Privacy Laws in England and Wales: What are Your Obligations as a Business?

As of 2018, the General Data Protection Regulation (GDPR) imposed new data privacy obligations on businesses in England and Wales. These included the obligation for businesses to store and safeguard their customers’ personal information. Your business can face substantial fines if you do not comply with the legislation. For that reason, it is wise to know and understand your business’s data privacy obligations. This article details the different obligations that the GDPR places on businesses to protect their customers’ personal data.

What is GDPR Compliance? 

The GDPR applies to any person residing in the European Union. The regulations ensure that businesses safely collect, process and store personal information in their daily functions. 

Many businesses now need to collect sensitive data from their customers to operate. For example, online retailers collect consumer information to facilitate deliveries of goods, run marketing campaigns and operate general business practices. 

Storing and using that data is known as data processing. Importantly, your business’ obligations may vary depending on how your business uses its customers’ information. So, to understand your obligations under GDPR, you must establish whether you are a data controller or a data processor. 

Are You a Data Processor or Data Controller? 

What is a Data Controller?

In short, data controllers are the primary decision-makers when managing and storing personal data. They decide what information is collected and the purposes for collecting that information. Data controllers typically have a relationship or contract with the person whose data is being collected, also known as the ‘data subject’, and will appoint a processor to collect their data on their behalf. 

Controllers take on more GDPR responsibilities than processors. This is because controllers seek to collect data for their business functions. They are also responsible for the compliance of their data processors. Data controllers must register with the Information Commissioner’s Office (ICO) and pay a data protection fee. 

What is a Data Processor? 

Data processors collect, handle, and store customers’ personal information on behalf of a controller. Typically, a processor follows the data controller’s instructions on how and where to collect personal data. Unlike data controllers, data processors do not decide what data should be collected or how the data is used. Furthermore, they do not decide how long to retain the data.

Processors do not carry the same privacy obligations under the GDPR as data controllers. Still, they must ensure that they correctly follow the controller’s instructions, prevent breaches and maintain security, and notify controllers of potential breaches.

Here are several obligations your business must adhere to if you are a data controller or processor. 

GDPR Privacy Obligations Imposed on Businesses

Process Data Fairly and Lawfully

This obligation applies to both controllers and processors and requires that you use data lawfully and obtain it fairly.

If your business is a data controller, you must acquire data in a way that does not contravene data protection regulations. You must also use that data appropriately in the functioning of your business. It is your responsibility to ensure that your data processors comply with this principle.

Collect Adequate Information For Specified and Legitimate Purposes 

If your business is a data controller, you must only collect a reasonable amount of specified data from your customers. You must also have a purpose for doing so that is both lawful and well-reasoned. Otherwise, you can receive a fine if you collect unnecessarily large amounts of data that have no bearing on your business practices. Additionally, you must not hold the data you collect for longer than necessary.

Accountability and Transparency

Both data processors and data controllers must be held accountable for how they use personal data. That requires them to keep a history of how they store and process personal information and be transparent on how and why they collect and process personal information. 

Security

Data processors must take the appropriate measures to ensure their security systems are up to date and secure enough to prevent any data breaches from occurring. 

Controllers must also employ the same practices and have an obligation to ensure any data processor they employ is securely housing their customers’ personal information. 

Duty to Delete and Amend Personal Information When Requested

A customer can request a data controller to delete, alter or ask for access to their personal information. In that case, data controllers must fulfill these requests and amend or delete their data immediately after the customer makes the request.

Notification of Potential Breaches

If you become aware of a potential data breach, you must report that breach as soon as possible. If you are a data processor, you need to immediately report that breach to your data controller. 

Data controllers are responsible for notifying the Information Commissioner’s Office (ICO). The ICO is the regulatory authority responsible for overseeing data protection regulation in England and Wales. Additionally, data controllers must also notify any persons whose information has been leaked and appropriately take measures to rectify the situation. 

Data Controller’s Responsibility for their Processors

Data controllers also must ensure that their processors are operating within the GDPR’s standards. A processor’s failure to comply with any of the above obligations or data protection laws can result in fines against you as the data controller. 

Key Takeaways

When establishing your business’s data protection obligations under the GDPR, you must first establish whether you are a data processor or a controller. Both result in different privacy obligations to businesses. Therefore, identifying whether you are one or the other can help you adhere to the GDPR. 

Generally, your business will have an obligation to safeguard the information you collect from your customers appropriately. You may therefore need to: 

  • ensure the appropriate security measures are in place to store data;
  • process data lawfully and fairly;
  • be transparent about how you use that data; and
  • allow customers to access, delete and amend their personal data as they desire.

You should seek the advice of a practising lawyer if you are trying to understand your privacy obligations under the General Data Protection Regulation. If you need advice on how your business can stay GDPR compliant, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why are greater obligations placed on data controllers?

Data controllers have greater obligations because they oversee data processing, which more often than not occurs through a third-party data processor. In instructing a processor to handle their customers’ personal information, a controller acquires further obligations to ensure the processor is acting fairly and within the law.

How do I know if I am a data controller or data processor?

The main distinguishing feature between a data controller and a data processor is whether you are instructing another entity on what data to collect. If you instruct another entity to process data, you are a data controller. On the other hand, if you receive instructions to process personal information, then you are a data processor.

Author: Edward Carruthers