The Beginner’s Guide to The General Data Protection Regulation (GDPR)
Are you new to the GDPR or unsure how it affects you and your business? Here's a brief overview of the main things you need to know.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
When did GDPR come into effect?
The Data Protection Act 2018 enacts the GDPR into UK domestic law and came into effect on 25th May 2018. Since 1st January 2021, following the UK's departure from the European Union, the ‘UK GDPR’ sits alongside the amended version of the DPA 2018. The UK government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.
What are the 6 principles of GDPR?
The 6 core principles of the GDPR are:
- Fairness, Lawfulness and Transparency. You must be fair, honest, and transparent with individuals whose data you are processing.
- Purpose Limitation. You must be clear about your purpose(s) for processing personal data.
- Data Minimisation. You should only process the information that you need to make a decision.
- Accurate and Relevant. Keep personal data accurate and up to date.
- Storage Limitation. You should only keep the individual’s data for as long as is necessary.
- Integrity & Confidentiality. You must keep personal data safe and secure.
Accountability. Whilst not a core principle, it underpins the principles above: you must be responsible and adhere to the rules of the GDPR. (Under the original Data Protection Act (DPA) 1998, there were 8 principles, 6 of which were similar to the current GDPR principles above. Originally, they were fairness and lawfulness, purposes, adequacy, accuracy, retention, rights, and security.)
GDPR vs DPA – what's the difference?
The General Data Protection Regulation (GDPR) is a 2016 EU regulation that was incorporated into the UK Data Protection Act 2018 to maintain a Europe-wide standard and introduce stronger legislation on the handling of personal data. While the UK remained part of the European Union, the DPA 2018 continued to reference the EU GDPR. As of the 1st January 2021, the DPA 2018 now references UK GDPR.
Who does GDPR apply to?
The EU GDPR applies to:
- Any organisation (large or small) that has an office in the EU and processes personal data as part of its business activities.
- Any organisation outside of the EU that offers goods/services to EU residents (paid or free).
- Any organisation that monitors behaviour of EU residents.
Example: if you are a UK organisation with no offices in the EU, yet you are offering goods/services to EU residents, then the EU GDPR applies to you.
The UK GDPR applies to:
- Any organisation (large or small) that has an office in the UK and processes personal data as part of its business activities.
- Any organisation outside of the UK that offers goods/services to UK residents (paid or free).
- Any organisation that monitors behaviour of UK residents.
Example: if you are a US-based organisation with no offices in the UK, yet you are monitoring the behaviour of UK residents (e.g., Strava), then the UK GDPR applies to you.
Why is GDPR important?
It serves to protect people's personal data and ensure that companies that process personal data do so correctly and legitimately.
What steps should I follow to become GDPR-compliant?
The first and most important step is to map all your data, followed by updating your GDPR policies and procedures, and then training everyone involved (usually the whole company). So:
- Step 1: Review all your data and list all the different sources it comes from.
- Step 2: From this data mapping, create a register of all your processing activities, and update your policies and procedures.
- Step 3: Educate your team/staff on how to manage personal data, including how to report a breach and handle subject access requests (SARs).
- Step 4: Build in regular review dates to ensure that your policies and procedures are still accurate and up to date.
What is classed as 'personal data'?
Any information relating to an individual that directly or indirectly allows them to be identified or distinguished from other individuals.
How long can I keep personal data for?
Only for as long as you are actively and legitimately using it. As soon as you no longer need the data, you should destroy it. Exceptions are reasons that relate to archiving purposes in the public interest, scientific or historical research, or statistical purposes.
Can users opt out of GDPR?
No. Any business or organisation that processes personal data must comply.
How can users find out what information companies hold on them?
By submitting a subject access request (SAR) either verbally or in writing. If you receive a SAR, you must respond within one month of receiving the request.
Does GDPR apply to small businesses, charities and clubs?
Yes, the GDPR applies to anyone* processing personal data. So, if you're a small business, charity or club and hold people's names and contact details or other personal information on members, customers or donors, you must adhere to UK data protection law.
You may also need to pay a data protection fee* (you can check this by going to https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/).
* The only exception is when you process someone's data as part of your everyday personal or domestic activities (e.g., in a non-professional, non-commercial capacity such as personal correspondence or social networking).
What’s the difference between a data controller and a data processor?
A data controller refers to the person and/or organisation who decides for what purposes and how any personal data will be processed, whereas a data processor is any person and/or organisation who processes the data on behalf of the data controller.
Example: your organisation (data controller) decides it wants to start sending a monthly newsletter to its existing customers to keep them up to date with the “latest news”. To do so, it needs the name and email address of each customer. You decide to use Mailchimp (data processor) as the platform on which you design and distribute your monthly newsletter to your customers.
Mailchimp (data processor) is processing the personal data of your customers on behalf of your organisation (data controller).
How does GDPR affect things like Google Analytics?
Before you can drop a Google Analytics cookie onto a user's device, you must first get their consent to do so – usually by a notification asking them if they want to accept cookies or not. In instances when a user doesn't give consent, expect your website analytics to dip as you won't be logging every page view or visit to your site. This also applies to other technologies such as Facebook Pixels.
How do I know if I've suffered a data breach?
Receiving lots of antivirus alert messages can often be an early indication. (To investigate further, it's worth checking dedicated data breach websites such as Have I Been Pwned.) You might also start getting phone calls from your clients or social network saying that they've received an unusual email from you, or, in extreme cases, you may find that you've been locked out of your account(s) altogether.
I hate having to set my cookie preferences on every website. What can I do?
You can choose to delete existing cookies, allow or block all cookies, and set preferences for certain websites. If you've consented to cookies, you shouldn't have to set your cookie preferences every time you visit the same website (as the website host should have recorded your decision and remember your preferences for future visits). However, if you've declined cookies, you may still be prompted to make a consent choice the next time you visit that site, if the website has not recorded your preferences.
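The consent gate described in the Google Analytics answer above, and the "remember the visitor's decision" behaviour from this answer, as an added example that is not part of the original page: analytics is only loaded after an explicit accept, and both accept and decline are recorded so the visitor is not asked again on every visit. The storage key, the 6-month expiry and the in-memory storage stand-in are assumptions for this example.

```javascript
// Added example (not the original page's code): a minimal consent gate for
// analytics cookies. Storage and the analytics loader are injected so the
// logic runs without a browser; in a page you would pass window.localStorage.
const CONSENT_KEY = "analytics-consent"; // assumed storage key

// Read a stored decision: "accepted", "declined" or null (never asked/expired).
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.expires && rec.expires < now) return null; // re-ask after expiry
    return rec.decision === "accepted" || rec.decision === "declined"
      ? rec.decision
      : null;
  } catch {
    return null; // malformed record: treat as no decision on file
  }
}

// Record the visitor's choice, declines included, with a 6-month expiry
// (assumed retention period for the consent record itself).
function recordConsent(storage, decision, now = Date.now()) {
  const sixMonths = 182 * 24 * 60 * 60 * 1000;
  storage.setItem(
    CONSENT_KEY,
    JSON.stringify({ decision, at: now, expires: now + sixMonths })
  );
}

// On page load: load analytics only on a recorded accept, stay silent on a
// recorded decline, otherwise show the banner. No tracking cookie is set
// until the visitor has actively chosen.
function consentGate(storage, loadAnalytics, showBanner) {
  const decision = readConsent(storage);
  if (decision === "accepted") { loadAnalytics(); return "loaded"; }
  if (decision === "declined") return "blocked";
  showBanner();
  return "asked";
}

// Constructed in-memory stand-in for window.localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}
```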
Want a quick and easy way to get on top of the GDPR? Sign up to our helpful online courses.
The Introduction to Data Protection course provides essential training for new starters, anyone new to data protection or those needing a GDPR refresher. Just 60 minutes long, it gives you everything you need to understand the GDPR better.
The GDPR for Business e-learning course is ideal for business owners new to the GDPR. Packed full of easy-to-follow tips and relevant examples, it will give you a solid and practical understanding of the GDPR and how best to apply it in your business.