These details are sometimes referred to as identifiers. As well as private information such as bank details and home addresses, personal data also refers to identifiers such as political stance, sexual identity and biometric data such as fingerprint and iris scans. These details are sometimes referred to as sensitive personal data.
Because of the monumental increase in internet usage and cloud-storage technology, the majority of personal data now exists online, as well as in hard copies such as printouts and physical records. The GDPR protects people from having their details misused, such as personal information being sold to marketing companies.
What does the GDPR mean for my organisation?
The GDPR means your organisation is legally required to comply with the data handling rules outlined in the legislation. An example of GDPR compliance is when a website alerts users that it uses tracking cookies to identify them and by clicking ‘accept’ the user agrees to its privacy and cookie policies.
The GDPR impacts other areas, such as marketing materials. An organisation must comply with data permission (customers confirming their wish to be contacted, usually by ticking a box), data access (a customer’s right to opt out or unsubscribe from emails), and data focus (only collecting relevant data). The GDPR also specifies that customers may request access to their personal data stored by an organisation by submitting a written Subject Access Request, and may request that it is deleted or amended.
Two essential terms to understanding GDPR obligations are ‘data controller’ and ‘data processor’.
The data controller decides what data is collected, for what reason and how it should be processed. The controller ensures an organisation is GDPR compliant in terms of data accuracy, confidentiality and so on. The data controller is responsible for alerting the Information Commissioner’s Office (ICO) if a data breach occurs. The data processor collects, analyses, records and documents the data as outlined by the data controller.
Failure to comply with the GDPR can carry severe penalties. In cases of serious data breaches, organisations can be fined up to 4% of turnover or £17 million, whichever is the higher of the two figures. Penalties are determined by the Information Commissioner’s Office, which fined British Airways £20 million in 2020 over a data breach.
What are the seven key principles of the Data Protection Act?
- Lawfulness, fairness and transparency – The first principle is the foundation for the GDPR. It states that whenever an organisation collects data it must clearly communicate why it is being collected and how it will be used. This principle also specifies that if a customer has further enquiries about the processing of their data, they must be answered in a timely fashion. Finally, the collection, processing and disclosure of data must all be carried out in line with the regulations.
- Purpose limitation – Data may only be collected for a legitimate reason. The collected data can only be used for the specified purpose and nothing else unless the customer has given their explicit consent for this.
- Data minimisation – The GDPR legislation states that data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Therefore organisations must store only the minimum quantity of data needed for their purpose.
- Accuracy – Any data collected must be accurate, fit for purpose and recent. Organisations should regularly review stored data and delete or amend inaccurate information to comply with this principle. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
- Storage limitation – Data that is no longer required for its designated purpose must be destroyed unless there are other grounds for retaining it. The GDPR does not specify how long data should be stored; this is decided by the data controller. Organisations should have a review process in place to deal with the cleansing of databases.
- Integrity and confidentiality – Organisations must ensure that all necessary security measures pertaining to data security are in place. This refers to protection from internal threats such as loss, damage or unauthorised use. This principle also refers to external threats such as theft or malware.
- Accountability – Finally, an organisation must take full responsibility for any data it holds and also demonstrate compliance with all seven principles. This could be achieved through actions such as GDPR training for all employees or appointing a data protection officer.
Does the GDPR still apply now after Brexit?
Since Britain’s departure from the EU on January 1, 2021, the GDPR has been retained under UK law as the Data Protection Act 2018. Following an additional statutory instrument named ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’, the DPA has been amended and merged with the requirements of GDPR. The same seven principles apply, as do the same obligations and penalties for failure to comply.
The main difference for GDPR post-Brexit is that the UK is now “a third country”, so data flow between the UK and the EU faces greater restrictions. The EU has adopted an adequacy decision for the UK until 2025. For UK organisations processing personal data from individuals inside the EU, this UK adequacy decision allows unrestricted data sharing until 2025.
In September 2021, the Department for Digital, Culture, Media & Sport launched a consultation titled Data: A New Direction as part of the UK’s National Data Strategy. The outcomes of this consultation are yet to be announced, but the main proposals include placing tougher penalties on nuisance calls and text messages and reworking rules in relation to cookies and direct marketing.
Ensure your organisation complies with UK GDPR and data protection regulations with our UK GDPR and Data Protection Awareness training course that helps ensure your organisation is compliant and helps avoid the risk of costly fines.