GDPR, data protection & your business: your guide to compliance
Posted on September 23, 2021 by Dan May
Data protection and its evolving regulations have long been a point of confusion for many businesses across the globe. Whether you’re running a small team, or the entire business by yourself, navigating the various data protection regulations is no easy feat.
Fortunately, we’ve brought together the information and highlighted key points, providing an explanation of what the laws are and what you need to be aware of.
Data protection is an expansive part of business. It’s always best to seek legal advice if you’re unsure about the specifics of your business operations.
What are the data protection laws I need to know about in the UK right now?
If you’re confused about the acronyms and laws when it comes to data protection, there’s no need to worry. We’ve rounded up everything you need to know.
GDPR (General Data Protection Regulation)
GDPR was the biggest change in EU data protection legislation since the 1995 Data Protection Directive. With the way personal data is collected and used having changed so drastically since then, the law needed to keep up with the times.
The low-down on GDPR:
- Proposed by the European Commission and adopted by the European Parliament and the Council of the EU in April 2016
- Covers the member states of the EU and, through the EEA Agreement, the wider EEA (European Economic Area)
- Applies to organisations established in the EU/EEA, and to organisations outside it that offer goods or services to, or monitor the behaviour of, people in the EU/EEA
- Replaced the 1995 Data Protection Directive (95/46/EC)
- Became applicable on 25th May 2018, after a two-year transition period in which organisations had to get their processing in order
Enforced by: The national data protection authority of each member state (for example the CNIL in France or the Data Protection Commission in Ireland), with the EDPB (European Data Protection Board) coordinating them and issuing guidance. The EDPS (European Data Protection Supervisor) only supervises the EU institutions themselves.
Applies to: Any controller or processor established in the EU/EEA, wherever the processing happens, and anyone outside the EU/EEA processing the personal data of people in it in the course of offering them goods or services or monitoring their behaviour.
What part does the UK play? The UK has been a third country in GDPR terms since the end of the Brexit transition period on 31st December 2020. This means that, for EU GDPR purposes, the UK is treated the same as any country outside the EU.
On June 28th, 2021, the European Commission adopted adequacy decisions confirming that the UK provides "adequate" protection for personal data. This means personal data can flow from the EU/EEA to the UK without additional safeguards such as standard contractual clauses. Note that the decisions carry a sunset clause: they expire after four years (June 2025) unless renewed, so keep an eye on that date.
The UK GDPR is what most UK businesses will now use going forward, and in terms of how it works, not much has changed. The main differences are that UK institutions replace EU ones (the ICO and the Secretary of State in place of the EDPB and the Commission, and UK courts in place of the Court of Justice of the EU), and that the rules on international transfers are now set from a UK point of view.
The lowdown on UK GDPR:
- The retained version of GDPR, carried into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, has been named UK GDPR simply for clarity.
- The UK GDPR "is a single regime for general processing activities." All this means is that the UK GDPR requires any UK data processing to be done to the same standard as the EU GDPR did before.
Enforced by: The ICO (Information Commissioner's Office). The Secretary of State has powers to make regulations under the UK GDPR but is not a regulator.
Applies to: Anyone established in the UK who processes personal data, and anyone outside the UK who offers goods or services to, or monitors the behaviour of, people in the UK.
What part does the UK play? As the UK GDPR is UK law, UK companies and the data of people in the UK are its focus. It requires a good level of data protection that anyone who processes or holds personal data on people in the UK must comply with.
DPA (Data Protection Act) 2018
Replacing the Data Protection Act 1998, the Data Protection Act 2018 was created to ensure that UK data protection law is prepared for the digital age.
The lowdown on DPA:
- Supplements and tailors GDPR for the UK (Part 2 of the Act), written before Brexit and before the UK GDPR was finalised
- Separately covers processing by law enforcement (Part 3) and by the intelligence services (Part 4), which sit outside GDPR
- Sets out UK-specific conditions and exemptions, for example for health and social care, education and research, and for the safeguarding of children
- Required the ICO to produce the children's code (the Age Appropriate Design Code) on processing children's data, which came into force on 2nd September 2020 with a transition period that ended on 2nd September 2021
Enforced by: The ICO. Policy responsibility for the Act sits with the Secretary of State for the DCMS (Department for Digital, Culture, Media & Sport).
