What is UK GDPR?
We often hear of companies being in breach of GDPR, and how fines for GDPR breaches can be extremely costly. For many of us, there is some understanding of what this means and how it affects us. Many believe that GDPR went out the door when we left the EU, which it did in some ways. UK GDPR is the UK-specific version of the Europe-wide EU GDPR rules that became law in May 2018.
Fast forward to 2021: with the UK having left the EU, the UK no longer had the protection of the EU GDPR rules it was originally part of. To mitigate this, the UK government updated the Data Protection Act 2018 to ensure that personal information and data were still protected.
In this blog, we will explore this topic in detail to help ensure that your business, its staff, customers and suppliers can remain confident that their data is handled correctly and safely.
What does UK GDPR mean?
UK GDPR stands for UK General Data Protection Regulation and, much like its EU equivalent, is in place to protect the privacy rights of individuals, giving them more control over the use of their personal information. You’ve likely seen the cookie consent buttons pop up on websites – these are part of GDPR. You are given the right to accept or reject cookies, and therefore are accepting or rejecting the handling of some of your data.
In simple terms, UK GDPR regulates how businesses collect, store and use the personal data they collect. This could be wide-ranging, depending on the business you are in.
It may come as a surprise that this law applies to any business handling data of UK citizens, even if they are based abroad. This means that if you are based in the US yet handle data for UK citizens, you’ll need to be GDPR compliant.
Who needs to follow UK GDPR?
UK GDPR applies to any business that handles the data of UK citizens. Should a business do any of the following, they must ensure they follow GDPR rules:
- Collect, store, or process data of UK citizens
- Offer goods or services to UK citizens, even when the business is not based in the UK
The size of the business does not matter. If you process data, you will need to comply.
What counts as personal data for UK GDPR?
Mistakenly, some may consider personal data to only include names, addresses and dates of birth, but it extends much further than this.
Of course, an address, phone number or email address is seen as personal data, but the following also count as personal information:
- Any form of digital identifier such as a cookie or IP address
- Financial records
- Health records
- Anything deemed to be sensitive information
Information such as race, religion, sexuality and biometrics requires further protection and a legal basis to process. Handling this kind of information could also require a DPO; DPOs are covered later on.
What are the key principles of UK GDPR?
UK GDPR is built on six principles, which guide a business on how it should handle any personal data it acquires. Failing to adhere to even one principle could see a business fined considerable sums. Once we’ve covered all six principles, we will demonstrate the kind of fine you could risk facing if noncompliant:
- Lawfulness, fairness, and transparency: A business must be open about data practices and use data both fairly and lawfully
- Purpose limitation: The data must only be collected for its stated purpose and not be repurposed in any way unless consent is given
- Data minimisation: Only the data required for the service you provide must be collected. For example, an online store will need a name and address, but it won’t need health records or your previous addresses
- Accuracy: All data must be kept accurate and up to date as needed
- Storage limitation: Data should only be kept for as long as it is needed. UK GDPR does not state specific time limits as needs may vary per business
- Integrity and confidentiality: Data needs to be protected and free from risk of breaches or unauthorised access
How much can you be fined for breaching UK GDPR?
The fines for breaching UK GDPR can be substantial, and certainly enough to cause a business financial trouble. As it stands, serious breaches of UK GDPR principles can result in a business being fined up to £17.5 million or 4% of its annual turnover. In the UK, we have already seen fines of £20 million for British Airways, £12.7 million for TikTok, and even £500,000 for the Cabinet Office.
Of course, the fines won’t always be this high – the ICO will investigate the breach and assess how severe it is. If a business is actively showing it follows best practices but there has been some form of breach, the fine is likely to be much smaller than the fine faced by a business that shows a blatant disregard for following the rules.
How does UK GDPR work for individuals?
Anybody who submits their data has rights regarding that data, whether it’s for a purchase, a sign-up to a mailing list or joining a social media network. Businesses must enforce strict processes to ensure these rights are honoured and that breaches are unlikely.
Every individual has the right to:
- Be informed about data collection and use
- Access data a business holds about them
- Rectification if their data is incorrect or incomplete
- Erasure (also known as the “right to be forgotten”)
- Restrict processing of their data
- Data portability, allowing them to transfer their data
- Object to how data is processed, particularly for direct marketing
For example, if someone requests to see the data your business holds on them, you must provide it within one month.
