GDPR first came into force back in 2018, but with the confusion surrounding Brexit, some businesses have been left wondering whether they’re still bound by the legislation.
Initial GDPR rules may have been drafted and passed by the European Union, but UK GDPR – which mirrors the EU version – became UK law on the 1st January 2021.
While changes are minimal, it may be necessary to amend certain documentation to reflect the UK as independent of the EU; such documentation may include privacy notices, data subject access requests, data protection impact assessments, and data flow documentation.
If you’re unsure of whether GDPR applies to you – irrespective of Brexit – you’ll find some useful guidance below.
GDPR applies to you
Many businesses assume that GDPR will not apply to them. Don’t make this mistake – the regulation is massive in scope and is aimed at all businesses. It’s not just for organisations that process large volumes of personal data; if you process data (which according to the regulation, you probably do), it applies.
The regulation acknowledges that businesses with fewer than 250 employees pose a smaller risk to data security. However, small and medium-sized enterprises (SMEs) are still obligated to comply.
In short, you need to comply if:
- Your company captures, stores, or otherwise processes personal data in the UK, regardless of where the individual is from. So, if someone from South Africa provided you with their personal data and it is captured, stored or otherwise processed in the UK, then it is subject to the requirements of GDPR.
So as a business you need to get on board. Let’s see what data you hold.
What is personal data?
Firstly, understand exactly what ‘personal data’ you hold. The GDPR’s definition is broad and encompasses a wide range of information and categories. It includes any information relating to an individual who, by reference to an identifier, can be directly or indirectly identified.
So what does this mean?
There is the instantly recognisable personal data that most people are familiar with, such as passport or driving license information, your contact details, etc. These are pieces of information that relate directly to you and are classed as Personally Identifiable Information or PII.
Then there is less obvious data, such as: ‘The young girl with brown hair and green eyes who drives a red Ford Fiesta and works in the accounts department at ABC solicitors’. This is still personal data and it matters, because it can be used to indirectly derive someone’s identity.
On top of this, the regulation identifies special categories of personal data that require special treatment to ensure better protection. These categories are classed as having a higher degree of sensitivity, with a higher risk of harm or distress if inadvertently processed or disclosed.
Special categories of personal data:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Processing of genetic data or biometric data
- Health or data concerning a person’s sex life or sexual orientation
Now you should have a clearer understanding of what types of personal data your business holds – the first step in your data discovery.
Audit your data
Next, you need to document the data you hold and where it came from. At the same time, identify why you have it and how you use it.
For example, are you tracking orders? Emailing previous customers?
Is the information shared with any third parties, such as product suppliers or delivery companies?
The audit is crucial for data transparency and will help you throughout the GDPR process.
| Data held | Data source | Reason for data | How you use it |
| --- | --- | --- | --- |
| Customer address | Customer online order | Logistics – to deliver order | Shared with 3rd party delivery company |
| Customer email address | Website opt-in registration | Marketing – to communicate with customers | Stored by 3rd party email service provider |
Once you have a clear idea of the data you hold and why, you need to understand whether you should be applying new rules for storing and processing data. This will help you to define clear policies for data compliance, as well as what to do if someone makes an information request or if there is a data breach.
Are you a Data Controller or a Data Processor?
GDPR distinguishes two roles: data ‘controllers’ and data ‘processors’. A controller decides how and why personal data is collected, stored and processed by your business. If you are a Data Controller, GDPR places obligations on you (your business) to ensure that your contracts with processors and/or suppliers meet the terms of GDPR.
As a Data Processor, you are responsible for processing the personal data on behalf of the Controller. This includes storing data on servers, handling addresses for logistics or email addresses for marketing. Processors have specific legal obligations to maintain records of personal data and processing activities and have legal liability if responsible for a data breach.
Often businesses are both Controllers and Processors, and it’s important to have policies in place that distinguish the two roles. Is your business part of a supply chain, or service related – for example, outsourced IT? You’ll have obligations as a processor on behalf of your customers, but you are also the controller of your own data.
If you use Data Processors, you are required to include specific requirements regarding the handling and security of personal data in your contractual arrangements with them.
There is lots of information about GDPR online and it can be confusing for businesses to know exactly what to do to achieve compliance.
Remember, GDPR is designed to give all of us more control over our personal data. The Regulations serve to unify laws and make them ‘fit for a digital world’. For businesses, this also means embracing a spirit of clear and transparent data policies.
There are millions of UK businesses affected by the Regulations across a variety of sectors. These businesses all collect different data, from different customers in different ways for different reasons.
You know your business best. Use PRISM to work through the compliance process; by working rationally you can complete the required steps for GDPR and implement systems to ensure ongoing compliance.