If you are an organisation in the United Kingdom (UK) involved in the collection of customer data, you may have come across the term General Data Protection Regulation (GDPR). GDPR is acknowledged as the most significant data protection regulation within the European Union (EU), with a key focus on transforming the way organisations of all sizes manage personal data.
Complying with GDPR is essential for all organisations, not only for the reputational benefits but also to ensure that the risk of non-compliance, which carries penalties and fines, is mitigated and avoided.
In this blog, we will help you understand the A - Z of what GDPR entails and the guidelines for keeping your organisation compliant in the management and safeguarding of personal data.
In this blog post, we'll cover:
- GDPR terms and definitions
- What is UK GDPR?
- What does it mean to be GDPR compliant?
- What are the GDPR rights of data subjects?
- What are the types of organisations that GDPR applies to?
- What kind of data does GDPR apply to?
- What are the principles of GDPR and what they expect you to do?
- What are the effects of GDPR breaches?
- What steps should be taken to comply with GDPR?
- How does GDPR affect small businesses?
- How can DataGuard help you become GDPR compliant?
GDPR terms and definitions
Before diving into what GDPR and compliance with it entail, here are some general GDPR terms and definitions that will be helpful as you read this article.
| Terminology | Definition |
|---|---|
| Data Subject | A natural person whose personal data is processed by a Data Controller or Data Processor. |
| Data Controller | An individual or organisation that determines the purposes and means by which personal data is processed. |
| Data Processor | An individual or organisation that processes personal data on behalf of a Data Controller. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, etc. |
| Data Protection Impact Assessment | A process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible. |
| Data Protection Officer | The primary role of the DPO is to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules. |
| Obtaining Consent | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies agreement to the processing of personal data relating to him or her. |
| Security Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Principles | The fundamental principles embedded within the GDPR which set out the main responsibilities for organisations. |
| Personal Data | Any information relating to an identified or identifiable natural person ('data subject'). |
What is UK GDPR?
The UK GDPR, now known as the Data Protection Act 2018 (DPA), is a legislative framework that establishes rules for the gathering and processing of personal information for anyone within the UK. The DPA came into effect after Brexit, when the UK adopted GDPR regulations following its departure from the EU. The DPA mirrors the EU GDPR and applies similar data protection regulations to anyone within the UK, with a few exceptions.
UK GDPR applies to all organisations based in the UK, and it equally applies to organisations outside the UK that have business transactions and dealings within the UK. Similarly, the EU GDPR applies to any organisation that has business transactions and dealings within the EU and any of its territories. Collectively, these will be referred to as GDPR in this article.
GDPR outlines 7 fundamental principles. Organisations should align any policies on the management of personal data with these principles to ensure continuous compliance with GDPR requirements.
These principles uphold individual rights under GDPR in relation to the management and safeguarding of individuals' personal data.
Individual rights under GDPR require consent before any of an individual's personal data is collected or processed. GDPR prohibits the collection or handling of an individual's personal data without consent. There are consequences for non-compliance, including punitive measures such as penalties and fines.
What does it mean to be GDPR compliant?
There are clear benefits for ensuring that your organisation is compliant with requirements under GDPR. The following are a few reasons why your organisation should ensure that it is GDPR compliant:
- It allows your business to operate in a clear legal environment - Complying with GDPR allows organisations to not only avoid penalties and fines, but also build brand value through trust, transparency and proper utilisation of data.
- It enhances trust and credibility - Existing customers value trust and consistency in any organisation, plus, it is an attractive incentive for new customers.
- You can better understand your customers - With guidelines under GDPR, your sales and marketing teams can have a targeted approach with a compliant list of those they can contact in relation to products and/or services.
- Business process automation becomes easier - When implementing GDPR guidelines, organisations begin to better understand their processes, including areas for improvement. This allows for an easier approach to process automation.
- Provides a better understanding of data collected - Understanding GDPR compliance requires a gap analysis audit. This audit entails analysing the type of data collected, its quantity, purpose and use. It provides you with a framework for understanding your data profile and thus improving data management.
While the benefits of GDPR compliance are important considerations, the legal rights of your data subjects must also be understood and adhered to.
What are the GDPR rights of data subjects?
GDPR guarantees data subjects 8 fundamental rights, including the right to withdraw consent. These rights provide data subjects with an element of control in relation to their personal data. The data subject rights are as follows:
- Right to Withdraw Consent - Data subjects can withdraw previously given consent to process their data.
- Right to be Informed - Data subjects must be provided with any information regarding the processing of their personal data.
- Right to Access - Data subjects have the right to request confirmation of whether their data is being processed and for what purpose.
- Right to Rectification - Data subjects have the right to request the rectification of inaccurate personal data.
- Right to be Forgotten - Data subjects may request the erasure of their personal data without delay.
- Right to Restrict Processing - Data subjects have the right to request the restriction of personal data if it is inaccurate, unlawful, not needed or pending verification of legitimacy.
- Right to Data Portability - Data subjects have the right to ask for their data to be provided to them or transferred to another controller.
- Right to Object - Data subjects have the right to object to the processing of their personal information.
- Right to Object to Automated Processing - Data subjects have the right not to be subject to decisions solely based on automated processing or profiling.
What are the types of organisations that GDPR applies to?
The scope of GDPR includes all organisations of all sizes that handle or manage personal data. To understand this further, these data handling organisations are categorised into ‘Processors’ and ‘Controllers’.
GDPR defines a Controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data”. In other words, controllers make decisions about processing activities. They have overall control over the personal data being used and are ultimately in charge of and responsible for processing that data.
A Processor is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller". A Processor will only process information in line with the instructions given by a Controller.
