
How to Handle Personal Data When Expanding Your Business to the UK


If you are expanding your business to the UK, you will need to handle your customers’ data securely and comply with the relevant privacy laws. Even if you only work with a few clients, complying with privacy laws is critical. The General Data Protection Regulation (GDPR) will affect how you handle and store personal data from your customers. This article provides several tips on handling personal data so that you are GDPR compliant when expanding to the UK.

Key Privacy Laws in the UK

The Data Protection Act 2018 governs data protection in the UK. This piece of legislation incorporates the General Data Protection Regulation (GDPR) as domestic law. If you expand your business into the UK, you must ensure your business is GDPR compliant.

The other key piece of legislation you must be mindful of is the Privacy and Electronic Communications Regulations (PECR). The PECR contains important rules on sending direct marketing materials and using cookies on your website.

How to Comply With the GDPR

If you are expanding your business to the UK, you should familiarise yourself with the GDPR because this will affect how you handle personal data. You may collect personal data:

  • directly from your customers (such as their names and contact details); 
  • from your contractors; or 
  • from your customers about their own clients (such as if you are helping your customers to provide services like a SaaS platform).

If you collect any sensitive information, such as health information or information regarding someone’s ethnicity or religion, you must take extra care.

To comply with the GDPR, consider the following steps.

1. Assess Whether You Are a Controller or Processor

The GDPR has different obligations depending on whether you are a data ‘controller’ or a ‘processor.’ Sometimes, you may also be considered a joint controller.

Controllers
A controller determines what personal data to collect and how to process that personal data. Controllers may do so alone or jointly with another entity. For example, you would be considered a controller if you collect contact and payment details from a customer so that you can provide your goods or services to them. You are also a controller when you engage employees.

Processors
A processor processes personal data on behalf of another entity. You may be a controller or a processor, or both a controller and a processor. Many SaaS businesses such as Mailchimp, Stripe, and Xero are considered processors when their customers instruct them to process the personal data of a third party. For example, a business might provide all of its employees’ payment details to Xero.

2. Understand Your Obligations as a Controller or Processor

Some obligations under the GDPR apply to all businesses, such as:

  • implementing appropriate security measures to protect personal data;
  • appointing a data protection officer in some circumstances; and 
  • retaining records of privacy-related activities.

Other obligations will depend on whether you are a controller or processor (and it is possible to be both). Key obligations you will have as a controller are:

  • ensuring you can legally process each piece of personal data that you process;
  • displaying a compliant privacy policy to your customers;
  • familiarising yourself and training your staff on the rights of data subjects; and
  • paying an annual data protection fee to the UK Information Commissioner’s Office (ICO) unless an exemption applies to your business.

Processors also have obligations under the GDPR, including processing only personal data on the instructions of a controller. For example, if you are a CRM provider and your customers upload their clients’ personal data into your system, you should only use their personal data to provide your CRM. Importantly, you should not take that personal data and use it for another business.


3. Put Privacy Documentation in Place

There are several privacy documents that you should put in place to be GDPR compliant. Some of these, such as a privacy policy, are mandatory, and others are a matter of best practice. 

Document: Explanation

Privacy Policy: This is an externally facing policy that lets people know how you handle personal data.

Privacy Register: Your business should keep records of privacy-related decisions it makes and its activities.

Data Processing Agreement: A data processing agreement is a legally binding contract between two parties. It states the rights and obligations of each party concerning the protection of personal data. Use this agreement whenever you appoint a data processor to process personal data.

Data Breach Response Plan: A data breach response plan is a guide that explains what a data breach is and outlines the actions a company will take if a data breach happens.

Data Retention Policy: This policy is a set of guidelines that outline how long you will keep certain types of information or data and the procedures for securely disposing of it when it is no longer needed.

4. Update Your Marketing Practices

If you are moving your business to the UK, you may need to update your marketing practices so they are compliant with the GDPR and PECR. Importantly, ensure you have consent to send marketing materials (unless an exception applies) and seek consent to install any non-essential cookies on a user’s device. 


Key Takeaways

Your business must become GDPR compliant if you want to expand operations to the UK. Not only will you need to comply with the GDPR, but you will also need to ensure that your marketing practices are compliant with the PECR. As a first step, assess whether your business is a controller, processor or both, and understand your corresponding obligations under the GDPR. You should also compile required privacy documentation, including a privacy policy (which a solicitor can help you with), and review your marketing practices to ensure they are compliant.

If you need advice on how your business can stay GDPR compliant, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Lauren McKee

Practice Leader

Lauren is a Practice Leader in LegalVision’s Corporate and Commercial team and works across a broad range of commercial contracts matters. Lauren works with SMEs, startups and enterprise clients to understand their business and assist them with their contracts needs.

Qualifications: Bachelor of Laws (Hons), Bachelor of Arts, Macquarie University.
