If you’re unsure what GDPR is and how to comply with data protection law, it’s time to get to grips with the rules. All businesses use personal information in one way or another, and to do so they are required to comply with current legislation.
Here we explain the relevant requirements, rules and penalties for the UK, what they are for and how to comply with them.
What is data protection for?
The General Data Protection Regulation is the new European Union legal framework which aims to protect people’s personal data and regulate the ways in which companies use them.
The main development brought in by the GDPR is greater control over personal data and the right for individuals to decide if their data can be used – or not – by any entity. It also gives them access to their data and the ability to modify them or withdraw access whenever they want.
The regulation was approved in May 2016, but it wasn’t until 25th May 2018 that it came into force in all European countries, as well as in other countries where companies process the data of European citizens.
The Data Protection Act of 1998 regulated the handling of personal data in the UK; however, this was replaced by the European Union’s General Data Protection Regulation (GDPR) when it came into force in 2018. Since 1st Jan 2021, when the UK officially left the European Union, the UK has had its own version of the regulations, the UK GDPR, which is based on the EU framework with certain alterations for the UK context.
All these laws share the same aim of protecting fundamental human rights and freedoms, regulating the handling of personal data, and increasing data security.
The objectives are therefore as follows:
- Protect UK and European citizens and give them control over their personal data.
- Reinforce the rights of the individual to access, erase or modify their personal data when they so wish.
- In Europe, to standardise data protection rules across the continent.
Broadly speaking, this new data protection regulation considers three fundamental aspects:
- Data protection: when data is collected, the information must be clear enough for the interested party to understand easily. Also, there must be a legitimate purpose and the use of data should be limited to this purpose. Afterwards, the data should be stored securely.
- Use of data: the data must only be used for the explicit purpose stated when the information was collected.
- The international transfer of data: sending personal data outside the European Economic Area to a country that does not offer adequate data protection is prohibited.
Additionally, a set of requirements imposed by the GDPR must also be taken into account:
- Individuals have the right to be informed about the collection and use of their personal data.
- Data collection must be carried out with a clear and explicit statement of the data processing purpose.
- The use of data is limited to the purposes stipulated at the outset.
- Citizens can move, copy or transfer their data to another company.
- If companies identify data security breaches, they must inform the authorities within 72 hours.
- Companies must designate a Data Protection Officer (DPO).
So, the GDPR follows three basic principles:
- The principle of responsibility: companies or public bodies who process personal data must implement mechanisms to ensure they have adopted all the measures necessary to comply with the GDPR.
- The principle of data protection by default or by design: from the moment the company is established, or a product is designed, they must adopt measures that guarantee compliance with the regulation.
- The principle of transparency: legal terms and privacy policies should be simple, complete and understandable.
As we can see, the GDPR places huge emphasis on guaranteed rights for users. Users must always give their express consent for the use of their data at the point of collection. What’s more, they have the right to move, copy or transfer their data from one location to another, or, if they so wish, to erase them completely.
Data Protection Regulations
As we’ve already seen, the GDPR came into force in 2018: this was a new legal framework agreed to by the countries that make up the European Union. It is also compulsory for anyone who sells their goods or services in these territories to comply. Its scope is unprecedented.
One of the unique points of the GDPR is that it awards people more rights. In a nutshell, they must give their explicit consent for the transfer and use of their data and can modify or erase this whenever they want.
In the UK, the Data Protection Act of 2018 (DPA 2018) sits alongside and supplements the UK GDPR: it sets out how the GDPR is applied in the UK and includes, for example, the exemptions that apply. The Data Protection Act follows six data principles which state that information must be:
- Used fairly, lawfully, and transparently.
- Used for specified, explicit purposes.
- Used in a way that is adequate, relevant, and limited to only what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary.
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.
Who does data protection affect?
All companies must comply with the 2018 Data Protection Act. In other words, all UK organisations, both public and private, that collect and use personal data need to incorporate data protection into their policies.
The European regulation establishes a wide scope of enforcement which means that companies outside the EU that provide goods or services to European citizens must comply with the GDPR, as well as companies with a base in an EU country.
On a business level, it affects practically all company departments, so it is useful to designate, as the law requires, a data protection officer to guarantee complete compliance with the law.
For example, if our company asks customers for their email addresses to send them special offers, we are handling their personal data and we must comply with what the DPA 2018 says.
If a UK company has dealings with countries within the European Union, they must also comply with the EU General Data Protection Regulation when handling the personal data of European citizens.
The 7 steps to implement data protection
If you’re not up to date with data protection, you’re late! Managing personal data should be one of your company’s priorities.
What do you need to do? Here are the seven key steps:
1. Draft an action plan
The GDPR requires a strategic action plan for implementing the law. All areas should be included.
2. Designate a Data Protection Officer
It is compulsory to have a designated Data Protection Officer within the company. Their role is to guarantee the company’s compliance with data protection legislation.
4. Reinforce security systems
It is also the company’s responsibility to implement processes to identify and resolve issues relating to personal data breaches.
5. Check supplier compliance
It’s important to make sure that any of your suppliers involved in data processing are also compliant with GDPR. Here, we’re talking about software or IT programs used regularly in the company, for example.
6. Data encryption
Companies must encrypt highly sensitive data to guarantee its security and, of course, to avoid data leaks.
7. Involve the whole organisation
Data protection affects many departments, so it is important to train and involve the whole organisation to achieve full compliance.
What are the penalties for violating the Data Protection Act?
The Information Commissioner’s Office oversees enforcement of the DPA and has the authority to impose monetary penalties for infringements. There are two categories, and the amount of the fine will depend on whether it comes under the higher maximum or standard maximum:
- Higher maximum: can apply to any failure to comply with any of the data protection principles and can be up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
- Standard maximum: applies to other provisions, such as administrative requirements of the legislation and can be up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The criteria for measuring the severity of penalties are as follows:
- The offence committed.
- Business volume of the offender.
- Degree of intentionality or negligence.
- Level of responsibility of the data controller or data processor.
- Whether it is a repeat offence.
- Category of personal data and volume of data that has been revealed.
- If they have notified or collaborated with the relevant authorities.
- Adherence to an approved code of conduct.
- Other factors, such as any financial benefits gained or losses avoided.
The grounds for a penalty and its amount can therefore vary depending on several factors. However, it is evident that the figures tend to be substantial.
How much does it cost to outsource data protection compliance?
Outsourcing data protection allows you to put your responsibilities in the hands of experts who can ensure your compliance with the law. However, it’s essential to make sure the provider is reliable and offers sufficient guarantees.
The cost of these services varies. Some companies charge a monthly fee, which can be around £60, while others charge a one-off annual amount up to £600.