The General Data Protection Regulation (GDPR) has applied since 25 May 2018, the latest in a long line of data protection rules aimed at protecting the personal information of individuals. In the UK it was accompanied by the Data Protection Act 2018 and, following the UK’s exit from the EU, was retained in domestic law as the United Kingdom General Data Protection Regulation (UK GDPR), which the 2018 Act continues to supplement and tailor.
Several years on, we recap the basic principles and what businesses need to be doing to ensure ongoing compliance.
UK GDPR applies to all businesses in the UK that process personal data, and merely holding data counts as processing. Personal data is any information relating to an individual who can be identified from it, directly or indirectly: a name or ID number, a physical address, an online identifier such as an IP address or device ID, or other factors specific to that individual. Examples of personal data that a business might hold include employee bank details, the home addresses of the directors and the phone number of the office landlord where the landlord is an individual. The legislation does not extend to data held about incorporated entities, but does cover the individuals behind such entities.
Under the legislation, a data controller is a person, company or other body that decides the purposes and means of processing personal data, whereas a data processor is a person, company or other body that processes personal data on behalf of a controller. The same organisation can be a controller for some processing and a processor for other processing, so the role should be assessed activity by activity. Processors are not exempt from the Regulation: they carry obligations of their own, including keeping the data they handle secure and assisting the controller in meeting its duties.
The Regulation is built around seven key principles, each of which is expanded upon throughout the legislative text. These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The integrity and confidentiality principle is the security principle: Article 5(1)(f) requires personal data to be processed in a manner that ensures appropriate security, and Article 32 turns this into a duty on controllers and processors to implement technical and organisational measures appropriate to the risk, such as pseudonymisation and encryption of personal data, the ability to restore availability and access after an incident, and regular testing of those measures’ effectiveness. It is essential that all businesses consider each of the seven principles when developing their data protection policies. Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) of the UK Regulation states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
A personal data breach is narrower than a breach of the Regulation generally: it is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Where one occurs, the controller must report it to the Information Commissioner’s Office (ICO), via the ICO website, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. A processor that discovers a breach must notify its controller without undue delay, and individuals concerned about their own or someone else’s personal data may also raise the matter with the ICO. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay. Every personal data breach, whether or not it meets the threshold for reporting, should be recorded internally together with its facts, its effects and the remedial action taken, since the ICO may ask to see that record to verify compliance.
Further information on UK GDPR can be found on the Information Commissioner’s Office website at https://ico.org.uk.
The contents of this article are meant as a guide only, and are not a substitute for professional advice. The authors accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting, or refraining from acting, in connection with the matters dealt with in this article.