The General Data Protection Regulations UK are an offshoot of the GDPR laws introduced by the European Courts in May 2018. The terms of the legislation are the same.
Although GDPR has been in force for three years now, it is still the subject of some confusion for many businesses. In this article, we will do our best to tidy up some of the rough edges.
It’s important that you are clued up about GDPR – especially now that regulators are ramping up their efforts to penalise companies that do not meet compliance.
GDPR penalties surged by 113% in the first two quarters of 2021 in Europe and by 39% in the UK.
So why are businesses subjected to GDPR legislation?
We have the likes of Google and Facebook to thank for that. The tech giants were selling the personal data of consumers to advertisers. Does it come as a surprise that Google and Facebook are reaping the benefits of GDPR by growing their marking share?
“The organizations that have taken the biggest hit, it seems, are the smaller companies that had to overhaul their programs to conform to the new GDPR rules. As a result, they likely lost some footing while restructuring their programs. Meanwhile, Google and Facebook continue to grow their domain.” ~ Fast Company
When GDPR was initially rolled out, the legislation was advertised as data privacy laws designed to protect the personal information of internet users that reside in jurisdictions that are governed by the EU.
In the last year, we’re seeing a different story. The regulators tasked with ensuring businesses comply with data protection laws – the Information Commissioner’s Office (ICO) – are also handing out GDPR penalties to businesses that suffer a data breach.
Basically, businesses are subject to GDPR penalties if you share personal data with consent – which includes personal data that is lost, stolen, damaged or illegally changed by a disgruntled employee or hacker.
Consequently, any business that processes the personal data of internet users within the UK and EU are subject to GDPR.
To ensure you meet compliance, you should be organising a “Privacy by Design” policy which involves keeping data collection to a minimum and informing users how you collect, store and use their data.
It also means you need to install adequate cybersecurity systems to ensure your IT network cannot be hacked.
Does GDPR Apply To Your Business?
GDPR will apply to most businesses in the UK and around the world, but not all.
Suffice to say, if you sell products or services online and collect any type of personal data of individuals that live in the UK and European member states, then, yes, GDPR applies to you.
In addition to EU member states, Iceland, Lichtenstein, Norway, and Switzerland are also protected by GDPR.
If you monitor the online behaviour of internet users in EU and UK territory, you are also obliged to comply with GDPR; i.e collecting cookies, IP addresses or location data.
Likewise, if you offer a downloadable newsletter, whitepaper or pdf in exchange for an email address, you are obliged to comply with GDPR rules.
If you’re writing a blog and don’t collect data from protected persons, then you are not subject to GDPR. Or, for example, if your target audience is anywhere else in the world other than the UK and Europe, GDPR does not apply to your business (but the data protection of other jurisdictions will be).
What is GDPR?
GDPR is the abbreviation for The EUs General Data Protection Regulations. The regulatory framework is basically a consolidation of data protection laws that organise procedures and laws businesses are bound by if you collect “personal data” from third parties.
Companies also fall under protective laws because they are deemed as “entities” in the same way as an individual.
The rules of the regulations instruct companies that collect and process the personal data of EU and UK citizens what they can and cannot do. In accordance with the law, internet users that visit your website, have the right to know, and thus must be informed:
- How their data is collected, stored and used (if you share data with third parties this should be declared): (Articles 13/ 14)
- Online businesses must give visitors the option to refuse data processing; for example, the option to not allow tracking cookies, or to decline marketing material: (Article 21)
- Internet users have the right to limit the amount of data they give you under certain conditions (Article 18)
- You must be able to provide information you have collected if an individual requests it. ‘Right of Access’ requests must be fulfilled within one month, free of charge: (Article 15)
- You must update incorrect information if notified of an error: (Article 16)
- Individuals have the right to decline automated processes that lead to decisions being made against them; i.e. profiling
- You must be able to delete data you have requested if an individual submits a ‘right to be forgotten request’: (Article 17)*
- The right to be forgotten gets complicated if you use the ‘retention labels’ in Microsoft 365 backup. Retention labels cannot be changed at any time, which also means they cannot be deleted.
