What is GDPR? Why the GDPR Matters for Your Business

Millions of people in the UK use the internet for everything from buying groceries to booking medical appointments, applying for work, doing their jobs or just having fun. Unthinkably large amounts of data are floating in cyberspace, some containing highly sensitive personal information.

Businesses can’t just collect and use our data as they did pre-GDPR. The GDPR outlines what companies can do with our personal information.

The General Data Protection Regulation — GDPR for short — was enacted by the European Union in May 2018. At the time, the UK hadn’t yet enacted Brexit and left the European Union, so we had to adhere to the GDPR.

Which UK Act of Parliament was created to incorporate GDPR? When the UK did leave the European Union in 2021, parliament enacted the Data Protection Act 2018. It’s basically the same as the GDPR, with minor tweaks. We’ll get to those differences shortly.

The bottom line is that the GDPR gives private individuals rights over how their personal data is collected, stored and used. It protects our privacy and safeguards our personal data from misuse.

Your personal data is any information that can be used to identify you. Personal data includes details about:

• Your gender
• Your age
• Your location
• Your family
• Your genetics
• Your culture or background
• Your social identity
• Your sexual orientation
• Your finances
• Your political opinions
• Your health

The GDPR wasn’t just thought up over a weekend. It was the most significant change in data privacy laws in the European Union since 1998, and it took four years of political wrangling to develop. Eventually, seven principles have developed that form the basis of the GDPR.

The seven principles of the GDPR are:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality
7. Accountability

Companies can’t just collect our data because they like the look of it. They must have a lawful reason to gather, store or process personal data. They must also have consent from the data subject or have a legal obligation to do so. Data can also be processed if the company or organisation acts to protect the person or if doing so would be in the public interest. The purpose of data collection and use must be made clear and all data must not be misused or mishandled.

The GDPR states that data must only be collected for “specified, explicit and legitimate purposes.” What a company or organisation will do with your data must be clearly explained. How your data is used cannot be changed in the future unless you give your explicit consent.

Companies and organisations aren’t allowed to hoover up all available information about you. Only the bare essentials are permitted under the GDPR. A company or organisation can only use the minimal amount of data needed to complete a task and no more.

All personal data must be as accurate as possible. This responsibility lies with the data subject and the data controller/processor. So, a company must make every reasonable effort to ensure that data is accurate and we need to make every reasonable effort to ensure that our data is correct. It’s a reasonable request, really.

Companies can’t hang onto your data forever. The GDPR sets out what data can be collected and how long companies and organisations can keep it. Data can only be kept for as long as necessary. Any data that is no longer being used must be securely destroyed.

We’re entitled to be sure our data is being used correctly and accurately and isn’t mishandled. All data must be kept confidential. Personal data must be stored in a way that provides complete protection against any unauthorised access, but it can also be made accessible to the data controller upon request.

Lastly, it’s not enough for companies to just say they comply with the GDPR. They have to be able to prove it as well. If required, the data controller must be able to produce detailed records that demonstrate the steps they’ve taken to comply with all GDPR requirements.

The GDPR gives everyone the right to decide how their personal data is stored, collected and used. Your rights under the GDPR are:

• Your data can only be collected and used if you’ve given consent
• You have the right to access your personal data
• You have the right to know how your personal data is used
• You can withdraw consent and demand that your personal data be deleted
• You can move your data from one service provider to another
• You must be kept informed of any changes to how your data is managed or used
• You have the right to have erroneous information corrected
• You have the right to object to how your data is stored or used
• You must be informed within 72 hours if a data breach has occurred

The principles behind the GDPR and the UK Data Protection Act 2018 are the same. So much so the UK Data Protection Act 2018 is called the UK GDPR. There are, however, some key differences:

• Under the UK GDPR, the age of consent for data processing is 13. Under the EU GDPR, it’s 16
• The UK GDPR provides exceptions to data protection rules regarding immigration matters, intelligence services and national security issues
• Under the UK GDPR, the Secretary of State has special powers relating to adequacy decisions
• The UK GDPR states that the Information Commissioner’s Office (ICO) enforces, regulates and supervises data protection matters in the UK

The GDPR applies to data controllers or processors that handle people’s data in the UK or the EU. Data controllers are defined by the ICO as any entity that exercises “control over the purposes and means of the processing of personal data.” Data processors are defined as any entity that acts “on behalf of, and only on the instructions of, the relevant controller.”

Basically, if your business collects personal data from any customers in the UK or the EU, then you have to comply with the GDPR.

GDPR breaches and fines are no laughing matter. The standard maximum penalty amount is “£8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.” The maximum amount is “£17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”

The UK’s biggest fine for a GDPR breach was over 22 million euros. A company was fined €1.2 billion in the EU for breaching the GDPR.

The best way to ensure GDPR compliance is to fully understand its scope and meaning. Business owners must ensure that all staff members understand the GDPR and how to handle data accordingly. Your business should have a clear GDPR policy and a set of procedures in place to ensure compliance.

If you’re not tech-savvy, GDPR compliance can seem like a colossal hassle. But, if you follow a few simple data protection procedures, you can ensure you’re always in line with the GDPR.

Our GDPR Awareness Training is a great way to learn the fundamentals of data protection.

Designed for employees at every level of an organisation, this course provides an in-depth look into the GDPR principles. It explains practical ways to collect, store, process and handle data. Sign up for our course and learn everything you need to know.