The UK General Data Protection Regulations (UK GDPR) came into force on January 1 2021 and sets out the key principles, rights and obligations for processing data in the UK. It is almost entirely based on the EU GDPR (which applied in the UK before January 2021) and sits alongside the Data Protection Act 2018 (DPA).
With the plethora of initialisms, some small businesses are understandably overwhelmed. Some actively ignore what they deem to be an administrative burden, while others unknowingly stray into breach of data protection regulations. Regardless of your view of the UK GDPR, one thing is clear; overlooking it could have costly repercussions by way of hefty fines and reputational damage to your business.
The body in charge of enforcing data protection breaches in the UK is the Information Commissioner’s Office (ICO). Much of the enforcement action pursued by the ICO relates to aggressive direct marketing techniques, such as nuisance calls and emails. For example, ColourCoat Ltd, a home improvements business based in Hastings, was fined £130,000 by the ICO in June 2021 following a substantial amount of direct marketing calls.
Businesses should also be mindful of the Privacy and Electronic Communications Regulations (PECR). Whilst UK GDPR covers processing of personal data, PECR is designed to protect privacy and security of personal data when using electronic communications. PECR covers aspects of your business such as electronic marketing and the use of cookies on your website. It is therefore important that businesses are aware of your responsibilities in this regard also, although it is important to note that these regulations are currently under review.
However, the ICO’s enforcement action is not limited to the deliberate flouting of regulations. Mermaids, a charity supporting transgender youth, was fined on July 8 2021 for failing to keep the personal data of its users secure. In its report, the ICO found there to be a “negligent approach” towards data protection, with inadequate data protection policies and a lack of face-to-face data protection training. Despite Mermaids being a charity with just 18 employees, and the ICO acknowledging it took immediate action to mitigate the damage to data subjects as soon as they were made aware of the breach, Mermaids were handed a fine of £25,000.
This fine demonstrates the severe consequences that could await small businesses in breach of the UK GDPR, and SMEs should be aware the degree of culpability will be assessed when calculating monetary penalties. The good news is that because the UK GDPR largely replicates the EU GDPR, if your business was compliant with EU GDPR you should find you will already be largely compliant with UK GDPR. However, in light of the changes, a data audit or review is advisable to ensure continued compliance. With that in mind, let’s consider what can be done to ensure your business fulfils its data obligations.
>See also: 9 steps to GDPR compliance for your first business website
6 steps to ensure you’re UK GDPR compliant
Update policies and procedures
The individuals’ data your business uses must be informed through a privacy notice of the personal data types you hold relating to them; how their personal data is to be used; and for what purpose(s).
An internal-facing data protection policy (a privacy standard) should be implemented. It should set out principles and legal conditions you must satisfy when obtaining, handling, processing, transporting or storing personal data and provide for customers, client, suppliers and employee data. An updated policy will demonstrate how your organisation processes personal data and make employees aware of their obligations.
Businesses are required to review contracts with third parties where the processing of personal data is involved and ensure they’re updated with each parties’ obligations, whether as a data controller or data processor.
Educate your organisation
All employees need to be aware of their data regulation obligations. Keeping them trained on your new policies, notices and procedures will ensure they’re followed consistently and promptly. As demonstrated in Mermaid’s case, face-to-face training for employees is also good practice to ensure that your staff understand their obligations. In some organisations, a mandatory data protection officer (DPO) must be appointed for formulating and implementing strategies on data processing and keeping the organisation educated. It is sensible to appoint someone to be responsible for data protection in your organisation (such as a data manager), even if a mandatory DPO appointment is not required. However, SMEs may not have capacity to make this appointment, due to lack of resources. If so, it’s worth outsourcing a legal data protection expert to ensure everyone knows their responsibilities.
Re-evaluate consents
The UK GDPR sets a high standard for consent. It must be explicit, freely given and unambiguous. Review your organisation’s consent mechanisms. In particular, make sure approval requires an affirmative “opt-in” action. This bans pre-ticked boxes as a legitimate form of giving consent, since no positive indication can be provided. It’s advisable to keep consent separate from other T&Cs and it shouldn’t be a precondition of signing up to a service. You must notify individuals about their right to withdraw consent, offering them easy ways to do so at any time.
If your existing consent mechanisms comply with the UK GDPR, you don’t necessarily need fresh consent but do review and consider whether fresh consent is appropriate, in particular if there has been a significant time lapse or there is a possibility that the purpose or scope of the processing for which consent was obtained has changed in any way.
>See also: GDPR: company campaigns that are ‘on brand’
The right to be forgotten
One rule under the UK GDPR is the right to have personal data erased (“the right to be forgotten”). Although the right only applies in certain circumstances, your organisation must have the capability and procedures to comply with such requests. You’ll have one month to respond substantively.
Subject access requests
Every individual has right of access to their data and you’ll need suitable procedures to deal with subject access requests. In the employment setting, access requests are often made in the context of ongoing disputes or tribunal claims. Requests are increasingly made by individual customers who are dissatisfied with customer service. An individual may genuinely wish to see what personal data is being processed and if it’s accurate. Others make requests because of the time, effort and expense they can cause, and to achieve a settlement. Regardless of motivations, be helpful, respond substantively within a month (as opposed to 30 days under the old legislation) and provide the data in a machine-readable format. Under the UK GDPR you aren’t allowed to charge a fee, save in limited circumstances.
Responding to data breaches
It is essential employees are fully trained, equipped to understand and recognise what constitutes a data breach. Your data manager or data protection officer will need specialist training around responding to a data breach.
Employee error is highly likely to cause security threats in SMEs and you will need to adopt internal procedures and require the same from third-party processors to deal with data breaches. Include how to identify a data breach, how it will be investigated and how to perform an assessment of the implications. Remember certain breaches must be notified to the information commissioner within 72 hours of when it was discovered, and the affected data subjects must be informed where there is a substantial risk of harm.
Small businesses should take actions to ensure their data is securely managed and those that comply with the UK GDPR will not only avoid potential fines and reputational damage, but will find their data handling, compliance processes and contractual relationships are robust, reliable and will keep their business secure for years to come.
Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.
Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.
Chris Cook is a partner and head of employment and data protection at SA Law