What is data protection and why is it important?
Data protection refers to the practices, policies and measures implemented to protect and safeguard the privacy, confidentiality, and integrity of personal and sensitive information.
For the purposes of data protection laws in the UK, ‘personal data’ refers to information relating to individuals from which these individuals may be identified. For example, names and addresses. Anyone who uses personal data (other than for personal reasons) must comply with data protection laws. Using personal data is known as processing personal data. Examples of use include collecting, storing and analysing the data.
For more information, read Data protection, Processing personal data and Complying with the GDPR.
Data compliance checklist
Complying with data protection laws can be complex. However, ticking off these key actions can help ensure your business’ compliance:
Action |
(✔) |
| Only process personal data in accordance with the data protection principles. This means, for example, that you must be clear on what ‘processing’ is and what your business does with personal data (both internally and externally). |
|
| Ensure that you have a legal ground (or ‘legal basis’) for processing any personal data. Legal bases include, but are not limited to:
|
|
| Review any existing processes for obtaining consent from data subjects and ensure consent is valid. You should keep some form of record of consent (eg of how and when consent was given, and by whom). Ensure that you offer a proper process for individuals to withdraw consent at any time and notify them of their right to do so. For more information, read Consent for GDPR. |
|
| Take extra care when processing sensitive personal data (eg information about racial or ethnic origin, sexual life, health or vaccination status) or criminal offence data (ie information about criminal convictions and offences), as these are subject to more stringent controls. |
|
| Consider whether your processing of personal data is likely to result in a high risk to the rights and freedoms of individuals (eg if you are processing children’s personal data). If so, make a Data protection impact assessment (DPIA) to help you identify and minimise data protection risks. |
|
| Where a DPIA was carried out, determine whether an Appropriate policy document (APD) is needed. An APD outlines your procedures for ensuring compliance with data protection principles in relation to any sensitive personal or criminal offence data processes. Read Appropriate policy documents for more information. |
|
| Ensure that you comply with data protection laws when dealing with staff members’ personal data. Make a Data protection policy to inform your employees how you use their data and what principles they must adhere to when handling personal data. Consider informing anyone working for you about the types of data you may collect about them and what you do with it, using an Employee privacy notice (for employees) or a Consultant privacy notice (for consultants). |
|
| Make a Website privacy policy that indicates what personal data is being collected on your website, the purpose of collection, how individuals can access this data. This can help to protect your business against data mining and scraping. |
|
| Ensure you are aware of your obligations when data subjects make a data protection request (eg asking for their data to be erased or corrected), including what steps you have to take and how long you have to respond. |
|
| Be sure to understand the laws and regulations around international transfers of personal data and to only transfer personal data outside the UK where adequate data transfer safeguards (eg standard contractual clauses) have been put in place. |
|
| If you are outsourcing data processing to a third party (eg a third-party service provider), make a Data processing agreement (DPA) to ensure the safety of the personal data. |
|
| Tale steps to keep all personal data secure, including by:
|
|
| Understand your obligations for reporting a data breach (ie a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). Consider appointing a specific person or setting up a dedicated team to deal with data breaches. |
|
| Regularly train staff members to ensure that everyone is aware of relevant data protection procedures and the responsibility everyone has. |
|
| Keep records of your processing activities (including why you are processing certain personal data, how long personal data will be retained for, and who it will be shared with) and review these regularly. |
|
| Follow a Data retention policy and make sure not to store personal data for longer than absolutely necessary. Appropriate retention periods will depend on a variety of factors including, why the data was collected in the first place, whether the data is still needed and the business’ relationship with the data subjects. For more information, read Data retention and document destruction. | |
| Consider appointing a Data Protection Officer (DPO). This is the person responsible for ensuring data protection compliance within your business. The DPO should become familiar with data protection requirements and audit your data processing activities to ensure compliance. | |
| Bear in mind that you may need to comply with the European Union’s (EU) General Data Protection Regulation if you are processing personal data belonging to anyone based in the EU. For more information, Ask a lawyer. | |
| Certain businesses based in the UK must, under the EU GDPR, appoint an EU data representative as a local contact for data subjects and supervisory authorities. Businesses generally need to do this if they offer goods or services and/or monitor the behaviours of individuals in the European Economic Area (EEA). For more information, read EU representatives. |
What happens if a business doesn’t comply with data protection laws?
Failing to comply with data protection laws can have serious consequences. In the UK, the Information Commissioner’s Office (ICO) (the supervisory authority for data protection) has wide-ranging powers to ensure compliance with data protection laws. These include, but are not limited to:
-
auditing businesses to check that they are complying with their data protection obligations (and making recommendations based on their findings)
-
serving enforcement notice orders on businesses that have breached the law, requiring them to take specified steps to comply with the law
-
in England and Wales, prosecuting businesses that fail to comply with an enforcement notice (in Scotland this is done by the Procurator Fiscal Service)
-
reporting any issues or concerns to Parliament
-
issuing fines of up to 4% of a business’ total global annual turnover or £17.5 million (whichever is higher)
For more information, see the ICO’s guidance on enforcement.
For more information on data protection in general, read Data protection for businesses and Complying with the GDPR. Read our General Data Protection Regulation (GDPR) FAQs to find answers to the most common questions about the GDPR. If you have any questions or concerns do not hesitate to Ask a lawyer and consider using our GDPR compliance service to ensure your business complies with its data protection obligations.
