The General Data Protection Regulation (GDPR) affects all businesses in the UK that collect personal data about their customers. The law creates obligations on your business around that personal data, how you collect it and what you do with it. Importantly, the fines for breaching GDPR are substantial. This article explains what you need to know about GDPR. It also explains how it affects your business and how you can ensure you comply with it.
What is GDPR?
GDPR stands for the General Data Protection Regulation. This is a European Union privacy law that came into effect in 2018 across the whole of the EU. At the time it came into effect, this included the UK.
GDPR gave EU individuals rights over their personal data. As a result, GDPR created obligations on all businesses that supply, or even target, individuals living in the EU. Although the UK left the EU on 1 January 2021, GDPR was incorporated into UK law. That means that UK businesses must still comply with GDPR.
What is Personal Data?
Personal data is information about a specific identifiable individual that relates to them. For example, you can consider any of the following personal data:
- a person’s name;
- an identification number like a National Insurance number;
- location information;
- a person’s IP address.
Essentially, it is information that identifies a person, or that could be used to identify someone. The information held must also relate to that person to constitute personal data under GDPR.
Whether information relates to the identified or identifiable person is more complex and depends on various factors. These factors include what the data is and why you are collecting it. It also includes the effect of processing that data on the individual in question.
Data Controller vs Data Processor
The effect of GDPR on your business depends on whether you are considered a data controller or a data processor.
Simply put, a data controller decides why and how personal data is collected from an individual. A data processor processes that data for the data controller. However, a data processor does not decide who the data is collected from or why it is collected. A data processor has several obligations under GDPR, including keeping records of personal data and data processing activities.
On the other hand, a data controller has more substantial obligations. As well as complying with all the obligations of GDPR that would apply to data processors, data controllers must also ensure that the data processors they use comply with GDPR.
For example, you decide what information you need from your customers to sell and market to them, and you decide how you keep that data and what you do with it. All of those things are activities of a data controller, not a data processor.
How to Ensure Your Business is GDPR Compliant
GDPR has seven fundamental principles which underlie your obligations. These principles state that personal data regarding individuals must be:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary for the purpose you are collecting it for;
- accurate and kept up to date (where that is relevant);
- kept in a form that allows identification of the individual for no longer than is necessary for the purpose it was collected for;
- processed in a way that has appropriate security to guard against unlawful access or processing; and
- handled in a way that lets you demonstrate your compliance with the above (accountability).
Essentially, you must comply with these seven principles and ensure that any third parties who process data on your behalf also comply with them. The Information Commissioner’s Office (ICO) website contains helpful information and checklists to ensure you understand your business’s obligations under GDPR.
Lawful Processing of Personal Data
There are several lawful bases for processing personal data. For most businesses in the UK, processing is lawful if the individual has consented to you processing their personal data. You also need certain information to process customer orders. For example, you cannot process a customer’s order for physical goods if you do not have their name and address. Collecting information that allows you to complete customer orders is lawful under GDPR.
GDPR creates privacy obligations on you to explain why you are processing your customer’s personal data and the lawful basis for processing it. For this and other GDPR obligations, you must have a comprehensive privacy policy that explains this information.
If you are collecting personal data on the basis that the individual has consented to it, that consent must be explicit. For example, if you have a form on your website which allows a person to sign up for your email newsletter, they must indicate that they understand that you will add them to your mailing list. You can usually accomplish this by including a checkbox that the person must actively tick.
What Rights Do I Need To Be Aware Of?
GDPR gives individuals eight rights over their personal data, which are the rights to:
- be informed;
- access;
- rectification;
- erasure;
- restrict processing;
- data portability;
- object; and
- not be subject to solely automated decision-making, including profiling.
These rights place further obligations on you as a business owner. For example, as indicated above, the right to be informed means you must provide individuals with information about the data you are collecting and why you are collecting it. This is why you need a privacy policy for your business. In addition, there may be other policies that you need to put in place to demonstrate your business’s compliance with GDPR. The ICO website includes a section on accountability with various checklists so you can consider what policies your business needs.
The rights listed above are essential to note. If an individual wants to exercise their rights, you must comply with their request. Hence, it is essential to decide, as a matter of business policy, how you will process such requests. Again, the ICO website has valuable checklists to help you with this.
What Happens If I Do Not Comply with GDPR?
The fines for not complying with GDPR are substantial and can be as much as £17.5 million or 4% of your annual turnover. Therefore, you must ensure your company complies with GDPR.
Key Takeaways
You must ensure your business is GDPR compliant. GDPR places obligations on you to ensure that all personal data you collect from individuals based in the UK or EU is handled in keeping with the seven principles of GDPR listed above. You must also be able to demonstrate that you have processes and policies in place so that individuals can exercise the rights over their personal data that GDPR gives them.
If you need help ensuring your business is compliant with GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Yes, GDPR rules apply to all businesses regardless of their size. You need to make sure you have a straightforward privacy policy so your customers understand what data you are collecting and why. You need to make sure the way you hold that data is secure and that you can easily update or delete a customer’s information if they request you to.
Individuals must give explicit consent to have their data collected by your business. The easiest way to accomplish this is to ensure that the individual completes an overt action. For example, before providing you with their email address, you could ensure that they have to tick a check box that confirms they understand and consent to provide you with that email address.