Who Does GDPR Apply To?

GDPR governs how an organisation stores and uses (processes) personal data.

It prevents the malicious collection or use of personal data. It also ensures that data is never shared without the owner’s consent.

The General Data Protection Regulations came into force in the European Union in 2018. They apply to all 28-member states.

The UK implemented the rules outlined by the GDPR through the Data Protection Act 2018 (DPA), effectively creating what is now known as UK GDPR. This was to ensure a continuance of these protections post-Brexit.

GDPR and UK GDPR are technically distinct, but the differences are minimal. Both sets of legislation have the same aims and implications for your business.

In the UK, data protection law is enforced by the Information Commissioner’s Office (ICO).

If they find that an organisation is failing to meet regulations, the ICO can impose significant fines. These can reach up to £17.5 million or 4% of a company’s annual global turnover, whichever is greater.

British Airways has been forced to pay the most significant fine for a GDPR breach. The ICO issued a fine of £20 million after it was found the airline allowed the personal data of 400,000 customers to be stolen by hackers in 2018.

And while £20 million sounds steep, the ICO originally planned to fine the airline £183 million. This was only reduced because of the Covid-19 pandemic and its financial impact on airlines.

British Airways also suffered the reputational damage that comes with a data breach. Consumers are unwilling to do business with companies that are careless with their personal data.

Yes. When a UK-based company transfers personal data outside of the UK, this is known as a ‘restricted transfer’.

Any restricted transfer needs appropriate safeguards to ensure data is protected by both the sender and receiver. This is guaranteed if an ‘adequacy decision’ exists between the UK and the territory where the receiver is based.

The UK currently has adequacy decisions with all members of the European Economic Area and a few other territories. More information can be found on the ICO website, including a list of countries covered by adequacy decisions.

GDPR makes it a legal requirement for businesses to handle personal data safely, responsibly and transparently. It outlines a number of data protection principles to follow. These can be read in more detail here.

Essentially, GDPR makes it a legal responsibility for organisations to:

• Collect data legally under strict guidelines and with consent
• Protect collected data from mistreatment or exploitation, both from within the organisation or outside attacks
• Respect an individual’s right to privacy and to access their own data

As mentioned, UK data protection law applies if your business or organisation collects, holds or uses personal data. This is regardless of the size or type of your operation.

Personal data includes names, email addresses and phone numbers – anything that can be used to identify someone directly or indirectly.

Not every organisation is subject to the same obligations under GDPR, however. The ICO sets out different rules for data controllers and data processors. To understand your data protection responsibilities, you must first know if your organisation qualifies as a controller or processor.

An organisation is classed as a controller if it decides how and why personal data is used.

An organisation is classed as a processor if it uses personal data on behalf of a controller.

For example, a gym collects personal data – names, addresses, emails – from its members. It decides how to do this and what it will use the information for. This makes it a controller.

The gym might then run a promotional campaign and send personalised invitations to a handful of its members. It then passes on names and addresses to a separate printing company so they can make and send the invitations. The printing company is using personal data on behalf of the gym under their instructions. This makes them a processor.

The controller must meet all relevant UK GDPR, but the processor must ensure they help the controller do this. The processor must also keep personal data safe and flag any potential violations immediately.

If you’re not sure if your organisation qualifies as a controller or a processor, you can find more guidance here.

UK GDPR doesn’t just put obligations on organisations to keep data safe. It also strengthens data privacy rights for individuals.

These rights give people some powers, including the right to:

• Know why their data is being collected and how it’s being used
• Confirm if their data has been used
• Access their collected data
• Correct any inaccurate or incomplete data
• Have data erased (also known as ‘the right to be forgotten)

You must also make your terms and conditions easy for your customers to understand. This means a clear one-page summary that reads like it was written by a human.

While most business leaders are more concerned with GDPR compliance, it’s important to remember that consumers are also growing more data-savvy. They expect integrity and robust data protection from companies handling their data. Having solid policies in place can help impress potential customers and avoid potential fines.

Data protection must be a priority for your organisation. Personal data is more valuable than ever before for both businesses and individuals. Customers and legal authorities are reacting accordingly.

Since January 2022, fines totalling around £1.5 billion have been handed out for failures to protect personal data. And although the most significant of these fines have been racked up by multi-national corporations, every business needs to know data protection law and ensure they’re compliant.

Our GDPR training course teaches you the fundamentals of GDPR and the latest industry best practices. Whatever your role in the business, you’ll be armed with practical, everyday strategies to handle data securely and confidently. You can win customers’ trust, ensure compliance and avoid the reputational and financial damage that can come with a GDPR breach.