Who do the GDPR and DPA apply to?
The GDPR and the DPA apply to businesses (and other organisations, like charities) that store or handle personal data (ie identifiable information relating to individuals). People handling personal data can either be 'data controllers' or 'data processors':
the controller is the person who says how and why personal data is processed (eg a city council operating CCTV cameras)
the processor is the person who acts on the controller’s behalf (eg IT services)
For more information, read Processing personal data.
The GDPR primarily applies to businesses established in the UK but also applies to businesses based outside the UK that offer goods and services to UK residents. This means that businesses will have to comply with the GDPR regardless of where they store or handle data, as long as they are processing UK citizens’ personal data.
UK businesses will also need to comply with the EU GDPR where they are processing EU citizens’ personal data.
Businesses should ensure they are clear about transfers of personal data in their Privacy policies.
International data transfers
On 1 January 2021, the UK became a ‘third country’ (ie a country outside of the EU), for the purpose of personal data transfer outside the EU.
On 28 June 2021, the European Commission adopted an ‘adequacy decision’ in relation to the transfers of personal data from the EU and European Economic Area (EEA) to the UK.
This means that personal data transfers from the EU and EEA to the UK can be made without the need to put in place additional contractual paperwork, measures or assessments. The adequacy will be reviewed every 4 years (provided the UK continues to ensure an adequate level of data protection) and the Commission will intervene if necessary.
Transferring data from the UK
Transferring personal data from the UK to the EEA is permitted. No additional safeguards (like the adoption of standard contractual clauses) are required as the UK Government currently considers all EEA member states’ data protection regimes adequate.
For more information on transferring data internationally, read International transfers of personal data.
Data protection principles
The GDPR reinforces the established principles governing data protection. These data protection principles include, but are not limited to:
Processing data lawfully
When collecting personal data, you must make sure the data is:
used fairly, lawfully and in a transparent manner
collected for specified, explicit and legitimate purposes
adequate and relevant, and its collection is limited to what is necessary
accurate and kept up to date
kept for no longer than necessary
handled according to the data protection rights of individuals
stored in a way that protects the data against unlawful processing and accidental loss, and
not transferred outside the UK without adequate protection
Complying with the accountability principle
Accountability is one of the data protection principles. Under the accountability principle, you are responsible for complying with the GDPR and need to ensure you demonstrate compliance with the GDPR.
To comply with the accountability principle, you need to put in place appropriate technical and organisational measures (eg adopting and implementing data protection policies, appointing a data protection officer and maintaining documentation of processing activities).
Obtaining valid consent
For consent to be valid, it must be:
limited to a specific purpose
Consent must consist of clear affirmative action, therefore, silence, pre-ticked boxes or inactivity don't constitute valid consent. In addition, consent to process special category personal data (ie particularly sensitive data, such as information about racial origin or health) and consent to transfer personal data outside the UK or EU must be explicit (ie affirmed in a clear statement).
Individuals must be able to withdraw their consent at any time using a one-step process. It must be as easy to withdraw the consent as it was to give it (eg if data subjects simply ticked a box to express their consent, they should be able to withdraw the consent as easily).
For more information, read Consent for GDPR.
Protecting individuals' rights
The GDPR provides additional rights for individuals, including:
the right to erasure - individuals have the right to ask companies holding data about them to erase that data upon request if there's no compelling reason to continue processing the data
the right to access data - data processors must comply with a request to access data without delay, and, typically, at the latest within one month of the request. However, you can refuse to respond to the request if it is manifestly unfounded or excessive
the right to data portability - when data processing is carried out by automated means, individuals have the right to access their personal data in a machine-readable format (which allows access to the data in a portable and safe way)
For more information, read Data protection requests.
Complying with breach notifications
Personal data breaches are breaches of security that lead to, for example, the destruction, loss, alteration or unauthorised disclosure of personal data. Most data breaches must be reported to the relevant supervisory authority. In the UK this is the Information Commissioner’s Office (ICO). If the breach is likely to pose a high risk to the affected individuals’ rights and freedoms, it should also be reported to these individuals. If feasible, the breach must be reported within 72 hours of your becoming aware of it.
For more information, read Data breach reporting.
To find out more about complying with the data protection principles, read Data protection principles.
How to comply with the GDPR and the Data Protection Act 2018?
The GDPR requires you to comply with data protection principles and to demonstrate this compliance through the implementation of specific policies and procedures. Follow these steps to make sure your business complies with the law:
evaluate whether the GDPR applies to your business
make sure you process data lawfully. This might involve applying suitable security measures. For example, if you own a mobile application, your developers should encrypt and secure any data that moves between your app and the server, in addition to adequate hashing of user passwords
review your existing process for obtaining consent from data subjects and ensure consents are valid. You should keep some form of record of consent (ie how and when consent was given, and by whom)
ensure you protect your staff members’ personal data, by adopting relevant policies (eg a Data protection policy, an Employee privacy notice and/or a Consultant privacy notice)
consider how you will deal with individuals' requests relating to their personal data (eg data deletion requests or data access requests)
ensure you offer a proper process for individuals to withdraw consent at any time and notify them of their right to do so
appoint a Data Protection Officer (DPO) within your business to be responsible for ensuring data protection compliance
appoint a specific person or set up a dedicated unit within your business to deal with data breaches
Make sure to protect your business by making all relevant GDPR documents. For more information, read Data protection for businesses and follow our How to make a business GDPR-compliant checklist. If you need assistance evaluating your data protection practices, use our Data protection health check.
What if I do not comply?
Individuals or businesses that do not comply with data protection law will be subject to a fine of up to 4% of their total global annual turnover or £17.5 million, whichever is higher. Supervisory authorities (like the ICO) will also have a wide range of powers, including the power to audit businesses, issue warnings and give temporary or permanent bans on data processing. For more information, read the ICO’s guidance.
Ask a lawyer if you have any questions about data protection compliance under the GDPR and DPA.