Since 2016, when the EU General Data Protection Regulation (EU GDPR) was introduced, data protection has grown from being seen somewhat as an afterthought to an essential consideration for any business that processes personal data (information which relates to an identified or identifiable natural person). Since then, the UK has left the EU, meaning that any business processing the personal data of UK residents now has to comply with the UK GDPR and the Data Protection Act 2018 (DPA).
Data protection laws aim to give individuals more control over their personal data by granting them a number of rights, including the right to be informed how businesses are using their data; to have access to the data being processed about them; and, sometimes, to have it erased.
Data protection laws also try to ensure that businesses are adequately protecting the personal data that they process. So, aside from respecting the aforementioned rights of individuals, the UK GDPR and DPA place further restrictions and obligations on their use of personal data. These rules centre around 7 key principles:
The seventh principle, Accountability, speaks to the heart of data protection law. It places the onus on each company not only to comply with the legislation, but also, crucially, to demonstrate its compliance. Although demonstrating compliance with these principles will likely take considerable time and financial investment, the cost of non-compliance is likely to be far harder to swallow.
The cost of non-compliance
The UK GDPR operates a two-tier fine system. For a less serious breach of the UK GDPR, you could be fined up to €10 million or 2% of your annual turnover. For a more serious offence, this doubles to €20 million or 4% of annual turnover. Fines for data breaches sit in the higher tier; however, additional costs may be accrued through post-breach mitigation, and through litigation if the data subjects affected pursue legal action.
Failure to comply can also land your business with a reputation for mishandling its customers' personal data, a perception that can be hard to shake. Conversely, by complying, businesses can bolster their reputation as a company that looks after the personal data of its employees, clients and customers, as well as avoid any enforcement actions or fines.
So, what does all this mean for your business?
As a minimum, you need to be aware of the following:
Before you can put together an effective data protection strategy, it is key that you know what categories of personal data you process, why you need the data, who has access to it, and how long you keep it for. Conducting a data discovery exercise will help you to see how you process personal data across your business, enabling you to identify risk areas which you can then manage.
Under the UK GDPR, data breaches that are severe enough to be reported to the Information Commissioner's Office (the UK's data protection supervisory authority) must be reported within 72 hours of you becoming aware of them. This timeframe does not change for weekends or bank holidays, so having an efficient breach reporting procedure in place is vital. It is also important that all employees are trained to understand what a breach is and where to report it.
Companies have one calendar month to fulfil valid rights requests from the time they are received, so it is important that you have a predefined process for dealing with these efficiently.
The UK GDPR holds data controllers and processors jointly and severally liable for any non-compliance, meaning that if, as a controller, you pass personal data on to a third-party processor, you are responsible for ensuring that they comply with the law.
In summary, the GDPR insists on transparency and honesty from companies so that individuals are better informed and have greater control over what happens to their personal data. This does rely upon organisations taking the necessary steps to comply with the regulation.