Common Questions for Data Protection…

If you gather, store and use people’s data, you must comply with legislation, such as UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 and e-privacy laws. In terms of a company’s compliance with GDPR, this applies to organisations engaged in ‘professional or commercial activity’.

If you are the owner of a smaller business with fewer than 250 employees, there is a less onerous requirement for processing records but this does not mean you are exempt from other parts of the legislation.

If you’re not sure about which parts of GDPR apply to your company, please get in touch and we can guide you in the right direction.

How can Compliance and Privacy Solutions help?

We will carry out an assessment to find out what is required, which means getting a good understanding of what type of data is being processed and for what purpose. Whilst all of the GDPR applies to all organisations, the risk posed to the data subjects (the individuals) by the organisation, generally drives the proportionality of the measures required.

We conduct gap analysis to determine the size of the requirement. We can then provide practical support to close the gaps, such as policy drafting and record creation.

With GDPR compliance in the UK, as with other countries covered by the legislation, you essentially have two roles as a data controller:

1. Comply with all data protection principles
2. Demonstrate your compliance with data protection principles

Some organisations have a Data Protection Officer, or DPO, to support you in fulfilling these duties. If yours is a smaller company, the role of DPO may be incorporated into a team member’s role. For some organisations, such as a public authority, the appointment of a DPO is mandatory.

The DPO will help ensure the data your organisation holds and processes is in compliance with GDPR.

As a rule of thumb, you should be keeping information about someone for ‘no longer than is necessary’. Storage limitation is a key principle of data protection in the UK. For example, you shouldn’t keep hold of data about a staff member indefinitely after they have left your company. Retaining data must be for a legitimate purpose and held for a defined period of time.

Also, digital archives are not exempt from GDPR. If an archive includes information that meets the GDPR definition for personal data (that is, data on an identified or identifiable living person), then this archive is also covered by the rules.

You are permitted to hold on to personal data for longer if you are retaining it for public interest archiving, scientific or historical research, or statistical purposes.

If you are not sure whether you are exempt from storage limitations on data, please give us a call.

For GDPR compliance for UK companies, the Information Commissioner’s Office (ICO) provides a handy checklist. You will comply with GDPR laws on storing data if you

• know what personal data you hold and why you need it
• carefully consider and can justify how long you keep personal data
• have a policy with standard retention periods where possible, in line with documentation obligations
• regularly review your information and erase or anonymise personal data when you no longer need it
• have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’
• clearly identify any personal data that you need to keep for public interest archiving, scientific or historical research, or statistical purposes

Many organisations do not fit the criteria for a mandatory appointment of a Data Protection Officer (DPO). However, a good deal of companies see the DPO as an investment, providing an edge when engaging with prospects and clients. 

A DPO can only be appointed by virtue of their expert knowledge of the law and ability to act objectively and independently (this is why managing directors and CEOs cannot be DPOs – there is a conflict of interest).

You could decide to appoint a company, such as Compliance and Privacy Solutions, to become your DPO. This can be much more cost effective than hiring an individual full-time or multi-tasking an existing member of staff.

Contact us to find out more about our DPO service.

UK GDPR companies compliance applies to two groups: controllers and processors.

A controller determines the purposes and means of processing personal data. So, when you are a data controller, you do the following

• decide to collect or process the personal data
• decide what the purpose or outcome of the processing is to be
• decide what personal data should be collected
• decide which individuals to collect personal data about
• obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
• process the personal data as a result of a contract between you and the data subject
• employ the data subjects
• make decisions about the individuals concerned as part of or as a result of the processing
• exercise professional judgement in the processing of the personal data
• have a direct relationship with the data subjects
• have complete autonomy as to how the personal data is processed
• appoint processors to process the personal data on your behalf

Data controllers have the highest level of responsibility with GDPR compliance, and must comply with, and demonstrate compliance with, all data protection principles and UK GDPR requirements.

A processor is in charge of processing personal data on behalf of the controller. If you are a processor, you will

• follow instructions from someone else regarding the processing of personal data
• be given the personal data by a customer or similar third party, or told what data to collect
• make some decisions on how data is processed, but implement these decisions under a contract with someone else

As a processor, you will not

• decide to collect personal data from individuals
• decide what personal data should be collected from individuals
• decide the lawful basis for the use of that data
• decide what purpose or purposes the data will be used for
• decide whether to disclose the data, or to whom
• decide how long to retain the data
• be interested in the end result of the processing

With UK GDPR, processors do not have entirely the same obligations as controllers, but they have a number of direct obligations of their own under the laws.

Get in touch with the CaPS team to find out more about your responsibilities under UK GDPR legislation.

UK GDPR applies to the control and processing of personal data and here are a few pointers on what this means

• personal data is information that relates to an identified or identifiable individual
• information could be something simple, such as a name or phone number
• if an individual is identified or identifiable from your information, it is not personal data if it doesn’t relate to the individual
• information that has had ‘identifiers’ removed or replaced to pseudonymise the data, it is still personal data under UK GDPR
• information that is truly anonymous is not covered by UK GDPR
• information about a deceased person does not constitute personal data and is not subject to the UK GDPR
• information about companies or other organisations is not personal data

Without the necessary checks, problems can arise when different organisations process the same data for different purposes.

UK GDPR has seven key principles that form the basis for this country’s data protection regime. They are

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)

It is important that you understand and act upon each principle if you are to comply with UK data protections laws. Exceptions to these principles are very limited, and failure to comply with them can result in large fines. As a Data Controller, you must also demonstrate your Accountability for compliance with the UK GDPR.

If you gather and use information about individuals for any reason other than your own personal, family or household purposes, then you need to comply with UK GDPR and data protection laws.

The UK data protection regime is set out in the UK GDPR and Data Protection Act 2018 and the rules are enforced by the Information Commissioner’s Office (ICO).

In short, the Act sets out the UK’s data protection framework alongside UK GDPR, and it contains three separate data protection regimes

• a general processing regime (UK GDPR)
• regime for law enforcement authorities
• regime for the three intelligence services

What you need to do to comply will depend on your responsibilities. A controller is a person or organisation that decides how and why to collect and use the data. A processor is a separate person or organisation that processes the data on behalf of the controller.

It is likely that your company or organisation will do both, control and process data. If this is the case, you must comply and demonstrate compliance with two sets of responsibilities.

In the UK, the Information Commissioner can issue a fine for a GDPR data protection breach, and the level is decided on a case-by-case basis. There are two tiers of penalty

• higher maximum – £17.5 million or 4% of the total annual worldwide turnover the preceding financial year, whichever is higher
• standard maximum – £8.7 million of 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher

In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles. The standard maximum applies when there is an infringement of other provisions, such as administrative requirements of the legislation.

Large fines for data breaches are not uncommon and can have a significant impact on a company or organisation. This is why investment in compliance with UK GDPR laws should be an important mitigation in your management of organisational risks.

Under UK GDPR law, you must appoint a DPO if

• you are a public authority or body (except for courts acting in a judicial capacity)
• your core activities need large scale, regular and systematic monitoring of individuals, such as online behaviour tracking
• your core activities involve large-scale processing of special categories of data or data relating to criminal conditions and offences

Whether you fit this criteria or not, you do need to make sure that your company or organisation has sufficient staff and resources to comply with GDPR laws. This duty is why companies will often outsource the DPO role.

Appointing experts such as CaPS ensures you have the capacity and expertise for GDPR compliance.