You’d have to think long and hard to come up with a business that the UK General Data Protection Regulation doesn’t cover. Not everyone keeps up with the law, though. For someone focused on running their business, mistakes can be simple. And costly. That’s why we’ve put together a quick and easy Data Protection Act 2018 summary.
The UK General Data Protection Regulation governs how a business can store, handle, process and transmit personal information. If you use a computer to do things like manage payroll, take payments or keep a list of customer addresses, then you have to make sure your business complies with the UK Data Protection Act 2018.
IT and techie stuff can be intimidating. Forget about having to wade through pages of legalese and tech talk. We’ve compiled everything you need to know about data protection here.
What is the UK General Data Protection Regulation (UK GDPR)?
Let’s start with the nuts and bolts. What exactly is the UK General Data Protection Regulation 2018? Known as the GDPR, this law outlines how personal information can be used by governments, businesses and organisations. It provides rules on how any type of information relating to a person is collected, handled, processed and stored.
Whenever you log onto a website and order a product, whenever you make an electronic payment, whenever you sign up for an online newsletter, how your data is handled is governed by the UK GDPR.
Before the UK GDPR, the UK was subject to the European Union’s General Data Protection Regulation. When the UK left the European Union in 2020, a new law had to be drafted: one that covered pretty much the same things and had the same principles, but was written specifically for the UK. This was the UK General Data Protection Regulation 2018.
What Was the Data Protection Law Before the GDPR?
The EU GDPR replaced a law called the Data Protection Directive, which was enacted way back in 1995 when nobody really had any idea how the internet would evolve.
The Data Protection Directive was problematic because it was a directive, not a set of regulations under EU law. It meant that each country had to come up with its own data protection rules. Sharing data across borders became a massive headache and there was no way to guarantee that people’s information was accurate or would be kept safe. By 2016, it was obvious something better needed to be done.
In the UK, the General Data Protection Regulation 2018 replaced the UK Data Protection Act 1998, which was also no longer fit for purpose. In 1998, we didn’t have Facebook, TikTok, Instagram or smartphones. The World Wide Web was awkward and slow, and we needed noisy dial-up modems to access it. The digital world was a very different place.
Technology has evolved considerably since then. To ensure our information is used responsibly and kept safe, we need the General Data Protection Regulation 2018.
A Quick UK Data Protection Act 2018 Summary
The UK GDPR provides stringent legal protection for data relating to an individual’s personal information. Personal information is anything that can be used to identify you. It includes details about your:
- Race
- Ethnic background
- Political opinions
- Religious beliefs
- Trade union membership
- Genetics
- Biometrics (where used for identification)
- Health
- Sex life or sexual orientation
The UK GDPR’s strict rules are based on well-defined data protection principles. Under the GDPR, personal information must be:
- Used fairly in a lawful and transparent manner
- Used only for explicitly stated specific purposes
- Used in the most relevant and minimal way required to accomplish a specific purpose
- Correct and up-to-date
- Kept for no longer than necessary
- Handled to ensure security
- Protected against unauthorised or unlawful processing, access, loss, damage or destruction
You have distinct rights under the UK GDPR and the EU GDPR. You have:
- The right to be informed of how your data is used
- The right to access your data
- The right to rectify incorrect data
- The right to erase data
- The right to restrict the processing of your data
- The right to transfer your data
- The right to object to how your data is being used
- Rights related to automated decision-making processes
- Rights related to data used for profiling purposes
While these rights and data protection principles are similar in both the UK GDPR and the EU GDPR, there are some differences.
What’s the Difference Between the UK GDPR and the EU GDPR?
There are seven areas where the UK GDPR differentiates itself from the EU GDPR:
- The Age of Consent: Under the UK GDPR, a child can consent to data processing at the age of 13. Under the EU GDPR, the age of consent is 16.
- How Criminal Data is Processed: Under the EU GDPR, processors of criminal data must have official authority. This is not required under the UK GDPR.
- Automated Decision-Making/Processing: Under the EU GDPR, data subjects can refuse automated decision-making or profiling. The UK GDPR allows automated profiling if there are legitimate grounds for doing so.
- The Rights of Data Subjects: Under the UK GDPR, data subject rights can be waived if there is a legitimate need to process the data for scientific, historical or statistical and archiving purposes.
- Privacy and Freedom of Expression: The processing of personal data can be exempt from the UK GDPR if it is in the public interest to do so.
- GDPR Representatives: Non-EU data controllers and processors must appoint a representative in the EU according to the EU GDPR. Non-UK data controllers and processors must appoint a representative in the UK.
- GDPR Penalty Maximums: The EU GDPR’s maximum fine is €20 million or 4% of annual global turnover. The UK GDPR sets a maximum of £17.5 million or 4% of the total annual worldwide turnover.
What About Brexit and the GDPR?
Since Brexit, the rules around data protection in the EU and the UK have become a little more complicated. If your business processes the personal data of EU residents, then you have to abide by the EU GDPR. This means:
- You must appoint an EU representative
- You must identify a lead supervisory authority in the EU
- You may have to update contracts dealing with EU–UK data transfers
- And then update policies, procedures and documentation based on these changes
If you only process the data of UK citizens, then you need only comply with the UK GDPR.
How to Be Sure Your Business Complies with the UK GDPR
If you’re still a little wary of whether your business is compliant with the UK GDPR or the EU GDPR, that’s probably a good thing. These laws apply to businesses of all sizes and also to self-employed individuals. It makes good sense to be sure that you’re doing everything you can to abide by them.
Taking our GDPR Training will make sure you know what your data protection responsibilities are.
This training covers the fundamentals of data protection law and teaches you practical ways to apply them. You’ll learn how to process data safely and how to prove your business does so. The course covers the roles and responsibilities of both employers and employees.
You can complete the course online in segments whenever you like. The course is certified and accredited and of course all your data will be handled in strict accordance with the UK GDPR and, if required, the EU GDPR.