New Data Security Regulations UK Businesses Must Follow

The UK government has introduced new data protection laws that all businesses operating in the UK must comply with. These regulations aim to strengthen data security and give individuals more control over their personal information. As a business owner or manager, it’s vital you understand your obligations under the new rules. In this article, I will provide an in-depth look at the key changes and how your business can ensure compliance.

The General Data Protection Regulation (GDPR)

The centrepiece of the new data protection regime is the General Data Protection Regulation (GDPR). This is an EU-wide regulation that came into effect in May 2018. The UK adopted the GDPR despite Brexit, as it provides a comprehensive framework for data protection.

Some key features of the GDPR include:

  • Expanded definition of personal data – The GDPR applies to any information that can directly or indirectly identify an individual. This is broader than under previous UK law and captures IP addresses, cookies, and more.

  • Increased territorial scope – The GDPR applies to all companies processing data of EU citizens, regardless of where the business is located. This has major implications for UK companies.

  • Tougher rules on consent – Companies must get explicit, affirmative consent from individuals to process their data. Pre-ticked boxes and implied consent are no longer acceptable.

  • Right to access – Individuals can request details on what data a company holds on them and how it is processed. Requests must be responded to within one month.

  • Breach notification – Companies must report data breaches to the ICO within 72 hours of discovery if the breach poses a risk to individuals’ rights and freedoms.

  • Significant penalties – Under the GDPR, the ICO can issue fines up to €20 million or 4% of global turnover, whichever is higher, for the most serious data breaches.

The UK Data Protection Act 2018

Alongside the GDPR, the UK passed the Data Protection Act 2018. This Act essentially incorporates the GDPR into UK law. It also includes exemptions where the UK has legislated domestically on areas of data protection.

Some notable provisions under the Data Protection Act 2018 include:

  • Age of consent for processing children’s data is set to 13 years.
  • Journalistic exemptions protect freedom of expression and media activities.
  • Exemptions for financial services firms to process sensitive data to detect fraud.
  • Provisions that permit security measures like CCTV and body cams.

Steps for Businesses to Ensure Compliance

To comply with the new data protection regime, UK businesses should take the following steps:

Appoint a Data Protection Officer

Under the GDPR, businesses that process large volumes of sensitive data must appoint a Data Protection Officer (DPO). This person is responsible for monitoring compliance, providing advice, and acting as a contact point for the ICO. Consider whether your business needs a dedicated DPO.

Audit Your Data

Conduct an audit to identify what personal data your company holds, where it came from, how you use it, who you share it with, and how long you keep it. Review your data flows and map out any risks or gaps in compliance.

Review Privacy Notices

Check the privacy notices and consent mechanisms used across your business. Make sure they clearly explain how you use personal data. Obtain fresh GDPR-compliant consent if needed.

Assess Lawful Basis for Processing

For each processing activity, identify the lawful basis under the GDPR. The main options are consent, contract, legal obligation, vital interests, or legitimate interests. Document your lawful basis and update privacy notices.

Implement Data Protection Policies

Put in place comprehensive policies that outline your obligations under the new regulations. Cover areas like data retention, breach reporting, international transfers, and individuals’ rights.

Strengthen Technical Security

Review the security measures used to protect personal data. Encrypt sensitive data, use pseudonymization where possible, and ensure you can restore availability and access in the event of a breach.

Prepare for Data Subject Requests

Update procedures to ensure your business can comply with requests for access or erasure within the one-month timeframe required under the GDPR. Identify where personal data is stored and how it can be retrieved.

Train Staff

Provide training to all staff handling personal data on the new data protection regime. Make sure everyone understands their responsibilities under the GDPR and Data Protection Act.

Maintain Records of Compliance

Document the steps you have taken to achieve GDPR compliance. This includes things like policies, consent forms, lawful bases for processing, records of breaches, and staff training.

Non-Compliance Carries Major Risks

Failure to comply with the strengthened data protection laws leaves businesses at risk of severe penalties. The ICO has already issued major fines under the GDPR, including:

  • British Airways – £20 million for a customer data breach
  • Marriott International – £18.4 million for a breach affecting 339 million guest records
  • Equifax – £500,000 for security vulnerabilities

Additionally, individuals can claim compensation for damages caused by non-compliant data handling. With data breaches on the rise, the risks for companies are substantial.

By understanding your obligations and implementing the necessary governance, security, and controls, your business can avoid falling foul of the new regulations. Review the steps outlined above and ensure your data practices align with the latest legal requirements. The investment will help safeguard your reputation with customers and avoid potentially ruinous fines.