Now that you have an understanding of data handlers, let us take a look at what the data in question is.
What kind of data does GDPR apply to?
GDPR applies to personal data of natural persons — meaning people, not legal entities like corporations and non-profit organisations. Personal data in the context of GDPR means any information relating to a natural person. The following are some examples of personal data:
- Basic Information such as name, address, email, or phone number
- Web data including location, IP address, cookies, and RFID tags
- Health and Genetic information
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual Orientation
What are the principles of GDPR, and what do they expect you to do?
GDPR establishes seven principles that are meant to guide enterprises in their handling of personal data. These are designed to serve as a framework for explaining the regulation's objective. The seven principles are:
- Lawfulness, fairness and transparency - By providing clear and concise explanations, data subjects can better understand how their information will be used and how their privacy is protected.
- Purpose limitation - Data can only be used for the purposes for which it was originally revealed to the data subject and cannot be used for any other purposes.
- Data minimisation - Personal data should only be used in accordance with a company's or individual's stated purpose, and no more.
- Accuracy - The data you are gathering about your data subjects must be accurate at all times. Keeping it accurate ensures that the data you are using genuinely relates to the subject and that your interactions with the data subject are conducted in a professional manner.
- Storage limitation - Make sure your consumer understands how long their data is being stored and how it is erased once it is used for its intended purpose.
- Integrity and confidentiality - Data should only be processed if it is absolutely necessary. Personnel with a genuine need for the data should be granted access to the files.
- Accountability - Anyone who is handling data needs to be properly trained and fully aware of exactly what GDPR compliance means.
What are the effects of GDPR breaches?
Non-compliance with GDPR can be costly. The maximum fine that can be imposed for infringements is €20 million (about £18 million) or 4% of annual global turnover, whichever is greater.
These fines are designed to be effective, proportionate and dissuasive. In short, to act as deterrents for organisations and to ensure compliance with GDPR.
What steps should be taken to comply with GDPR?
Now that we have covered the definition of personal data, the principles governing GDPR, and the magnitude of fines for infractions, let us take a look at a practical roadmap to assist your organisation in becoming GDPR compliant. Here are the most important steps:
Step 1: Create an actionable plan - To successfully apply data protection principles and preserve data subject rights, GDPR recommends the implementation of suitable technological and organisational measures. This is referred to as "data protection by design and default." This means that you must incorporate data security into your processing operations and business practices beginning with the design stage and continuing through the full data processing lifetime. The principles of GDPR can help you create this plan.
Step 2: Generate a processing register - GDPR requires entities to keep records of their processing actions and to keep such documents up to date. Data mapping covers the operational process of creating and maintaining a centralised inventory of the organisation's data flows.
Step 3: Conduct a Data Protection Impact Assessment (DPIA) - If a processing activity poses a significant risk to individuals' personal data, Controllers must complete a Data Protection Impact Assessment (DPIA).
Step 4: Build a framework for consent management - GDPR raises the bar for enterprises that rely on consent to process personal data. If you want people to give their consent to your use of their personal information, your disclosures should be concise and easy to understand, and consent should be straightforward to withdraw. Organisations must also be able to provide proof of consent in a variety of ways.
Step 5: Review and remedy processor risks - Controllers are held liable for the Processor's acts or breaches under GDPR. Data transfers and contractual commitments must be examined with the same level of care as internal processing operations in order to adequately mitigate this risk.
Step 6: Implement GDPR compliance training - GDPR requires an appointment of a Data Protection Officer to oversee an organisation's adherence to the regulation, which includes educating and training employees. There should be initial and refresher training provided to employees by their employers. Additionally, there should be a system in place to keep track of the training in order to prove compliance.
Step 7: Appoint a Data Protection Officer (DPO) - The Data Protection Officer is responsible for ensuring that their organisation is compliant with GDPR and serving as the link between the employees and the members of the public who may find their information used and processed by the organisation. For more information, read our article on everything you need to know about appointing a data protection officer.
How does GDPR affect small businesses?
If your business has fewer than 250 employees but still processes personal or sensitive data regularly, you must be GDPR compliant. Small businesses rely heavily on marketing and getting information about their business out to the public. Promotions and personal contact require access to personal information, hence the need for consent and overall compliance with the requirements of GDPR.
Large organisations have access to extensive resources to contract support with GDPR compliance, whether through internal hires or outsourcing. Smaller businesses, even with limited resources, can still achieve GDPR compliance by:
- Creating consent policies to acquire user data - If this task is too large an undertaking for you as a small business owner, consider hiring third-party contractors who are readily available.
- Knowing how data is collected within your business - Find out the types of data collected in your business and what that data is used for. This builds transparency and allows you to gain the trust of your data subjects.
- Identifying potential security issues and fixing them - Security breaches are a common threat for any business, so it is best that you identify such issues and take remedial action as early as possible.
If you want to learn more, read our articles below to understand how GDPR affects small businesses; there are also articles with sector-specific guidance.
- GDPR for small businesses
- GDPR for charities
- GDPR for schools
- GDPR for recruitment agencies
- GDPR for small clubs and societies
How can DataGuard help you become GDPR compliant?
Every year, the gap between the resources your company has to manage external compliance obligations and what those obligations demand becomes more challenging. In order to ease this burden and position your firm for success, DataGuard offers a suite of solutions including Privacy-as-a-Service and Consent and Preference Management.
With the support of our GDPR experts, you can look beyond compliance issues with minimum impact on your everyday operations. Get the help you need to tackle complex GDPR compliance requirements. You can also rely on our GDPR experts for industry-specific advice.
Are there still some questions that you would like answered? Feel free to contact one of our GDPR experts.