What Constitutes Personal Data – and What Doesn’t?
To better understand your legal obligations, it’s important to understand what information is classified as personal data.
Essentially, personal data is considered any piece of information that might be used to identify an individual.
Think of personal data as a jigsaw puzzle. If a hacker is able to collect various pieces of information from multiple sources, they are able to piece the information together and create a profile of an individual. They can then use this information for nefarious causes.
Examples of personal data include:
- Name
- Address
- Phone number
- Email address
- Family members
- Personal ID numbers
- Date of Birth
- Location data
- Race
- Ethnicity
- Religion
- Political persuasion
Firms that store this data are obliged to protect the data from hackers and are forbidden to sell personal information to third parties.
Consider this when you are creating a GDPR/cybersecurity strategy.
If you only store an individual’s first name, for example, it would not be considered as personal data under GDPR because the individual cannot be identified.
However, if you also have a location and the individual has an unusual name, the ICO could deem the record to be personal data. For example, if you keep a record of someone called Byron and he lives in a small fishing village – let’s say, Robin Hoods Bay, the chances are there is only one (2 or 3 at most) Byron in that village.
In other words, a hacker or other unsavoury character could use this type of information to narrow down their targets.
If possible, keep the information you store as vague as possible; for example, Byron, Whitby (or North Yorkshire).
It’s also worth noting that GDPR comes into force at the time data processing takes place – even if the individual is not from Europe.
Let’s say a Mable from Canada visits London for a month. Ordinarily Mable, as a Canadian citizen, wouldn’t qualify as a protected person under GDPR.
However, whilst Mable is in London she visits your website and pays for goods and services online; i.e, she books a coach tour to Cambridge through a UK travel company.
Because the transaction takes place in the UK, the location takes precedence rather than the country of origin the individual is from.
What Constitutes a ‘Breach’ Under GDPR?
The ICO consider the rules of GDPR have been breached if personal data is:
- Stored without the individual’s consent
- Sold or shared to a third party without the individual’s consent
- Misused (see H&M example below)
- Lost or destroyed (i.e. system failure, fire etc) – See our article on how to create a Disaster Recovery Plan
- Stolen by cybercriminals or rogue employees
- Updated without the individual’s consent
- Failure to appoint a data protection officer
The majority of fines issued under GDPR are for “non-compliance of general data processing principles (no notification of how data is collected, stored etc) or inadequate technical measures and cybersecurity.
One of the more unusual examples involved H&M in what you might call a scandal. The e-commerce company was slapped with a £32.1 million fine for illegally storing the personal data of their employees they had no right to store and using it as a surveillance tool.
The type of data they were storing included medical symptoms, religious and political beliefs. Not only that, the company used the information to make decisions about employees which were considered a “gross disregard” of GDPR rules.
What Are the Penalties for Violating the GDPR?
The penalties for violating GDPR are judged on a case for case basis. The general rule is that companies will be fined a maximum of £17m or 4% of their annual turnover (whichever is higher) or up to £8.7m or 2% of annual turnover for lesser offences.
Mitigating circumstances may also help to reduce the penalty.
To get a better idea of the reasons and amounts of fines, check out the GDPR Enforcement Tracker. Some fines are as low as £900 whilst others run into tens of thousands. Large corporations have been slapped with penalties up in the millions.
However, it’s not necessarily the fine that can be destructive to your business. Under the terms of GDPR, businesses must inform all affected parties of the violation within 72 hours.
Affected parties may include customers, suppliers, investors, employees etc. Informing people of a data protection breach may result in major problems for your business. A lack of trust prompts customers to switch to your rivals, investors to withdraw their funding, suppliers to cancel contracts etc.
The consequences of breaching GDPR may not be failing to comply with the legislation but that other people know you failed to comply.
What are Your Obligations Under GDPR UK?
