GDPR – a recap of the basics

Cover Image for GDPR – a recap of the basics

| Claire Thomson

The General Data Protection Regulation (GDPR) has been with us since 2018, the latest in a long line of data protection rules aimed at protecting personal information of individuals. The requirements have been transposed into UK law via the Data Protection Act of 2018, and this Act forms the basis for United Kingdom General Data Protection Regulation (UK GDPR).

Several years on, we recap on the basic principles and what businesses need to be doing to ensure ongoing compliance.

GDPR applies to all businesses in the UK that hold personal data. Relevant data is anything by which an individual could be identified – it could be physical or virtual (e.g. IP address) locations, a name or ID number, or other factors related to that individual. Examples of personal data that could be held by a business would be employee bank details, the addresses of the directors and the phone number of the office landlord. The legislation doesn’t extend to the data held about incorporated entities, but does cover the individuals behind such entities.

Under the legislation, a data controller is a person, company or other body which decides the purposes and methods of processing personal data, whereas a data processor is the person, company or other body who processes the data on behalf of the controller. It is possible to be both a data controller and a data processor.

The Regulation is built around seven key principles, each of which is expanded upon throughout the legislative text.These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality and accountability. It is essential that all businesses consider each of these principles when developing their data protection policies. Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) of the UK Regulation states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

Where there has been a breach of GDPR provisions, it may be necessary to report to the Information Commissioner’s Office (ICO), via their website. A breach can be reported by a data controller, a data processor or an individual concerned about their own or someone else’s personal data.Breaches should be reported on a timely basis. There may also be requirements to report to data subjects that there has been a breach involving their personal data.

Further information on UK GDPR can be found on the Information Commissioner’s Office website at https://ico.org.uk.

The contents of this article are meant as a guide only, and are not a substitute for professional advice. The authors accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting, or refraining from acting, in connection with the matters dealt with in this article.

Image of Claire Thomson

About the Author

OmniPro Practice Support Claire's focus is on helping practices achieve on-going best practice compliance, with a particular focus on delivering technical training and providing guidance on the requirements of financial reporting and company law in both Ireland and the UK. Claire is a qualified Chartered Accountant with the Institute of Chartered Accountants of Scotland, and trained with Grant Thornton in Belfast. She spent 5.5 years in corporate audit, before moving to Grant Thornton’s risk & compliance team, where she spent 6 years supporting the all-Ireland practice as their UK financial reporting subject matter expert. As a member of our Practice Support Team, Claire’s focus is on helping practices achieve on-going best practice compliance, with a particular focus on delivering technical training and providing guidance on the requirements of financial reporting and company law in both Ireland and the UK. Claire is a qualified Chartered Accountant with the Institute of Chartered Accountants of Scotland, and trained with Grant Thornton in Belfast. She spent 5.5 years in corporate audit, before moving to Grant Thornton’s risk & compliance team, where she spent 6 years supporting the all-Ireland practice as their UK financial reporting subject matter expert.

YOU MAY ALSO LIKE

Cover Image for FAQ - Frequently Asked Questions

FAQ - Frequently Asked Questions

 

What is Per Minute CPD™?  Per Minute CPD ™ allows you to do CPD in smaller chunks, in a wa...

Cover Image for AI: Friend Not Foe

AI: Friend Not Foe

 

Artificial Intelligence (AI) has emerged as a transformative force, one that professionals...

Cover Image for 947 508 Minutes of CPD

947 508 Minutes of CPD

 

Last year, over 947 508 minutes of webinars, video courses and blogs were consumed on CPDS...