A business must comply with the Data Protection Act 2018 and the UK GDPR.
This page describes the main features of data protection and how the rules may impact your business.
Data protection in the UK is governed by the retained EU law version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The Information Commissioner’s Office is the independent public body responsible for upholding information rights in the public interest. The law exists to ensure that data processing is lawful, fair and transparent, although some have argued that the current system requires draconian levels of compliance.
Data protection law is currently under reform: in September 2021 the Government published a consultation on proposals to reform the UK’s data protection regime, with the aim of reducing the burdens on businesses and delivering better outcomes for people. This will hopefully be promising news to those who have previous experience of the levels of data protection compliance and the number of hoops that must be jumped through in order to satisfy it.
Personal data: any information relating to a data subject. A data subject is the identified, or identifiable, person to whom the personal data relates. Personal data includes, among other things, personal details, financial details and contractual details (for example, goods and services provided to a data subject).
Processing: widely defined in the UK GDPR and covers, among other things, collecting, recording, storage, use and erasure or destruction of data. Just having the name of an identifiable individual on a database will amount to processing personal data.
Controller: a person (including a company) who determines the purposes and means of processing personal data. Most obligations under the UK GDPR fall on controllers.
Processor: a person who processes personal data on behalf of the controller. The UK GDPR introduces specific and separate duties for processors.
The key principles apply to both controllers and processors. These can be summarised as:
It is important to ensure that your business and you or your team have the necessary policies and procedures in place and keep sufficient records as required by law.
The Information Commissioner’s Office has published a guide called “The data protection fee: A guide for controllers”, which is helpful for understanding the different fee tiers that must be paid and the information that needs to be provided when paying a fee.
Additional methods to ensure compliance are to conduct a data protection audit, have a written data protection policy available to employees and staff and, if required, appoint a data protection officer.
If you would like any further information or assistance to ensure your compliance with data protection please contact a member of our Commercial and Privacy & Data teams.