UKGDPR Compliance

Try our GDPR Training for Free!

Start Now

Key Definitions

Personal Data

Within the context of data protection legislation, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Data Controller

Both these two terms (data controller and processor) are interdependent terms used frequently within data protection literature and refer to discrete roles that are fulfilled in the data journey. To understand whether you are a controller or processor you are required to consider your role and responsibilities in relation to your data processing activities.

Controllers assume the highest level of compliance responsibility and are the main decision makers. Exercising overall control over the purposes and means of the processing of personal data.

Controllers in the UK must pay the data protection fee, unless exempt.

Data Processor

This term refers to the party or organisation responsible for performing ‘processes’ (operations) upon personal data or data sets. This includes both manual and automated processing.

According to information provided by the ICO, if you do not have any purpose of your own for processing data, and only act on a client’s instructions, you are likely to be a processor – “ even if you make some technical decisions about how you process the data.”

Processors do not have the same obligations as controllers under the GDPR and do not have to pay a data protection fee.

How Does GDPR Apply to Me?

Though what is GDPR compliance in the UK? could be considered a complicated question, put simply, data protection applies to any information kept on staff, customers or account holders and will likely inform many elements of an organisation’s operations, from recruitment, managing staff records, marketing or even the collection of CCTV footage.

Depending on the types of processing, storage or transportation your organisation enacts upon personal data, at least some methods of encryption, segmentation and pseudonymisation will likely need to be applied, as failure to do so may result in a breach of personal data.

At the heart of the legislation are the Seven Principles of Data Protection. Principles which provide general guidance regarding the obligations and responsibilities under the GDPR.

The Seven Principles of the Data Protection Act

1. Lawfulness, fairness and transparency

Data must be processed lawfully, fairly and transparently. Data subjects must be able to easily understand what they are giving consent to, and that data is processed in a lawful manner.

2. Purpose limitation

The stated purposes for data collection must not be extended after the fact. processing for public interest, scientific or historical research or for statistical purposes is not necessarily considered ‘incompatible’ with this right.

3. Data minimisation

Organisations must limit the collection of data to the minimum needed for the intended and stated purpose.

4. Accuracy

Organisations are obliged to go to reasonable lengths the keep personal data as accurate as possible. Should it be known that information is not accurate and cannot be corrected or rectified, then that data must be deleted.

5. Storage limitation

Data should not be kept for an indefinite period. Once data is no longer needed for the intended reason, then it should no longer be kept. Once again, there are provisions allowing prolonged retention for some purposes (scientific, statistical etc.).

6. Integrity and confidentiality

Organisations must take appropriate measures to ensure the security of personal data and protect against the possibility of a data breach, in the form of both technical and organisational measures.

7. Accountability

Absent from the DPA 1998, the accountability principle places the responsibility of data protection directly upon organisations handling personal data. Not only are organisations responsible for compliance, but also for the documentation of said compliance.