Understanding the General Data Protection Regulation and UK Compliance

What is GDPR Compliance UK? The General Data Protection Act is a piece of European wide legislation introduced to help protect personal information and data collected across the region. Applicable to organisations, businesses and governments, the legislation was designed to address the constantly adapting landscape of technology and data collection.

GDPR Compliance UK

Introduced in 2016 and made enforceable in 2018, the act was adopted into UK law as The Data Protection Act. Consisting of data protection principles, rights, and obligations, the GDPR is far reaching in its breadth and applies to any organisation that holds or collects data pertaining to identifiable individuals, i.e. ‘data subjects’.

Key Definitions

Personal Data

Within the context of data protection legislation, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Data Controller

Both these two terms (data controller and processor) are interdependent terms used frequently within data protection literature and refer to discrete roles that are fulfilled in the data journey. To understand whether you are a controller or processor you are required to consider your role and responsibilities in relation to your data processing activities.

Controllers assume the highest level of compliance responsibility and are the main decision makers. Exercising overall control over the purposes and means of the processing of personal data.

Controllers in the UK must pay the data protection fee, unless exempt.

Data Processor

This term refers to the party or organisation responsible for performing ‘processes’ (operations) upon personal data or data sets. This includes both manual and automated processing.

According to information provided by the ICO, if you do not have any purpose of your own for processing data, and only act on a client’s instructions, you are likely to be a processor – “ even if you make some technical decisions about how you process the data.”

Processors do not have the same obligations as controllers under the GDPR and do not have to pay a data protection fee.

How Does GDPR Apply to Me?

Though what is GDPR compliance in the UK? could be considered a complicated question, put simply, data protection applies to any information kept on staff, customers or account holders and will likely inform many elements of an organisation’s operations, from recruitment, managing staff records, marketing or even the collection of CCTV footage.

Depending on the types of processing, storage or transportation your organisation enacts upon personal data, at least some methods of encryption, segmentation and pseudonymisation will likely need to be applied, as failure to do so may result in a breach of personal data.

At the heart of the legislation are the Seven Principles of Data Protection. Principles which provide general guidance regarding the obligations and responsibilities under the GDPR.

The Seven Principles of the Data Protection Act

  1. Lawfulness, fairness and transparency

Data must be processed lawfully, fairly and transparently. Data subjects must be able to easily understand what they are giving consent to, and that data is processed in a lawful manner.

  1. Purpose limitation

The stated purposes for data collection must not be extended after the fact. processing for public interest, scientific or historical research or for statistical purposes is not necessarily considered ‘incompatible’ with this right.

  1. Data minimisation

Organisations must limit the collection of data to the minimum needed for the intended and stated purpose.

  1. Accuracy

Organisations are obliged to go to reasonable lengths the keep personal data as accurate as possible. Should it be known that information is not accurate and cannot be corrected or rectified, then that data must be deleted.

  1. Storage limitation

Data should not be kept for an indefinite period. Once data is no longer needed for the intended reason, then it should no longer be kept. Once again, there are provisions allowing prolonged retention for some purposes (scientific, statistical etc.).

  1. Integrity and confidentiality

Organisations must take appropriate measures to ensure the security of personal data and protect against the possibility of a data breach, in the form of both technical and organisational measures.

  1. Accountability

Absent from the DPA 1998, the accountability principle places the responsibility of data protection directly upon organisations handling personal data. Not only are organisations responsible for compliance, but also for the documentation of said compliance. 

Who Enforces GDPR?

Across Europe, each state has their own official authorities which are responsible for the governance and enforcement of the data protection legislation. In the UK it is the Information Commissioner’s Office (ICO) that fulfils this role.

Responsible for providing advice, guidance, and investigating breaches of GDPR, the ICO is headed by the Information Commissioner Elizabeth Denham.

As the independent official responsible for enforcement, the Commissioner’s ‘mission’ is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”.

Since it is founding in 1984, the ICO’s role has grown significantly since the introduction of the GDPR, and is increasingly often involved in high profile cases, e.g. the 2018 investigation into social media giant Facebook.

Fines Under GDPR

Part of the ICO’s role is to hold accountable organisations who fail to meet the standards of GDPR. As such the ICO has the ability to levy fines far greater than previously possible.

Prior to the DPA, the maximum fine possible was £500,000, though since its introduction, the authority now has the ability to fine organisations up to 20 million Euros (the equivalent in GBP) or 4% of the given organisation’s total annual global turnover, whichever is greater.

At the time of its introduction, the Information Commissioner noted that the authority would not be looking to ‘make examples’ out of non-compliant organisations, though now, several years hence, there is little excuse for parties not to be compliant.