GDPR, data protection & your business: your guide to compliance

laptop login visual overlay

Posted on September 23, 2021 by Dan May

Data protection and its evolving regulations have long been a point of confusion for many businesses across the globe. Whether you’re running a small team, or the entire business by yourself, navigating the various data protection regulations is no easy feat.

Fortunately, we’ve brought together the information and highlighted key points, providing an explanation of what the laws are and what you need to be aware of.

Data protection is an expansive part of business. It’s always best to seek legal advice if you’re unsure about the specifics of your business operations.

What are the data protection laws I need to know about in the UK right now?

If you’re confused about the acronyms and laws when it comes to data protection, there’s no need to worry. We’ve rounded up everything you need to know.

GDPR (General Data Protection Regulation)

GDPR was one of the biggest changes in data legislation since the original data laws were introduced in 1995. With the state of the world having changed so drastically, law needed to keep up with the times.

The low-down on GDPR:

  • Created by the European Commission
  • Covers member states of the EU
  • Applies to anyone processing data of EU persons or transmitting data through the EU/EEA (European Economic Area)
  • Created in 2016, it is the modern version of the 1995 Data Protection Directive
  • Once enforced, GDPR law had to be in place by 25th May 2018

Enforced by: The EDPS (European Data Protection Supervisor), and the wider European Commission

Applies to: Anyone processing data of any living person in the EU, or holding data in an EU company

What part does the UK play? The UK is now considered a third country in GDPR terms. This means that our rights are considered the same as a country outside of the EU.

Confirmed on June 28th, 2021, The UK received status that shows it has “adequate” protection laws. This means transfers of data from the EU can move unrestricted.

EU GDPR

UK GDPR

The UK GDPR is what most businesses will now use going forward, and in terms of how it works, not much has changed. The main differences are to do with the reporting and hierarchy of courts (i.e., removing the European Court of Justice.)

The lowdown on UK GDPR:

  • The retained version of GDPR has been named UK GDPR simply for clarity.
  • The UK GDPR is “is a single regime for general processing activities.” All this means is that the UK GDPR requires any UK data processing to be done to the same standard as previous GDPR.

Enforced by: The ICO (Information Commissioners Office) and the Secretary of State

Applies to: Anyone processing data in the UK, or an extra-territorial country (anyone in a non-UK country) who processes data of UK persons.

What part does the UK play? As the UK is considered the focus of the UK GDPR, our companies and our data are the key focus. The UK GDPR requires a good level of data protection, that anyone who processes or holds data on UK people must comply with.

DPA (Data Protection Act) 2018

Updated from the 1998 version, the Data Protection Act was created to ensure that data protection is prepared for the digital age.

The lowdown on DPA:

  • Created to help personalise GPDR for the UK, before the UK GDPR was fully finalised
  • Mentions cybersecurity specifically and brings in bespoke UK sectors such as healthcare and academia
  • Introduced the children’s code on data processing to ensure that young people using the internet are safe

Enforced by: The Secretary of State for the DCMS (Department for Digital, Culture, Media & Sport) and the ICO

Applies to: Any UK organisations that process data

What part does the UK play? As this exclusively applies to organisations in the UK, it’s all focussed on us.

PECR (Privacy and Electronic Communications Regulations) 2003

One regulation that hasn’t really changed drastically since its creation is PECR. Demonstrating the UK’s world-leading approach to data protection for many years, PECR set regulations for consent and processing very early on.

The lowdown on PECR:

  • Covers electronic marketing, cookies and tracking technologies, public electronic communications and privacy of people using communications networks
  • You’ll often need to comply with both PECR and UK GDPR
  • PECR dictates a lot of how you market and is often brought into rulings when discussing consent and processing
  • The UK GDPR standard of consent is applied to PECR now that we are past Exit Day (leaving the EU)

Enforced by: The ICO

Applies to: Anyone who provides an electronic communications network or similar service provider and anyone who markets electronically (including phone calls), uses cookies or compiles a telephone or similar public directory.

