Businesses can lead the way in tackling economic crime
Money laundering and terrorist financing remain significant threats to the UK, its economy, stability, and the welfare of its citizens, as well as to people
If you gather, store and use people’s data, you must comply with legislation, such as UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 and e-privacy laws. In terms of a company’s compliance with GDPR, this applies to organisations engaged in ‘professional or commercial activity’.
If you are the owner of a smaller business with fewer than 250 employees, there is a less onerous requirement for processing records but this does not mean you are exempt from other parts of the legislation.
If you’re not sure about which parts of GDPR apply to your company, please get in touch and we can guide you in the right direction.
How can Compliance and Privacy Solutions help?
We will carry out an assessment to find out what is required, which means getting a good understanding of what type of data is being processed and for what purpose. Whilst all of the GDPR applies to all organisations, the risk posed to the data subjects (the individuals) by the organisation, generally drives the proportionality of the measures required.
We conduct gap analysis to determine the size of the requirement. We can then provide practical support to close the gaps, such as policy drafting and record creation.
With GDPR compliance in the UK, as with other countries covered by the legislation, you essentially have two roles as a data controller:
Some organisations have a Data Protection Officer, or DPO, to support you in fulfilling these duties. If yours is a smaller company, the role of DPO may be incorporated into a team member’s role. For some organisations, such as a public authority, the appointment of a DPO is mandatory.
The DPO will help ensure the data your organisation holds and processes is in compliance with GDPR.
As a rule of thumb, you should be keeping information about someone for ‘no longer than is necessary’. Storage limitation is a key principle of data protection in the UK. For example, you shouldn’t keep hold of data about a staff member indefinitely after they have left your company. Retaining data must be for a legitimate purpose and held for a defined period of time.
Also, digital archives are not exempt from GDPR. If an archive includes information that meets the GDPR definition for personal data (that is, data on an identified or identifiable living person), then this archive is also covered by the rules.
You are permitted to hold on to personal data for longer if you are retaining it for public interest archiving, scientific or historical research, or statistical purposes.
If you are not sure whether you are exempt from storage limitations on data, please give us a call.
For GDPR compliance for UK companies, the Information Commissioner’s Office (ICO) provides a handy checklist. You will comply with GDPR laws on storing data if you
Many organisations do not fit the criteria for a mandatory appointment of a Data Protection Officer (DPO). However, a good deal of companies see the DPO as an investment, providing an edge when engaging with prospects and clients.
A DPO can only be appointed by virtue of their expert knowledge of the law and ability to act objectively and independently (this is why managing directors and CEOs cannot be DPOs – there is a conflict of interest).
You could decide to appoint a company, such as Compliance and Privacy Solutions, to become your DPO. This can be much more cost effective than hiring an individual full-time or multi-tasking an existing member of staff.
Contact us to find out more about our DPO service.
UK GDPR companies compliance applies to two groups: controllers and processors.
A controller determines the purposes and means of processing personal data. So, when you are a data controller, you do the following
Data controllers have the highest level of responsibility with GDPR compliance, and must comply with, and demonstrate compliance with, all data protection principles and UK GDPR requirements.
A processor is in charge of processing personal data on behalf of the controller. If you are a processor, you will
As a processor, you will not
With UK GDPR, processors do not have entirely the same obligations as controllers, but they have a number of direct obligations of their own under the laws.
Get in touch with the CaPS team to find out more about your responsibilities under UK GDPR legislation.
UK GDPR applies to the control and processing of personal data and here are a few pointers on what this means
Without the necessary checks, problems can arise when different organisations process the same data for different purposes.
UK GDPR has seven key principles that form the basis for this country’s data protection regime. They are
It is important that you understand and act upon each principle if you are to comply with UK data protections laws. Exceptions to these principles are very limited, and failure to comply with them can result in large fines. As a Data Controller, you must also demonstrate your Accountability for compliance with the UK GDPR.
If you gather and use information about individuals for any reason other than your own personal, family or household purposes, then you need to comply with UK GDPR and data protection laws.
The UK data protection regime is set out in the UK GDPR and Data Protection Act 2018 and the rules are enforced by the Information Commissioner’s Office (ICO).
In short, the Act sets out the UK’s data protection framework alongside UK GDPR, and it contains three separate data protection regimes
What you need to do to comply will depend on your responsibilities. A controller is a person or organisation that decides how and why to collect and use the data. A processor is a separate person or organisation that processes the data on behalf of the controller.
It is likely that your company or organisation will do both, control and process data. If this is the case, you must comply and demonstrate compliance with two sets of responsibilities.
In the UK, the Information Commissioner can issue a fine for a GDPR data protection breach, and the level is decided on a case-by-case basis. There are two tiers of penalty
In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles. The standard maximum applies when there is an infringement of other provisions, such as administrative requirements of the legislation.
Large fines for data breaches are not uncommon and can have a significant impact on a company or organisation. This is why investment in compliance with UK GDPR laws should be an important mitigation in your management of organisational risks.
Under UK GDPR law, you must appoint a DPO if
Whether you fit this criteria or not, you do need to make sure that your company or organisation has sufficient staff and resources to comply with GDPR laws. This duty is why companies will often outsource the DPO role.
Appointing experts such as CaPS ensures you have the capacity and expertise for GDPR compliance.
Money laundering and terrorist financing remain significant threats to the UK, its economy, stability, and the welfare of its citizens, as well as to people
What is a ‘risk-based approach’ and how does it affect my business? Whether you operate as a sole trader or as part of a multinational
‘To Have or Have Not’ – The DPO Question Whilst many shy away from the legal, and sometimes scary, General Data Protection Regulation requirements, you
