How Does UK GDPR Apply to My Business Customers?

In the modern business world, organisations generally handle vast amounts of data, and virtually all businesses will process some form of personal data. With the UK General Data Protection Regulation (UK GDPR) in force, it is essential for you to understand how these rules affect your business customers. Compliance with this law is necessary not just for B2C but also for B2B businesses. This article explores how the UK GDPR applies to your business customers.

What Do UK GDPR Rules Cover?

UK GDPR is a law which protects personal data, giving individuals more control over their data use. For businesses, this means ensuring all personal data you process complies with these rules. Personal data includes any information that can identify an individual directly or indirectly — such as names, addresses, emails, phone numbers, and IP addresses. Both data controllers (organisations determining the purpose and means of processing) and data processors (organisations processing data on behalf of controllers, such as service providers) must comply with the rules. 

Compliance with the UK GDPR is critical. Non-compliance can result in severe fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. Aside from just financial penalties, failing to comply can damage your business’s reputation and harm customer trust. 

Complying with the UK GDPR can also benefit businesses commercially. Committing to protecting personal data and respecting privacy rights is good business practice. 

Does UK GDPR Apply to Business Data?

UK GDPR applies to data subjects and the personal information of living individuals. 

The UK GDPR rules apply to business information if the information can identify a natural person. This includes business emails, phone numbers, employees’ business email addresses, and job titles if they can identify individuals. Even if you do not work with individual consumers, note that the UK GDPR may still apply to your business customers and the data you hold about them. 

Here are some practical examples of how UK GDPR rules can apply to the data relating to your business customers: 

• Sole Traders: A sole trader’s business email, phone number, and other contact details are personal data because they identify the individual. This can apply if your business offers services to sole traders – such as accountancy or copywriting services; 
• Company Employees: Employee information, such as work emails, phone numbers, performance reviews, and employment records, count as personal data even though it relates to their professional roles. You may access this data under contracts with your business customers – for instance, if your business clients share it with you to run their projects which involve their staff; and
• Company Directors: Information about company directors, such as contact details containing their names, is personal data. You may collect this when onboarding business clients who wish to engage you to deliver services. 

What are the Implications of Personal Data in Business Data?

If your business uses business data, including personal data, you must comply with UK GDPR. 

For example, a range of obligations may apply (depending on whether your business acts as a controller or processor), including:

• the need to consider a lawful basis for collecting and processing the data;
• providing clear privacy information about how you use personal information. For instance, as a controller, you will need to inform individuals how you use their data by issuing a privacy policy;
• you must put in place appropriate security measures to protect personal data and have a data breach prevention and response plan; and
• you must respect individuals’ rights regarding their data, such as the rights to access, rectification, and erasure.

Remember that not all business data is personal. Anonymised data, for example, is not covered by UK GDPR. Your organisation should carefully review and assess which types of data it collects from business customers and gauge which personal data you use and why to determine which rules apply. 

Why is it Important to be Careful When Using Business Data?

Handling business data carefully is crucial because it often includes individual personal data. Neglecting data protection rules can lead to UK GDPR breaches, resulting in negative implications such as significant fines and reputational damage. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

The specific requirements for compliance with UK GDPR depend on your business and how it uses personal data. A data protection lawyer can advise you on your business’s actions to achieve compliance. 

Key Takeaways

UK GDPR rules do not just apply to B2C businesses. Understanding and complying with UK GDPR is crucial for any business that processes personal data. This includes understanding that personal data covers any information that can identify an individual, whether directly or indirectly. It is vital to determine if the data you collect or process from business customers includes personal data within the scope of the UK GDPR. If you need support understanding which obligations apply to your business, you should seek legal advice.

If you need advice on compliance with the UK GDPR, LegalVision’s experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

1. What constitutes personal data under the UK GDPR? 

Under the UK GDPR, personal data includes any information that can identify an individual directly or indirectly, such as names, addresses, email addresses, phone numbers, and IP addresses.

2. How does the UK GDPR apply to businesses? 

The UK GDPR rules will apply to the identifiable information of individuals who work in businesses. This may include information about individuals such as company directors or employees.