The General Data Protection Regulation received a huge amount of attention when it came in on 25th May 2018. It also caused much last-minute confusion.
Because it applied to all businesses throughout the European Union, UK companies had to comply.
Fast forward to 2022…
The Brexit transition period ended in 2020 and we’re no longer an EU member. Should UK businesses still comply with GDPR today?
It’s a fair question. GDPR was an EU law, so it’s no longer applicable in the UK, right?
The answer is more complex than a simple ‘yes’ or ‘no’.
Does GDPR apply to my business?
Whether you’re an SME or a large organisation, UK GDPR applies to you. If you hold individuals’ personal data – whether you use it or not – you must comply with GDPR.
When EU GDPR came into force, this realisation led many businesses to destroy vast amounts of data. Confused by their obligations, some felt it was better to be safe than sorry.
And that’s not surprising, given the hefty fines we saw slapped on well-known brands. In fact, the maximum fine for a breach of personal data under GDPR is 4% of the last 12 months’ global turnover.
For example, take TalkTalk’s much-discussed 2016 fine of £400,000. This was imposed – prior to GDPR becoming law – due to security mistakes that allowed hackers to access customer data. Under GDPR, the fine would have been a staggering £59m.
Whilst rumours suggested businesses with fewer than 250 employees didn’t need to bother with GDPR, that was simply not the case.
We contacted the Information Commissioner’s Office (ICO) ourselves to clarify which businesses must comply with GDPR. This was their response:
“The GDPR applies to all organisations processing personal data. There are certain provisions that are engaged by different kinds of processing/scales of processing, but no exemptions based on organisation size.”
(Web chat with ICO, 21 July 2017)
What constitutes ‘personal data’?
The other common confusion around GDPR concerns personal data. How should you interpret this definition?
The obvious answer includes name, email address, and other contact details. But it goes further than that.
The ICO’s definition of personal data asks whether you can identify the individual from it. If you can, it’s personal data.
With that in mind, National Insurance numbers, bank details, and even IP addresses could be personal data. Not to mention video footage and images.
Of course, UK GDPR applies whether you’re holding such data for customers or staff within your business.
What should I be doing to comply with UK GDPR?
To comply with UK GDPR, you must know:
- What data you hold about people (customers, staff, stakeholders, suppliers etc.)
- What documented permission you have, and how you can use that data
- How old the data is, and how long you can justify holding it
So, you must know where your data is. Every software system, every email list, every filing cabinet.
Done correctly, it’s a sizeable task to manage and maintain.
Not sure where certain data originated from? The safest answer is to destroy it. If you haven’t used it until now, you probably don’t need it anyway.
What about your customer data? You don’t need permission to use their information for the transactions taking place (or for historical record keeping), such as holding their details in your accounting software. Yet you do need their permission if you wish to include them in your marketing activities.
You must also ensure the data you hold is secure.
That means securing your IT networks and preventing unauthorised access. Use encryption where necessary – for example, with sensitive personal data. Password-protect laptops and mobile devices that leave the premises. Also, fully train your staff on the importance of data security.
Need a hand?
UK GDPR is a huge topic. One article doesn’t do it justice. You can find out more by reading the official regulations. That’s not as daunting as it sounds – the early pages are written in plain English.
You can also contact the Information Commissioner’s Office (ICO) directly via web chat or phone. They’re a helpful bunch and respond promptly.
Should you need help assessing and upgrading your current data storage systems, we’re happy to chat. You might have legacy systems no longer fit for purpose or specific software needs resulting from your business growth. Please get in touch to discuss how you could go forward, always remaining on the right side of UK GDPR.