What part does the UK play? While this is originally an EU directive, the PECR are firmly embedded in UK law, and are regularly updated with technology. Now we’re out of the EU, PECR will continue to be updated to ensure that digital trade can continue.

How can my business comply with data protection laws?

This is the million-dollar question.

Compliance with the data protection laws listed above varies depending on what you do, what data you hold, and the geographical areas you operate in. However, there are some general areas that should always be considered when you look at data protection.

Storing data securely

As well as collecting and processing data, storing data in a secure manner is a huge part of data protection. While law makers understand that hackers can get through almost anything, you must demonstrate that you have taken reasonable measures to ensure the security of your data.

This falls under the umbrella of cybersecurity, something that ramsac is very passionate about.

ramsac’s advice on cybersecurity

  1. Your human firewall is every bit as important as your digital firewall. Educating your staff, from junior to board level, is just as important as putting in software procedures to secure the systems you have.
  2. Creating a secure system requires regular review. As hackers get more intelligent, your systems need to keep up. Out of date software risks vulnerabilities, and the stopping of security updates.
  3. Understand your risks. Conducting a digital risk assessment can help you to understand your weaknesses. ramsac can help you to cover an IT best practice assessment.
gdpr and small business

Does where I operate from change the data requirements?

Yes, the economic and geographic area you operate in determines what laws you need to comply with.

I’m a UK headquartered business, but I have some customers in the EU. What do I need to do?

If you’ve got EU customers, you’ll need to comply with GDPR, UK GDPR and DPA 2018. As well as these three regulations, you may also need to comply with additional laws in the specific country of your customer.

For example, for a customer based in Germany who required you to process their data and transfer it back to them in a case of report creation and analysis, you would need to comply with local German law (Schrems II etc.), EU GDPR and processing laws in the UK.

As you can see, the amount of legislation surrounding data processing means that any decision must be carefully considered before it can continue.

Data protection is such a wide, expansive topic, and something we could discuss for hours. The best thing to do is to evaluate what you’re doing, plan everything, design data protection into your systems from the beginning, execute your plan, and document what you’ve done.

Speak to ramsac today if you want to know what we do to comply with GDPR or if you want to understand more about data protection in your business, and how we can help.

Related Posts

  • What do we know about the Data Protection and Digital Information (DPDI) Bill?
    April 8th, 2024

    What do we know about the Data Protection and Digital Information (DPDI) Bill?

    GDPR

    The Data Protection and Digital Information (DPDI) Bill is a significant legislative proposal currently undergoing scrutiny in the House of Lords [...]

    Read article

  • How to Password Protect Files on Your Computer
    July 31st, 2020

    How to Password Protect Files on Your Computer

    CybersecurityGDPRIT

    Keep all your files safe and secure by adding password protection. Find out how with our step by step instructions on password-protecting PDFs, Word and Excel documents. [...]

    Read article

  • What is cybersecurity monitoring? How important is it in 2024?
    April 29th, 2024

    What is cybersecurity monitoring? How important is it in 2024?

    Cybersecurity

    Cybersecurity monitoring is the continuous surveillance of digital systems to detect and respond to security threats and data breaches in real-time. Discover how cybersecurity monitoring software can protect your [...]

    Read article

  • Examples of sensitive data in your organisation
    April 26th, 2024

    Examples of sensitive data in your organisation

    Cybersecurity

    Any confidential information that’s stored, processed, or managed by an organisation or individual is classified as sensitive data. Read our sensitive data examples today. [...]

    Read article

  • Cultivating success: The power of organic growth and vibrant culture at ramsac
    April 25th, 2024

    Cultivating success: The power of organic growth and vibrant culture at ramsac

    Awards

    As we celebrate our inclusion in the Oxygen Fast Growth Top 50 as one of the fastest-growing Managed Service Providers in the UK, we reflect on our journey [...]

    Read article

  • Understanding the PSTN switch-off: what it means for you
    April 23rd, 2024

    Understanding the PSTN switch-off: what it means for you

    IT

    The old Public Switched Telephone Network (PSTN) is shutting down at the end of this year, we explain the impact this could have on organisations. [...]

    Read article