In many ways, the General Data Protection Regulation (GDPR) means more of the same as the data protection regime that applied before 25th May 2018: UK businesses, of all sizes and identities, face significant personal data collection and data handling obligations. The GDPR legislation provides greater clarity and imposes stricter conditions around these obligations. The penalties for non-compliance have also become a lot weightier.
The rules are designed to protect personal data belonging to individuals, not businesses.
There are 5 essential facts you should know from the outset:
1. We’re in it together: Almost all businesses, regardless of their size, are affected by these rules.
If, for example, you sell or market products, employ workers, or you monitor the behaviour of people within the EU (including the UK), the GDPR rules apply to you. (Monitoring potentially includes the use of web-data analytics tools and cookies to analyse website visitor activity).
2. Brexit will not change this: The UK government has made clear that it intends to keep the GDPR’s rules in place once the UK leaves the EU (in March 2019). It’s expected to do so by means of a newly proposed Data Protection Act that will mirror all relevant elements of the GDPR.
3. Penalties have increased substantially: The cost of not complying is potentially a very high one – intentionally so, and the UK has made clear that it intends to take a hard line on breaches. Fines will increase from a maximum £500,000 to £17m, or 4% of turnover, whichever is the greater.
However, the Information Commissioner has also made very clear that the predominant purpose of this law is not to fine businesses and that the Information Commissioner’s Office (ICO) has no desire to cripple any business for non-compliance. (In 17,300 cases investigated by the ICO between 2016/7, only 16 resulted in fines and the then maximum fine of £500k has never been imposed.)
Other sanctions include formal and public warnings, reprimands and court-enforceable corrective orders. Reputational impact (for example, a perception that a business collecting or handling personal data is untrustworthy, neglectful, reckless, disrespectful or incompetent, which damages customer trust in that business) is considered an equally motivating deterrent for many businesses.
4. Personal data collection, its use, sharing and storage is key to compliance: ‘Personal data’ is any information relating to an identifiable person who lives in the EU (including the UK). This could be their name, address, location data or online identification data, National Insurance or passport number. It applies to both automated personal data and to manual filing systems.
(There is also a special category of personal data, called ‘sensitive personal data’, which already covered, for example, an individual’s religious beliefs, trade union membership, racial or ethnic origin, sexual status, physical health and mental health; and which now also includes genetic and biometric data, if these can be engineered to uniquely identify an individual person. Criminal records don’t fall within this classification but must be similarly treated with extra safeguards.)
You need to be on top of this data, knowing precisely what you’re collecting, how you’re using it and then storing and sharing it, to understand whether you’re doing enough to comply.
5. Consent is vital: At the root of it all is the need to have express consent from that identifiable person (often called a ‘data subject’), for any of those activities – which that individual must have fully understood. Gone is the ability to automatically opt-in individuals (tick consent boxes for them) or to provide only high level and general indications of what will happen to their personal data and then rely on them to opt-out later on (hoping that they won’t go to the effort), if they do not wish to be included in such a manner.
How you communicate with any data subjects about their personal data will be an important piece in your approach to compliance and in being able to evidence that you are complying.
What are the main changes?
If you’re already familiar with the UK’s pre-GDPR data protection regime, this first section won’t be news to you. Skip ahead to the next sub-section entitled ‘What’s changed?’.
However, if you’d like a quick refresher on the pre-GDPR data protection obligations of small businesses generally (which in essence, have been adapted but largely not removed by the GDPR), we’ve summarised the UK’s core legal principles of data protection below and included some other very relevant information. Even if you’re familiar with the existing regime, we recommend you at least skim these before looking at what the GDPR changes and how you must now comply with its requirements.
A quick refresher on data protection obligations generally
The 8 legal principles and what they mean
As UK businesses, we’ve been required to operate according to the following legal requirements relating to data handling and protection for several decades:
- Personal data must be collected and used fairly and lawfully by all businesses and the individuals within them
- It must only be held and used for one or more specified reasons given to the Information Commissioner (note: the requirement to register your business has been altered under the GDPR; see the changes section below)
- You must handle it in a manner that’s compatible with your registered purpose(s) and with what you told the individual when you collected it. (This includes only disclosing it to those people mentioned in the register entry.) Unless you said you would do so in the register, you can’t sell or otherwise share that data
- The data must be adequate, relevant and not disproportionate or excessive given the purpose you stated in the register. Only collect and keep what you reasonably and legitimately need
- The data must be kept accurate and up to date – this is an ongoing duty. So, if someone moves or the data changes, you must update the records you hold
- You mustn’t keep the data longer than is strictly necessary for the registered purpose
- The data must be kept safe and secure – this includes ensuring that it is backed up and access-protected, with access permitted only to those authorised to see it. Never leave it exposed on an open screen or lying around
- You must not transfer the data outside of the European Economic Area (the EU plus a few additional European countries), unless that recipient country has similarly robust data protection rules in place. You may need to take advice on this, but prohibited destinations currently include the United States if you do not have particular shield protections in place in your case. (This prohibition therefore includes the transmission of personal data from the EEA to your own subsidiary or branch office located in the US and/or the ability of that US subsidiary or branch office to access personal data belonging to EEA data subjects from somewhere else, e.g. on a foreign server.)
These mandatory principles must be complied with and enforced by a ‘data controller’. Again, that’s most of us as businesses. A business or organisation that collects personal data and makes decisions about what to do with it is a data controller. Data controlling businesses tend to nominate a member of staff as their data protection officer, to oversee data protection compliance and to interact, as required, with the ICO. However, for businesses with fewer than 250 employees and who are not engaged in certain exceptional activities, this is not a mandatory requirement.
Other key terms and requirements
You’ll also have come across a couple of other terms under the current data protection regime and we’ve included a reminder of their (unaltered) meanings here too:
Data processor
While data controllers collect information and make the decisions about what to do with it, data processors are a step removed from this decision-making activity.
Data processors may be a business or individual (not an employee of a data controller) who helps a data controller by ‘processing’ data based on the controller’s instructions but doesn’t decide what to do with that data. Good examples of data processors are payroll companies, accountants and market research or hosting companies. Cloud providers are also generally treated as data processors.
Data processing
This means any activity or set of actions performed on personal data by automated or manual means, for example, collecting, recording, co-ordination or organisation, structuring, storing and archiving, adapting, retrieving, consulting, using, transmitting, publishing or otherwise making it available, erasure and destruction.
Data privacy impact assessment
This refers to a documented assessment of the rationale for, the risks of, and the mitigation measures relating to a certain type of data processing activity. (Take a look at our separate guide on these for more information about how and when to use them.)
Subject access request
These are requests for disclosure that an individual on whom you hold personal data can make. The individual is entitled to view the data (all of it), verify that you have lawfully collected, stored and used it, and check that it is up to date. You’re legally obliged to comply with this request. (Take a look at our separate guide on these for more information on when these can be made and what you need to do in response to them.)