September 30, 2022
Unless you’ve been living under a rock for the last few years, you’ll no doubt have heard of the General Data Protection Regulation, aka the GDPR. The GDPR is a regulation designed to protect the privacy and security of individuals’ personal data. Non-compliance carries financial and reputational risks, and as a business that collects data you are very likely to be subject to it. In this guide, we set out what you need to do to be compliant. For the purposes of this blog, we'll be focusing on the UK GDPR. It's worth noting that the UK GDPR is a separate regime from the EU GDPR, and you may be subject to both, or just one. Let's dive in.
With the implementation of the EU GDPR in May 2018, followed soon after by the UK’s Data Protection Act 2018, a new era for data protection dawned. On 1 January 2021, the UK brought its own version of the GDPR (the UK GDPR) into effect, setting out the key principles, rights and obligations for the handling of personal data.
The UK’s data regulator, the Information Commissioner’s Office (ICO), has the power to impose a number of sanctions for breaches of data protection law, including hefty fines, which has focussed the minds of many business owners and suddenly made data protection a hot topic.
Many businesses find the prospect of compliance daunting. However, it’s worth bearing in mind that at any given time the majority of businesses will not, strictly speaking, be GDPR “compliant”, and the ICO understands that compliance is not a tick-box exercise but something that needs to be worked at on an ongoing basis. What the ICO is looking for is for businesses to take data protection seriously: to inform themselves as to what the law requires, to think about how they use data and why, and to have effective processes in place.
How you manage data protection within your business will be unique to your organisation and the risks involved. It is important to reflect on how and why you use personal data within your business and to seek advice and support about how to manage your use.
Data protection is principle-based rather than ‘one size fits all’: you will always need to take decisions based on the risks involved. But we’re going to take you on a whistle-stop tour through some of the basics to give you an overview of the regime and some pointers on where to start taking steps towards managing risks effectively.
Given its scope and complexity, you're likely to have a number of questions surrounding the GDPR, and what it means for your business. Let's tackle these.
Will the GDPR apply to my business? It’s pretty safe to assume it will (sorry). The GDPR applies to businesses of all shapes and sizes wherever personal data is being processed (more on processing below). If you employ staff, you hold their personal data at the very least.
Personal data is information about a living person that identifies them (or that could identify them when combined with other information). It doesn’t matter if the information doesn’t seem particularly ‘private’ – even information that is publicly available can be personal data.
Processing is essentially anything that you ‘do’ with personal data. Examples of processing include collecting, using, disclosing or even deleting personal data.
A data controller (or just plain old ‘controller’) is the party that decides how and why personal data will be processed.
A data processor (also just known as a ‘processor’) is a party that processes personal data on behalf of the controller, in accordance with the controller’s instructions. For example, a provider to whom you outsource a service such as payroll or an HR system.
Now you speak the lingo, let’s look at the basis of the law itself.
There are 7 key principles of the GDPR. These are:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability
These principles are the backbone of the Regulation, and businesses’ obligations revolve around them.
First up...
This principle (lawfulness, fairness and transparency) underpins the whole regime. Businesses must identify a ‘lawful basis’ (in simple terms, a good legal reason) for processing personal data. There are six bases that you may seek to rely on. Very briefly, these are:
1. Consent: the individual has given clear consent for you to process their data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or for steps they have asked you to take before entering into one.
3. Legal obligation: the processing is necessary for you to comply with the law.
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions.
6. Legitimate interests: the processing is necessary for your legitimate interests or those of a third party, unless the individual’s interests or rights override them.
It is worth noting that additional obligations apply in respect of ‘special category’ data, e.g. health or ethnicity, and to criminal offence data. Processing must be done in compliance with the law and in a way that is fair: it must not have an unjustified adverse effect on the individual, and it must not be done in a way that is unexpected or misleading. Transparency means businesses need to be very clear with people from the outset about how their personal data is being used. Next up...
Purpose limitation: you must clearly identify your purposes for processing, document them, and make this information available to data subjects. A common way to do this is through a privacy notice (often called a privacy policy) on your website. Having told people why you collect their data, you should not then use it for a new purpose that is incompatible with the original one.
You must only collect the data you really need. If you’re delivering a package to a customer, do you really need their date of birth, for example? It might be useful to know the age of your average customer for marketing purposes, but do you really need to know in order to deliver the package? On the other hand, if you are selling a product that is only suitable for people over the age of 18, this may be a valid reason to collect this information.
You must ensure the data you hold is accurate. Consider whether you may need to take steps to ensure that the information you hold is up to date.
You must not keep data for longer than you really need to. We’re often asked, ‘how long can we keep data for?’ and the answer will be different for each business (or even for each set of data within that business) depending on what the specific purpose for processing is. You need to actively manage your data by regularly reviewing it and erasing or anonymising it where possible.
It is vital that you have security measures in place to protect the personal data you hold, and that these are appropriate to the type and sensitivity of the data and the risk to the individuals concerned. You’ll need to consider technical measures such as access controls and encryption, and don’t forget to think about how to protect hard-copy data too.
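To make the storage limitation and security principles above a little more concrete, here is an added example written for this guide; it is not code from the original post or from any particular product. It assumes a hypothetical customer record store with a made-up retention schedule (RETENTION_DAYS) and constructed sample records, and it shows two things: a purge routine that erases records once their documented retention period has passed, and a keyed pseudonymisation step so that an outsourced analytics processor receives tokens rather than email addresses. The HMAC key is an assumption too; in practice it would live in a key store, held apart from the records and never given to the processor.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Retention period per documented processing purpose, in days. These values are
# constructed for this example; real ones come from your own retention schedule.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfilment": 30,
    "warranty_claims": 730,
}


@dataclass
class CustomerRecord:
    record_id: str
    purpose: str        # the documented purpose this record was collected for
    collected_on: date
    name: str
    email: str
    postcode: str


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    An unkeyed hash of an email address can be reversed by hashing guessed
    addresses, so a secret key is used. Whoever holds the key can still link
    the token back to the person, which is why pseudonymised data is still
    personal data under the GDPR: keep the key apart from the records and do
    not hand it to the processor receiving the tokens.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def retention_deadline(rec: CustomerRecord) -> date:
    """Last day the record may be kept under its purpose's retention period."""
    if rec.purpose not in RETENTION_DAYS:
        # Refuse to guess: a purpose with no documented period is itself a gap
        # in the retention schedule that needs fixing.
        raise ValueError(f"no retention period documented for purpose {rec.purpose!r}")
    return rec.collected_on + timedelta(days=RETENTION_DAYS[rec.purpose])


def purge_expired(records: List[CustomerRecord], today: date) -> Tuple[List[CustomerRecord], List[str]]:
    """Split records into those still within retention and the ids to erase."""
    kept, erased = [], []
    for rec in records:
        if today > retention_deadline(rec):
            erased.append(rec.record_id)
        else:
            kept.append(rec)
    return kept, erased


def export_for_analytics(records: List[CustomerRecord], key: bytes) -> List[dict]:
    """Hand a processor only the minimum: a pseudonym, the purpose and an outward postcode."""
    return [
        {
            "customer": pseudonymise(rec.email, key),
            "purpose": rec.purpose,
            # Outward half of a UK postcode only: enough for regional stats,
            # far less identifying than the full postcode.
            "area": rec.postcode.split()[0],
        }
        for rec in records
    ]


def sample_records() -> List[CustomerRecord]:
    """Constructed sample data for the example; not real people."""
    return [
        CustomerRecord("r1", "order_fulfilment", date(2022, 8, 1), "A. Example", "a@example.com", "SW1A 1AA"),
        CustomerRecord("r2", "order_fulfilment", date(2022, 9, 20), "B. Example", "B@Example.com", "M1 1AE"),
        CustomerRecord("r3", "warranty_claims", date(2021, 1, 15), "C. Example", "c@example.com", "EH1 1YZ"),
    ]


if __name__ == "__main__":
    key = b"example-key-held-separately-from-the-records"  # assumption: fetched from a key store in practice
    kept, erased = purge_expired(sample_records(), today=date(2022, 9, 30))
    print("erased:", erased)  # r1 is 60 days old, past its 30-day period
    for row in export_for_analytics(kept, key):
        print(row)
```

Two design points worth noting: the purge refuses to run on a record whose purpose has no documented retention period, because silently keeping it forever is exactly the outcome the storage limitation principle forbids; and the export gives the processor only what its purpose needs, which is the data minimisation principle applied to a controller-to-processor transfer.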
You are required to take responsibility for the management of personal data within your organisation. You must take steps to put appropriate measures in place and be able to demonstrate the steps you have taken towards compliance. Be sure to record any decision you make about personal data and the thinking behind your decision.
Is your house in order? There are a number of policies and notices that you will need to put in place. Again, what you will need to introduce will depend on exactly what you’re doing with personal data within your business, but you should consider whether you need the following:
If you would like some support with undertaking a data audit, developing policies or drafting GDPR-compliant contracts to get your data protection house in order, or if you have any other queries at all about the GDPR and how to meet your obligations, we can help. Discover how we help businesses with their data protection obligations here.