As a business owner, you will undoubtedly have heard of the General Data Protection Regulation (GDPR). These data protection rules have received large-scale media coverage for several years, not least because the Information Commissioner’s Office (ICO) can fine organisations in the UK up to £17.5m, or 4% of annual worldwide turnover if that is higher, for breaches. This article explores which information your business can handle without the GDPR applying, so that your compliance effort goes into the data that is actually in scope.
What is the GDPR?
The GDPR is a complex and lengthy piece of legislation that aims to protect personal data belonging to individuals (known as ‘data subjects’) from misuse. The UK GDPR is the EU GDPR as retained in UK law after Brexit; it operates alongside the Data Protection Act 2018, which supplements it with UK-specific provisions.
In order to do so, the GDPR contains various vital principles, which include:
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- accountability;
- integrity and confidentiality (security of data); and
- lawfulness, fairness and transparency.
Overall, the GDPR requires businesses to limit the data they hold to what they need, store it securely and delete it when it is no longer needed. It also requires companies to tell individuals clearly how their data will be used (usually in a Privacy Policy) and how to complain about that use.
Who is the ICO?
The ICO is the UK’s independent data protection regulator and enforces data protection rights against organisations across the UK, not only in England. It does so in two main ways:
- providing online guidance as to the safe handling and processing of personal information; and
- taking enforcement action against organisations in the UK that fail to comply with the GDPR, including fines of up to £17.5m or 4% of annual worldwide turnover, whichever is higher.
The ICO is empowered to impose hefty fines, and it does so against non-compliant businesses. However, its stated preference is to help organisations comply in the first place, which is why it publishes extensive guidance on the GDPR.
What Information Does the GDPR Cover?
The primary remit of the GDPR is to protect ‘personal data’. This means any information relating to a living person who can be identified from it, directly or indirectly (sometimes called ‘personally identifiable information’).
This is an extremely wide definition and can include all of the following types of data:
- date of birth;
- email address;
- phone numbers;
- weight and height information;
- photographs;
- copies of ID;
- IP addresses;
- biometric information; and
- health data.
The above is far from an exhaustive list and demonstrates that practically any information relating to an identifiable individual is likely to constitute ‘personal data’. Realistically, most of the information your business holds about people will fall within the GDPR. The rules apply in the same way whether the individual is a customer, a staff member or a contact at another business.
Information the GDPR Does Not Cover
The GDPR does not cover information that is not ‘personal data’. However, as we have seen above, most information that relates to people can identify an individual.
The principal exemption is anonymous data. Genuinely anonymous information has had every identifier removed, so that the individual can no longer be identified by any means reasonably likely to be used. For example, if your business carries out a staff poll and only keeps aggregate results, this would not come under GDPR rules as it would not constitute personal data. The caveat is that the anonymisation must actually work: if a small team has only two respondents, or free-text answers give the respondent away, the ‘anonymous’ results still identify people and remain personal data.
However, some businesses fall into the trap of believing pseudonymised data to fall outside GDPR rules. This is not the case. Pseudonymisation replaces a direct identifier (a name or email address) with a token, but the original data can be recovered by anyone who holds the key or can rebuild the tokens from other information, so the ICO treats it as a security measure rather than as anonymisation, and the data remains personal data. Because of this, some business owners obtain legal advice on whether information is truly anonymous or merely pseudonymised before handling it.
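The difference between pseudonymised and anonymised data is easier to see with code. The following is an added example, not code from the original article or from the ICO; the staff survey data, the email addresses and the key in it are constructed for illustration. It shows three things: an unkeyed hash of an email address can be reversed by anyone who can enumerate the candidate emails (a staff directory is enough); a keyed HMAC stops outsiders but the key holder can still re-identify, so the data is still pseudonymised; and aggregating to counts, with small groups suppressed, produces data that cannot be traced back to a respondent.

```python
"""Pseudonymised vs anonymised survey data (added example, constructed data)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample dataset (not real people): staff survey answers keyed by email.
RESPONSES = [
    {"email": "alice@example.com", "team": "finance", "answer": "yes"},
    {"email": "bob@example.com",   "team": "finance", "answer": "no"},
    {"email": "carol@example.com", "team": "finance", "answer": "yes"},
    {"email": "dan@example.com",   "team": "finance", "answer": "yes"},
    {"email": "erin@example.com",  "team": "ops",     "answer": "no"},
    {"email": "frank@example.com", "team": "ops",     "answer": "yes"},
]


def sha256_token(email: str) -> str:
    """Unkeyed hash of the email: anyone who can guess the input can rebuild it."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def hmac_token(email: str, key: bytes) -> str:
    """Keyed hash: outsiders without the key cannot rebuild it, but the key holder can."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(rows, token_fn):
    """Swap the direct identifier for a token; every other field is kept as-is."""
    return [{"token": token_fn(r["email"]), "team": r["team"], "answer": r["answer"]}
            for r in rows]


def reidentify(pseudonymised, candidate_emails, token_fn):
    """Re-identification by enumeration: rebuild the token for every candidate email
    (e.g. from a staff directory) and match it against the dataset.
    Returns token -> email for every row that was recovered."""
    lookup = {token_fn(e): e for e in candidate_emails}
    return {r["token"]: lookup[r["token"]] for r in pseudonymised if r["token"] in lookup}


def anonymise(rows, min_group=3):
    """Aggregate to counts only. Teams with fewer than min_group respondents are
    reported as suppressed, because a single 'no' in a two-person team identifies
    the respondent to anyone who knows the team."""
    overall = Counter(r["answer"] for r in rows)
    team_sizes = Counter(r["team"] for r in rows)
    by_team = {}
    for team, size in team_sizes.items():
        if size < min_group:
            by_team[team] = "suppressed"
        else:
            by_team[team] = dict(Counter(r["answer"] for r in rows if r["team"] == team))
    return {"overall": dict(overall), "by_team": by_team}


if __name__ == "__main__":
    directory = [r["email"] for r in RESPONSES]  # what an insider or attacker could obtain
    weak = pseudonymise(RESPONSES, sha256_token)
    print("SHA-256 pseudonyms recovered from a staff directory:",
          len(reidentify(weak, directory, sha256_token)), "of", len(weak))
    key = b"constructed-secret-key"  # hypothetical key, held by the data controller
    keyed = pseudonymise(RESPONSES, lambda e: hmac_token(e, key))
    print("HMAC pseudonyms recovered without the key:",
          len(reidentify(keyed, directory, sha256_token)))
    print("HMAC pseudonyms recovered by the key holder:",
          len(reidentify(keyed, directory, lambda e: hmac_token(e, key))))
    print("Anonymised counts:", anonymise(RESPONSES))
```

Run stand-alone it recovers all six SHA-256 pseudonyms from the directory, none of the HMAC pseudonyms without the key and all six with it, and reports the two-person ops team as suppressed in the aggregate output. The point for the data inventory is that both tokenised datasets are still personal data in the hands of anyone who can re-identify them; only the suppressed count table is a candidate for treatment as anonymous.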
Key Takeaways
The ICO confirms that the GDPR applies only to information that could be used to directly or indirectly identify a living person, which it calls ‘personal data’. Information that does not identify an individual is not personal data and does not come under GDPR rules, so your business does not risk an ICO fine for handling it. In practice, the main category of information that falls outside the rules is genuinely anonymised data; pseudonymised data does not qualify. Because of this, and the size of the fines the ICO can impose, many business owners obtain expert legal advice before treating information as outside the GDPR.
If you need help handling data in accordance with GDPR rules, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Does the GDPR still apply after Brexit?
Yes. Existing EU law, including the GDPR, was retained in UK law as the UK GDPR; Brexit stopped new EU law from applying in the UK but did not repeal the rules already in force.
Does the GDPR apply to small businesses?
Yes, the ICO has confirmed that the GDPR applies equally to all businesses, whether sole traders, SMEs or global corporations.