Applies to: Any UK organisation that processes personal data, along with UK public authorities, law enforcement and the intelligence services
What part does the UK play? As this is UK legislation that applies to organisations in the UK, it's all focussed on us.
PECR (Privacy and Electronic Communications Regulations) 2003
PECR has been amended several times since 2003 (most notably in 2011, to require consent for cookies, and in 2018, to make company directors personally liable for fines for nuisance calls and messages), but its core structure has not changed. It set rules for consent in electronic marketing well before GDPR existed.
The lowdown on PECR:
- Covers electronic marketing (email, SMS, phone and fax), cookies and similar tracking technologies, the security of public electronic communications services, and the privacy of people using communications networks (for example calling line identification and directories)
- You'll often need to comply with both PECR and UK GDPR: PECR governs whether you may send the message or set the cookie at all, and UK GDPR governs the personal data you process as a result
- PECR dictates a lot of how you market and is often brought into ICO rulings on consent and direct marketing
- The UK GDPR standard of consent (freely given, specific, informed and unambiguous) applies to PECR now that we are past Exit Day (leaving the EU)
Enforced by: The ICO
What part does the UK play? PECR implements the EU ePrivacy Directive (2002/58/EC), but it is UK secondary legislation in its own right and remains in force now that we are out of the EU. Expect it to keep being amended as technology changes.
How can my business comply with data protection laws?
This is the million-dollar question.
Compliance with the data protection laws listed above varies depending on what you do, what data you hold, and the geographical areas you operate in. However, there are some general areas that should always be considered when you look at data protection.
Storing data securely
As well as collecting and processing data, storing data in a secure manner is a huge part of data protection. UK GDPR (Article 32) requires "appropriate technical and organisational measures" that take account of the state of the art, the cost of implementation and the risk to individuals: the law does not demand perfection, but you must be able to demonstrate that the measures you took were reasonable and proportionate. If personal data is breached, Article 33 requires you to notify the ICO within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals, so have a documented incident response process in place before you need it.
This falls under the umbrella of cybersecurity, something that ramsac is very passionate about.
ramsac’s advice on cybersecurity
- Your human firewall is every bit as important as your digital firewall. Educating your staff, from junior to board level, is just as important as putting in the technical controls that secure the systems you have.
- Creating a secure system requires regular review. As attackers get more capable, your systems need to keep up. Out-of-date software carries known vulnerabilities and eventually stops receiving security updates altogether.
- Understand your risks. Conducting a digital risk assessment helps you to understand your weaknesses. ramsac can help you with an IT best practice assessment.
Does where I operate from change the data requirements?
Yes, the economic and geographic area you operate in determines what laws you need to comply with.
I’m a UK headquartered business, but I have some customers in the EU. What do I need to do?
If you offer goods or services to customers in the EU, you'll need to comply with EU GDPR for that processing, as well as UK GDPR and DPA 2018 for your UK operations. On top of these, you may also need to comply with the national data protection law of the specific country of your customer, which can add rules of its own.
For example, for a customer based in Germany who asks you to process their data in the UK and return it to them as a report, you would need to comply with EU GDPR, Germany's Federal Data Protection Act (the BDSG), and UK GDPR and DPA 2018 for the processing you do here. The transfer from Germany to the UK is covered by the EU's adequacy decision for the UK, so standard contractual clauses are not needed for it. Schrems II (a 2020 judgment of the Court of Justice of the EU, not a German law) only becomes relevant if you then send the data on to a country without an adequacy decision, such as the United States, where you must assess whether your transfer mechanism actually protects the data in practice.
As you can see, the amount of legislation surrounding data processing means that any decision must be carefully considered before it can go ahead.
Data protection is such a wide, expansive topic, and something we could discuss for hours. The best thing to do is to evaluate what you're doing, plan everything, design data protection into your systems from the beginning (data protection by design and by default, which Article 25 of UK GDPR requires), execute your plan, and document what you've done.
Speak to ramsac today if you want to know what we do to comply with GDPR or if you want to understand more about data protection in your business, and how we can help.