GDPR stands for ‘General Data Protection Regulation’. It came into force on May 25th 2018 for all European Union members, and with the risk of large fines, GDPR is a term that all businesses, large or small, should be aware of.
With the UK now outside of the EU, however, the application of GDPR has gotten a little murkier: does it still apply in the UK, and if so, what are the rules? Our friends at Lawbite have pulled together the facts and information that you need to know to ensure you don’t fall foul of the rules.
What is UK GDPR?
UK GDPR is the retained version of the EU General Data Protection Regulation 2016. Alongside UK GDPR there is the Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003 (“PECR”) that are applicable to UK-based businesses that process personal data.
What is Personal Data?
Personal data is any information that identifies a data subject (an individual in a personal or business capacity) directly or indirectly, including name, email address, postal address, user ID, IP address and others. If your business has customers, suppliers, business contacts, employees or freelancers and uses their contact and other personal details in the course of its business, it will be subject to the UK GDPR rules.
What are the penalties for non-compliance?
The penalties are very high: up to £17.5 million or 4% of the business' total annual worldwide turnover in the preceding financial year.
What is the Information Commissioner’s Office (“ICO”)?
The ICO is the UK’s independent authority responsible for upholding information rights. Every organisation that processes personal data as a data controller, unless it is exempt, is required to register with the ICO and pay a fee. The fee is currently between £40 and £60 per year for most organisations but can be up to £2,900.
Data Controller or Data Processor?
Most businesses act as both. You are likely to be a data controller where your business decides how and what personal data to collect, store and dispose of; this is normally in relation to data subject categories such as users, customers, employees, contractors, freelancers, suppliers and business contacts.
Your business will likely act as a data processor where customers or users share personal data with it in relation to their own employees, clients, contractors and other parties, and where those customers or users make the decisions about that personal data, with your business using the data only as far as it needs to in order to provide its goods or services.
What is necessary for compliance?
UK GDPR can be a document-heavy area, depending on the complexity of your business and how personal data is processed. Some “one-man band” companies may cover everything they need in a bespoke, detailed privacy policy, cookie policy and terms and conditions, whereas other businesses will likely need a number of documents, procedures and training sessions in order to show and record their compliance.
It would be usual for an organisation that is a data controller to have the following documents:
- record of data processing activities (use flowcharts)
- data protection policy
- data retention policy
- IT security policy
- privacy policy for website/ app
- terms and conditions for website/ business
- cookie policy
- privacy policy for employees
- data protection impact assessment(s) where necessary
- other potential documents, such as data breach policy, data subjects rights policy and others
Data processors, often including contractors, freelancers, service providers and similar parties that have access to personal data in the course of providing their services, need to have data processing agreements or data processing language in place with their customers.
Most of the above-mentioned documents are internal; user-facing documents typically include the website or app privacy policy, cookie policy, terms and conditions, consent language and marketing options.
Steps to demonstrate compliance include:
- privacy governance structure
- policies, documents and procedures
- implementation of technical and security measures
- training
- tests and audits to demonstrate compliance.
What are the lawful bases for processing?
There must be a lawful basis for processing personal data for each category of data and data subject, including:
- consent
- contract or taking pre-contractual steps
- legal obligation
- vital interests
- public task, or
- legitimate interests.
What rights do individuals have in relation to their personal data?
The individuals’ rights include the following:
- right to be informed about processing
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right in relation to automated decision making and profiling.
International Data Transfers
For transfers outside the European Economic Area (EEA) and the UK, use safeguards, including:
- transferring to countries that have adequacy decisions and are considered to offer protection similar to that within the EEA
- using Standard Contractual Clauses
- transferring when necessary for the performance of a contract
- transferring when necessary to establish, exercise or defend legal claims.
If your company is not established in the UK and does not have a branch or a subsidiary in the UK, you will need to appoint a UK data protection representative. The same applies in European countries.
Transfers of personal data to EU/EEA following Brexit
Adequacy decisions in relation to the UK – in June 2021 the EU (European Union) approved adequacy decisions for the UK under the EU GDPR and the Law Enforcement Directive, both expected to last until 27th June 2025. This means personal data can continue to flow between the UK and the EU/EEA (European Economic Area) as it did before.
The EU has new Standard Contractual Clauses for international transfers, as one of the options where additional safeguards are required for international personal data transfers, but they have not yet been approved by the UK ICO. The ICO conducted consultations between August 2021 and October 2021 on its draft International Data Transfer Agreement and its draft Addendum to the EU Standard Contractual Clauses, but there were no approved new versions as of 8 November 2021. In the meantime, it is advised that the previous versions of the EU Standard Contractual Clauses are used for international transfers that require additional safeguards, where it is decided that Standard Contractual Clauses are suitable (data transfers from the UK to any countries outside the EEA that do not have adequacy decisions in relation to them).
What is Crunch doing to ensure my data is protected?
At Crunch, we take GDPR really seriously and we have a range of safeguards and initiatives in place to ensure we’re fully compliant with GDPR. Our privacy policy confirms that we manage data according to GDPR, so that’s a tick in the box for you if you’re a Crunch client.
Need GDPR advice?
Our legal partner LawBite is here to help. They offer Crunch clients free legal consultations to help businesses identify exactly what they need to do for GDPR compliance. You can book your consultation via our Legal support webpage, or speak to your client manager.