1. Get Consent
If you collect any type of information, including cookies, IP addresses etc, you must request consent to obtain the information and give internet users the option to refuse or limit the information they give you.
2. Opt-in must be clear
The terms and conditions of individuals opting in must be clearly stated in your privacy policy; how you store and use data. There must also be an easily accessible link placed on your website that directs web visitors to your privacy policy page.
3. Permission must be fair
It is not permitted to use a blanket consent form to get permission for every piece of data you collect or share. You may have noticed that most websites have a pop-up box informing users the website uses cookies and asks for consent. This does not give you permission to use that same information to share with a third party, for example, a payment gateway. Another permission must be given to access payment details during the checkout process.
4. Keep consent records
You must be able to show when an individual gave you permission to collect data. For example, if they download a pdf from your website, the date of the download must be recorded.
5. 30-day Deadline to fulfil requests
Individuals have the right to request information you hold about them, update information, or remove it. Submissions that fall into these categories must be completed within 30 days of the request.
6. Install adequate technologies and processes that ensure personal data is not lost, stolen or destroyed or illegally changed.
What Should you Include in a Privacy Policy?
Any business that collects personal data is required to draft a privacy policy that explains what they do with users’ information.
A privacy policy must include:
- Contact details of the company and its representatives
- A description of why the company is collecting personal data and how you intend to use it
- How data is stored
- A timescale for how long the information will be kept on file
- Outline the rights of users
- Name third party companies you may share data with
- Provide contact details of your Data Protection Officer (if necessary)
- Use simple language that is easily understood by readers
GDPR Terminology
Whilst you’re getting to grips with GDPR you will come across specific terminology – which may not be clear to you. We have provided a brief description below.
Data Subject – This is the individual or company that you are collecting and storing data from; i.e lead generation prospect
Data Controller – A business that collects and stores data – your company.
Data Processor – This won’t apply to everybody, only large corporations that uses a third party company to process data; i.e a payroll company
Supervisory Authority – This is the regulatory authority companies much report to – or answer to if you have been reported – if they are in breach of GDPR legislation. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).
Data Protection Officer (DPO) – This is the person appointed by your company to ensure your business is GDPR compliant.
High-Risk Cases for GDPR Compliance
There are other use cases that will affect some businesses but not all. Companies that are deemed to process and store personal data that is considered “sensitive” must also complete a Data Protection Impact Assessment (DPIA).
High-risk information is anything that could potentially impact the legal rights of an individual, their freedom or their safety.
Examples of high-risk activities include:
- Using new technology
- Tracking the location of individuals that would expose their address or whereabouts
- Medical information
- Collecting genetic or biometric data
- Marketing to children
How to Prevent a Data Breach
Whilst most legal obligations that will make you GDPR compliant are a quick-fix, there is one long-running threat: cybercrime.
Reports reveal that 60% of companies that suffer data breaches fail within six months. Oftentimes, the collapse of a business is not due to the penalty, but a loss of customers or investors.
The only way to prevent a data breach is to ensure your cybersecurity measures are airtight.
Technology is your best defence against cybercriminals. Security firms report that anti-virus, encrypted software and cloud storage can prevent around 90% of cyber attacks.
Most data breaches are actually caused by human error, either by weak passwords, the victim of malware or misconfigured settings.
Providing your staff with cybercrime awareness training help resolve this problem. We show you how to create strong passwords, how to identify phishing attempts (suspicious emails) and best practices for reporting and isolating malware.
We also recommend patch management services. When software is released by a tech company hackers always try to find vulnerabilities in the code that gives them a gateway into your network.
As a consequence, tech companies have to stay one step ahead of hackers by updated their security codes. However, this can cause a problem for companies that use multiple software, apps and plugins – your staff is constantly updated software.
You also have to rely on your staff to perform updates. Patch management services eliminate the risks. Some updates can be performed automatically, and the rest are taken care of by our consummate IT support professionals in London.
Still confused about GDPR. Contact our knowledgeable team to settle your concerns and ensure you are GDPR compliant.