What is data protection, and why is it important?
Data protection refers to the practices, policies, and measures implemented to safeguard the privacy, confidentiality, and integrity of personal and sensitive information.
For the purposes of data protection laws in the UK, personal data means information relating to a living individual who can be identified, directly or indirectly, from that information. Obvious examples are names and addresses, but online identifiers such as an IP address, a device ID or a cookie ID are also personal data where they can be linked to a person.

Anyone who uses personal data (other than for personal reasons) must comply with data protection laws. Using personal data is known as ‘processing personal data’. Examples of use include collecting, storing, and analysing the data.
For more information, read Data protection, Processing personal data, and Complying with the GDPR.
Your data compliance checklist
Complying with data protection laws can be a complex process. However, ticking off these key actions can help ensure your business’s compliance:
- Only process personal data in accordance with the data protection principles. This means, for example, that you must be clear on what processing is and what your business does with personal data (both internally and externally).
- Ensure that you have a legal ground (a lawful basis) for any personal data processing. These include, but are not limited to:
- Review any existing processes for obtaining consent from data subjects and ensure consent is valid. You should keep some form of record of consent (eg of how and when consent was given, and by whom). Ensure that you provide a clear process for individuals to withdraw their consent at any time and notify them of their right to do so. For more information, read Consent for GDPR.
- Take extra care when processing sensitive personal data (eg information about racial or ethnic origin, sexual life, health or vaccination status) or criminal offence data (ie information about criminal convictions and offences), as these are subject to more stringent controls.
- Consider whether your processing of personal data is likely to result in a high risk to the rights and freedoms of individuals (eg if you are processing children’s personal data). If so, make a Data protection impact assessment (DPIA) to help you identify and minimise data protection risks.
- Where you process sensitive personal data or criminal offence data, determine whether an Appropriate policy document (APD) is needed. An APD outlines how you ensure compliance with the data protection principles in relation to those processing activities. Read Appropriate policy documents (APDs) for data protection for more information.
- Ensure that you comply with data protection laws when dealing with staff members’ personal data. Make a Data protection policy to inform your employees about how you use their data and the principles they must adhere to when handling personal data. Consider informing anyone working for you about the types of data you may collect about them and what you do with it, using an Employee privacy notice (for employees) or a Consultant privacy notice (for consultants).
- Make a Website privacy policy that indicates what personal data is being collected on your website, the purpose of collection, and how individuals can access this data. This can help to protect your business against data mining and scraping.
- Ensure you are aware of your obligations when data subjects make a data protection request (eg asking for a copy of their data, or for it to be erased or corrected), including what steps you have to take and how long you have to respond (generally one month from receipt of the request).
- Be sure to understand the laws and regulations around international transfers of personal data and to only transfer personal data outside the UK where adequate data transfer safeguards have been put in place (eg the destination country is covered by UK adequacy regulations, or you use the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses).
- If you are outsourcing data processing to a third party (eg a cloud service provider), make a Data processing agreement that sets out the processor’s obligations and the security measures it must apply to the personal data.
- Take steps to keep all personal data secure, including by:
  For more information, read Information security and cyber security.
- Understand your obligations for reporting a data breach (ie a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). Where a breach is likely to result in a risk to individuals’ rights and freedoms, it must be reported to the ICO within 72 hours of your becoming aware of it, so consider appointing a specific person or establishing a dedicated team to handle data breaches.
- Regularly train staff members to ensure that everyone is aware of the relevant data protection procedures and their respective responsibilities.
- Keep records of your processing activities (including why you are processing certain personal data, how long personal data will be retained for, and who it will be shared with) and review these regularly.
- Follow a Data retention policy and ensure that you do not store personal data for longer than absolutely necessary. Whether a retention period is appropriate depends on various factors, including why the data was collected in the first place, whether the data is still needed, and your business’s relationship with the data subjects. For more information, read Data retention and document destruction.
- Consider appointing a data protection officer (DPO), who will be responsible for ensuring data protection compliance within your business. The DPO should become familiar with data protection requirements and audit your data processing activities to ensure compliance.
- Bear in mind that you may need to comply with the European Union’s (EU) General Data Protection Regulation if you are processing personal data belonging to anyone based in the EU. For more information, Ask a lawyer.
- Certain businesses based in the UK must, under the EU GDPR, appoint an EU data representative as a local contact for data subjects and supervisory authorities. Businesses generally need to do this if they offer goods or services to, and/or monitor the behaviour of, individuals in the European Economic Area (EEA). For more information, read EU representatives.
If you’d like professional help to ensure you’ve ticked every box, you can use our GDPR compliance service. Our team of Legal Pros will work with you to audit your data, update your documents, and help you meet your legal obligations with confidence.
What happens if a business doesn’t comply with data protection laws?
Failing to comply with data protection laws can have serious consequences. The Information Commissioner’s Office (ICO) (the supervisory authority for data protection) has wide-ranging powers to ensure compliance with data protection laws. These include, but are not limited to:
- auditing businesses to check that they are complying with their data protection obligations (and making recommendations based on their findings)
- serving enforcement notices on businesses that have breached the law, requiring them to take specified steps to comply with the law
- in England and Wales, prosecuting businesses that fail to comply with an enforcement notice (in Scotland this is done by the Crown Office and Procurator Fiscal Service)
- reporting any issues or concerns to Parliament
- issuing fines of up to 4% of a business’s total global annual turnover or £17.5 million (whichever is higher)
For more information, see the ICO’s guidance on enforcement.
For more information on data protection in general, read Complying with the GDPR. Read our General Data Protection Regulation (GDPR) FAQs to find answers to the most common questions about the GDPR. If you have any questions or concerns, do not hesitate to Ask a lawyer. Consider using our GDPR compliance service to ensure your business meets its data protection obligations.