As the digital environment continues to evolve and more businesses choose to provide an online service offering, especially due to the implications of the pandemic, understanding the General Data Protection Regulation and the Data Protection Act (2018) is crucial. Knowing what GDPR is can save your business from incurring large penalties, as well as provide you with peace of mind that you are operating your business in a compliant way.
We understand that knowing exactly what to do to be compliant with GDPR can be overwhelming. However, with the correct advice, you can ensure you’re in line with this complex and intricate area of the law.
With our expansive knowledge of the topic, we will cover everything you need to know, including how to deal with UK data protection regulators such as the ICO.
What is the GDPR Legislation in the UK?
Replacing the previous data protection directive from 1995, the GDPR is a newer framework under which data protection rights are protected and enforced. The legislation came into force on 25 May 2018 and is enforced by the Information Commissioner’s Office (ICO).
Brexit and the UK’s decision to leave the European Union will not alter this.
Whilst GDPR was initially introduced by the EU and incorporated into UK law, the end of the transition period brought the direct applicability of "EU GDPR" to an end. "UK GDPR" does, however, remain in place and binds those directly responsible for the day-to-day management of data protection. It applies to most UK businesses and organisations.
As previously mentioned, the digital landscape is continually evolving, and individuals are now sharing more of their data and information online. This means that extra levels of protection are necessary to protect an individual’s information – a breach of this protection can result in repercussions for businesses and organisations.
What are the key principles of UK GDPR?
There are seven key principles at the core of UK GDPR. While they are not hard rules, they set out the broad purposes of the legislation. These principles do not differ greatly from the existing data protection laws, and include the following:
Lawfulness, fairness, and transparency
Data minimisation – this particular principle, while not new, continues to be of great importance, especially as individuals are creating and sharing more information than ever before. It emphasises that businesses and organisations should not collect and store any more data than is absolutely necessary. To summarise, the ICO comments that “you should identify the minimum amount of personal data you need to fulfil your purpose”. Collecting anything beyond this is an overreach.
Integrity and confidentiality (security) – another key principle, this requires that personal data is protected against unauthorised or unlawful processing, as well as against accidental loss, destruction or damage. Essentially, every reasonable measure should be put in place to ensure an individual’s information is not accidentally leaked as part of a data breach or accessed by malicious parties such as hackers.
To ensure your compliance with UK GDPR, these principles must be held at the forefront of all your business operations and referred to as the building blocks for following data protection best practice.
Who does GDPR apply to?
GDPR applies to any organisation operating within the EU that offers goods or services. This means almost every small business and major corporation must have GDPR-compliant strategies in place. UK GDPR broadly reflects EU GDPR.
What are your UK GDPR rights?
Overall, the legislation is designed to protect the data and information of individuals. With this in mind, there are eight distinct rights laid out by EU GDPR and retained within UK GDPR. For individuals, those rights are as follows:
The right to be informed – this covers any gathering of data by companies: individuals must be informed before their data is gathered.
The right of access – this means that individuals have the right to access their personal data, as well as ask how their data is being used by the company.
The right to rectification – this ensures individuals can have their data updated or rectified if it is out of date, incorrect or incomplete.
The right to erasure – if a consumer withdraws their consent for a company to use their personal data, they retain the right to have this data completely deleted.
The right to restrict processing – individuals have the right to request that their data is not used for processing. The record itself may remain unchanged; it simply cannot be used.
The right to data portability – individuals retain the right to have their data transferred from one service provider to another. To ensure compliance is met, it must be done in a commonly used and machine-readable format.
The right to object – this includes the right of individuals to stop their data being used for direct marketing. There are absolutely no exemptions to this rule, and all processing must stop as soon as the request is received. This right must be made clear to individuals from the beginning.
The right to be notified – if a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly and without undue delay. In any case, you must notify the ICO within 72 hours of any breach that may affect an individual's rights and freedoms.
Whilst the legislation affords consumers and individuals more power over how their data is collected, used, and stored, it also means that organisations collecting and using this data have less power, and are exposed to the risk of breaches, even accidental ones.
However, if you ensure all these conditions are met, UK GDPR compliance should be achieved.
What constitutes a UK GDPR breach and what are the consequences?
It is incredibly easy for regulators to hit businesses with huge fines for breaching their UK GDPR responsibilities. These fines can be incurred simply by processing an individual’s data in the incorrect way, or where there is a security breach.
In the UK, these penalties are imposed by the ICO, and any money collected is rerouted back through the Treasury. Even smaller offences can result in fines of up to £10 million, or two per cent of a business’s global turnover.
Larger breaches are met with heftier fines, sometimes reaching up to £17.5 million, or up to four per cent of a business’s annual global turnover, whichever is greater.
There are three major types of GDPR breaches:
Confidentiality breach – this breach occurs when there has been either an unauthorised or accidental disclosure of, or access to, personal data. This type of breach is most often seen with patients’ records.
Availability breach – this breach happens when there is an accidental loss of access to, or destruction of, personal data; for example, a cyberattack that prevents access to, or destroys, records.
Integrity breach – this type of breach occurs when there is an unauthorised or accidental alteration of personal data.
In some cases, a data breach can involve all three forms of breach. Ensuring your business is operating in line with these regulations can require a particular set of expertise and a dedicated team, or individual, to oversee this activity.
Do you need help from GDPR compliance solicitors?
Our team of GDPR compliance solicitors can help to support businesses in various ways, such as assisting with drafting contracts with data protection clauses. Additionally, we can assist with commercial disputes and advise on breaches of said contracts or claims that may arise as a result of a breach.
Simply get in touch with the team at Smith Partnership today and an experienced data protection lawyer can work closely with you to achieve the best possible outcome.
You can also read more about the services we offer to both corporate and commercial clients.