‘Trust’ is one of the most important words in business, and when your customers buy your products or services, they’ll expect their personal information to be secure. GDPR has been an important topic for businesses since 2018, but now that the UK has left the European Union (EU), is GDPR still law? We’ll explore what your data responsibilities are in this handy guide.
What is GDPR?
GDPR (General Data Protection Regulation) is a set of EU data protection rules that were introduced in May 2018. The aim of GDPR is to enhance individuals’ data privacy and rights across the 27 EU member countries, as well as the wider European Economic Area (EEA). For any business that handles their customers’ personal data both in the UK and across the EEA, GDPR compliance is essential.
Why is GDPR important?
Technology has transformed the world since previous generations of data protection laws were introduced, and whether we’re shopping online or browsing the web, our personal data is increasingly important in how we go about our lives. It’s also a sad reality that fraud poses a risk to every business and customer, so any rules like GDPR that limit how data can be collected and stored can protect us all.
But the most obvious reason why businesses need to comply with data protection is because non-compliance can lead to penalties and fines, which we’ll be covering later.
What are my GDPR responsibilities?
We’ve put together a GDPR checklist for small and large businesses, covering the steps you should look to follow:
- Personal data must be processed lawfully, fairly and in a transparent manner. For example, do you have a privacy policy on your website and do you allow users to make changes to their privacy settings?
- It must be collected for a legitimate purpose. Are you collecting data that’s related to your business activity?
- The data must be limited to what is necessary, known as ‘data minimisation’. For example, unless relevant to the transaction, a contact form on a website should not request unnecessary information, such as phone numbers, occupation and gender.
- It must be accurate and kept up to date. Your newsletter subscribers should all have consented to receiving communications; for instance, by clicking on an email link or a checkbox on a webpage.
- You must ensure appropriate confidentiality over individuals’ information. Some cookies on websites are a way of collecting data, so you could remove plug-ins you don’t need to reduce your cookie count.
- It must be processed in a secure manner. For example, adding a Google reCAPTCHA form onto your contact page can filter out spam and make your customers’ web experience more secure.
As you grow your business, you may need to think carefully about what data your company collects, and which person or team is responsible for data compliance in your organisation. Larger companies may wish to hire a Data Protection Officer to oversee GDPR compliance, but it’s important for everyone in your company to be aware of what a data breach looks like, so that they are able to escalate any problems to the key decision maker.
Does GDPR still apply in the UK?
Technically, EU GDPR no longer applies in the UK following the country’s withdrawal from the EU. However, following the Brexit vote, GDPR was replaced by the Data Protection Act 2018 in the UK, which GOV.UK describes as “the UK’s implementation of the General Data Protection Regulation (GDPR)”. The Data Protection Act is often called ‘UK GDPR’ and is based on similar data protection principles – some even argue the Data Protection Act is an extension of GDPR. The DPA includes some extra safeguards; for example, the age of consent for processing someone’s data is 13, as opposed to 16 as outlined in EU GDPR.
How to comply with GDPR after Brexit
Following Brexit, how you deal with GDPR as a business depends on where your customers are based. This is where it can get complicated.
- If you only process UK customers’ personal data, you must comply with the Data Protection Act 2018, otherwise known as UK GDPR.
- In addition to the above, if you sell goods and services to customers within the EEA, process their data and/or monitor their behaviour, you’ll need to comply with EU GDPR.
If some or all of your customers are based in the EU, there are steps you’ll need to take to ensure compliance with EU GDPR. This includes appointing a representative (an individual or organisation such as a law firm) who is based in the EEA and can act on your behalf for all EU GDPR compliance matters. You’ll also need to update your policies, procedures and contracts to reflect the new EU-UK data transfer rules. The Information Commissioner’s Office (ICO) has helpful guidance on how to comply with your data responsibilities across the continent.
Fines and penalties for GDPR non-compliance
The stakes can be high when it comes to GDPR compliance, as the costs of a data breach can be eye-watering. Under UK GDPR, infringements can result in a maximum fine of £17.5 million, or 4% of global turnover (whichever is higher), which increases to €20 million (about £18 million) under EU GDPR. Lesser penalties include warnings, bans on data processing and orders to erase data.
Need more support?
GDPR can be complicated, but with the right processes and personnel in place, you may be able to rest easy knowing that your customers’ data is being professionally secured. If you’d like to know more about keeping up with your responsibilities in terms of data protection and Brexit, here are some related guides on Tyl Talks:
Disclaimer
This has been prepared by Tyl by Natwest for informational purposes only and should not be treated as advice or a recommendation. There may be other considerations relevant to you and your business so you should undertake your own independent research.
Tyl by Natwest makes no representation, warranty, undertaking or assurance (express or implied) with respect to the adequacy, accuracy, completeness, or reasonableness of the information provided.
Tyl by Natwest accepts no liability for any direct, indirect, or consequential losses (in contract, tort or otherwise) arising from the use of the information contained herein. However, this shall not restrict, exclude, or limit any duty or liability to any person under any applicable laws or regulations of any jurisdiction which may not be lawfully disclaimed.