Data Protection & UK-GDPR
There are strict rules for how companies may process personal data. The purpose of the UK General Data Protection Regulation (UK-GDPR), and other data protection rules, is to protect personal data and the privacy of individuals.
The same requirements throughout the EU
Personal data is all information that can be linked to a living person, e.g. names, social security numbers, e-mail addresses, and pictures that contain people. The UK-GDPR requires that there must be a specific, legitimate purpose for processing the personal data and there must be a valid legal basis for processing the data.
There are common general data protection rules for the whole EU, but as a result of Brexit, a new domestic data protection law called the UK General Data Protection Regulation or "UK-GDPR" took effect on January 31, 2020. This, alongside the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (known as the "PECR"), governs the processing of personal data from individuals located inside the United Kingdom. The UK-GDPR is almost identical to the EU's GDPR, which means that companies that comply with the rules in one EU country are likely to comply with the rules in the UK.
Why is Data Protection & GDPR important?
Processing personal data incorrectly can be expensive. Companies that violate data protection legislation in the UK risk fines up to GBP 17.5 million, or four percent of the company's global annual turnover (although it is very rare for fines to be this large).
Commercially, it is also important to comply with, and be able to demonstrate that you have complied with, UK data protection regulations. Solid protection of personal data creates trust between companies and their customers, and suppliers and partners will expect (and often contractually require) that you meet certain criteria linked to data protection.
Finally, and perhaps most important of all: the protection of personal data is a human right that must be respected by both private companies and public actors.
What you need to do according to the Data Protection & UK-GDPR
UK-GDPR applies to a company as soon as it starts processing personal data by, for example, collecting or organising personal data. Regardless of how thorough your data protection policies are, you need to constantly assess and evaluate your processing of personal data so that you can identify potential shortcomings and improve accordingly. It is important to remember that compliance with the UK-GDPR is not a one-off effort, but an ongoing process of improvement that requires you to keep track of your previous assessments.
You will need to:
- Map out what personal data you process in your business (for example, if you have a customer list with names, e-mail addresses, or card details).
- Document how you process personal data (for example, do you send newsletters via e-mail?).
- Examine what lawful basis you have for any processing of personal data (for example, do you process the data in accordance with an agreement?).
- Avoid providing insufficient information when collecting personal data - an example of this is asking a person to consent to the processing of their data without informing that person why their data is being collected. This risks the resulting consent being invalid.
- Avoid processing personal data for longer than is necessary to fulfill the purpose - review your processing activities and set up routines for deleting personal data that is no longer required.
PocketLaw helps you build a better business
Do you feel overwhelmed, or do not know where to start? Don't worry, we are here to help you with your Data Protection and UK-GDPR compliance. PocketLaw offers a platform with legal documents, guidance and a clever contract management system, as well as personal legal advice. All the legal support you need to grow your business and drive it forward.