How does a person give consent under UK GDPR?
As mentioned previously in reference to cookies, an individual must be given the option to consent to or reject the collection of their data. As a business, it is your responsibility to ensure that consent is freely given by your customers or staff. The option to give consent cannot be vague or lack specific information as to why data is being collected.
A clear option to consent and withdraw consent would be advisable, plus avoiding pre-ticked boxes is highly recommended. That way, the customer is fully in control of whether they provide specific data or not. Giving consent is particularly important in times when data is used beyond providing essential services.
Data Processors vs. Data Controllers
There are two key roles within data handling when it comes to UK GDPR – that of the data controller and that of the data processor. Who you are in relation to this will depend on what service you provide. Larger businesses may opt for data processors, especially when there are large volumes of data to handle. However, small businesses could decide it is a viable option if they don’t have a sufficient infrastructure in-house.
You will, in most cases, be a data controller. Even if you run a data processing business, the data controllers using your service are the ones who decide what data is captured and how it is processed.
The full definitions are below:
- Data Controller: The entity that decides the “what” and “how” of data processing (e.g. a business collecting customer data)
- Data Processor: A third party that processes data on behalf of the controller (e.g. a payroll service)
Controllers have the primary responsibility for ensuring GDPR compliance, but processors also have duties, including keeping data secure and reporting breaches promptly.
How can businesses remain compliant with UK GDPR?
Security is a critical part of GDPR. Businesses must take steps to protect personal data, including:
- Using encryption and access controls
- Training employees on data protection practices
- Regularly reviewing security measures
If a data breach occurs and there is a risk to someone’s rights or freedom, you must report it to the ICO (Information Commissioner’s Office) within 72 hours. Otherwise, the fines could be very high.
Getting UK GDPR right the first time
If you are setting up a new business and will be handling personal data, it is essential to consider data protection from the start. This could include:
- Building security into new systems
- Limiting the data you collect and keep
- Ensuring that the settings on websites or apps default to the highest privacy level
You should also review the guidance and resources provided by the ICO to ensure nothing is missed.
You should then also look at the following:
- Audit Your Data: Identify what data you collect, why, how it’s stored and for how long
- Update Privacy Policies: Clearly communicate data practices on your website and in any customer interactions
- Implement Security Measures: Use encryption, regular software updates and access controls
- Train Your Staff: Ensure employees understand GDPR basics and how to handle personal data
- Document Everything: Keep records of data processing activities, especially if there’s a breach or a request for data access
Paying a Data Protection Fee and appointing a DPO
In some cases, where your business handles personal data, you’ll have to pay the ICO a data protection fee. This will vary depending on the size of the business and what its role is, but a quick assessment is available on the ICO website. Fees start at £40 per year (£35 if paid via direct debit) and rise to £2,900 per year for large organisations with a turnover of more than £36 million and 250 or more employees. This fee allows the ICO to fund their work into ensuring UK GDPR compliance and investigating breaches that may arise.
Appointing a DPO (data protection officer) can help ensure you remain compliant. A DPO can be hired directly or outsourced to a third party, and will be responsible for overseeing the way your business handles data and follows the rules of UK GDPR. They will monitor compliance, advise on best practices, complete assessments on the data processing activities, train employees and liaise with the ICO where necessary.
Do I need a DPO?
It is mandatory for some businesses, but for others, it’s simply an option to help safeguard the business from inadvertent breaches. You must appoint a DPO if:
- You are a public body or authority
- Your core activities require large-scale and systematic monitoring of individuals
- Your core activities involve large-scale processing of special categories of data such as health, racial or ethnic origin, religious beliefs or past criminal indiscretions
If none of these apply, you are not obligated to hire a DPO but may still choose to for more stringent management of your GDPR obligations.
The storing of personal data must be secure and necessary. With no set time limits on how long you hold onto it, you may require specific safe storage to minimise the risk of breaches in the workplace. At Stockroom London, we provide robust business storage solutions that ensure your valued data is kept safe. With secure document shredding also provided, we can make sure data is destroyed compliantly when it needs to be. Contact us today to see how we can help you meet your GDPR requirements with safe storage of the data you are required to hold.