If you’re still not sure what you need to do to comply with data protection law, it’s time to get to grips with the rules. All businesses use personal information in one way or another, and to do this we are required to comply with current legislation.
Here we explain the relevant rules for the UK, what they are for and how to comply with them.
What is data protection for?
Until a few years ago, the Data Protection Act of 1998 regulated the handling of personal data in the UK; however, this was replaced by the European Union’s General Data Protection Regulation (GDPR) when it came into force in 2018. Since 1st Jan 2021, when the UK officially left the European Union, the UK has had its own version of the regulations, the UK GDPR, which is based on the EU framework with certain alterations for the UK context.
All these laws share the same aim of protecting fundamental human rights and freedoms, regulating the handling of personal data, and increasing data security.
The objectives are therefore as follows:
- Protect UK and European citizens and give them control over their personal data.
- Reinforce the rights of the individual to access, erase or modify their personal data when they so wish.
- In Europe, to standardise data protection rules across the continent.
Data Protection Regulations
As we’ve already seen, the GDPR came into force in 2018 as a new legal framework agreed by the countries that make up the European Union. Compliance is also compulsory for anyone who sells goods or services in these territories. Its scope is unprecedented.
One of the unique points of the GDPR is that it awards people more rights. In a nutshell, they must give their explicit consent for the transfer and use of their data and can modify or erase this whenever they want.
In the UK, the Data Protection Act of 2018 (DPA 2018) sits alongside and supplements the UK GDPR, defining how the UK implements the GDPR and setting out exemptions, for example. The Data Protection Act follows six data protection principles, which state that information must be:
- Used fairly, lawfully, and transparently.
- Used for specified, explicit purposes.
- Used in a way that is adequate, relevant, and limited to only what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary.
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.
Who does data protection affect?
All companies must comply with the 2018 Data Protection Act. In other words, all UK organisations, both public and private, that collect and use personal data need to incorporate data protection into their policies.
For example, if our company asks customers for their email addresses to send them special offers, we are handling their personal data and we must comply with what the DPA 2018 says.
If a UK company has dealings with countries within the European Union, they must also comply with the EU General Data Protection Regulation when handling the personal data of European citizens.
The 7 steps to implement data protection
If you’re not up to date with data protection, you’re late! Managing personal data should be one of your company’s priorities.
What do you need to do? Here are the seven key steps:
1. Draft an action plan
The GDPR requires a strategic action plan for implementing the law. All areas of the business should be included.
2. Designate a Data Protection Officer
It is compulsory to have a designated Data Protection Officer within the company. Their role is to guarantee the company’s compliance with data protection legislation.
4. Reinforce security systems
It is also the company’s responsibility to implement processes to identify and resolve issues relating to personal data breaches.
5. Check supplier compliance
It’s important to make sure that any of your suppliers involved in data processing are also compliant with GDPR. Here, we’re talking about software or IT programs used regularly in the company, for example.
6. Data encryption
Companies must encrypt highly sensitive data to guarantee its security and, of course, avoid data leaks.
7. Involve the whole organisation
Data protection affects many departments, so it is important to train and involve the whole organisation to achieve full compliance.
What are the penalties for violating the Data Protection Act?
The Information Commissioner’s Office oversees enforcement of the DPA and has the authority to impose monetary penalties for infringements. There are two categories, and the amount of the fine will depend on whether it comes under the higher maximum or standard maximum:
- Higher maximum: can apply to any failure to comply with any of the data protection principles and can be up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
- Standard maximum: applies to other provisions, such as administrative requirements of the legislation and can be up to £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
How much does it cost to outsource data protection compliance?
Outsourcing data protection allows you to put your responsibilities in the hands of experts who can ensure your compliance with the law. However, it’s essential to make sure the provider is reliable and offers sufficient guarantees.
The cost of these services varies. Some companies charge a monthly fee, which can be around £60, while others charge a one-off annual amount up to £600.