UK GDPR:
New Guidance on Data Security
Why has GDPR changed — and how does it impact your business activities?
TABLE OF CONTENTS
Introduction
Chapter One: How Has GDPR Changed Since Brexit?
Chapter Two: The Background of GDPR
Chapter Three: How Does GDPR Impact Your Business?
Chapter Four: What Can You Do to Ensure Compliance?
Introduction
If you work with data in any shape or form, you should be familiar with GDPR: the General Data Protection Regulation.
GDPR is a framework in European Union (EU) law designed to standardise data privacy laws across EU member countries, regulating how businesses share information and improving consumer protection. This mutually agreed legislation came into force in 2018 to replace previous data protection rules across the continent, which existed long before data was created and shared at the scale and volume it is today.
On the same day in 2018, the UK government published a new Data Protection Act (DPA) — a legal framework governing personal data and the flow of information in the United Kingdom. This law updated the existing Data Protection Act 1998 and, like the EU GDPR, came into effect on 25 May 2018.
Much has changed since these frameworks were first announced, and the guidance for data protection has evolved. New UK-based legislation came into effect on 1 January 2021. Consequently, even if your business was compliant in 2018 when the GDPR legislation was first published, that doesn’t mean it still is today.
According to IBM’s Cost of a Data Breach Report 2022, the cost of a cyber attack has reached an all-time high. And with 83% of organisations surveyed suffering more than one breach between March 2021 and March 2022, there’s no time to waste to ensure your compliance with data protection laws.
So, how have the rules changed, and what must businesses do to ensure they aren’t falling short of the mark?
83% of organisations suffered more than one data breach between March 2021 and March 2022.
CHAPTER ONE:
HOW HAS GDPR CHANGED SINCE BREXIT?
Overall, the fundamental principles, rights and obligations associated with GDPR haven’t changed — more details to follow. However, some differences between the UK and EU GDPR have already impacted businesses — or are likely to soon.
The amended ‘UK GDPR’ and DPA 2018 apply to UK organisations that store, collect or process personal data pertaining to individuals residing in the UK and to non-UK organisations that offer goods or services to UK residents. By contrast, the EU GDPR applies to organisations and individuals living in or trading with any country in the EU.
The future UK data protection framework outlined by the government’s 2021 data strategy consultation, ‘Data: A new direction’, will favour a more risk-based approach and permit greater flexibility for businesses. Once implemented, these amendments will influence the way organisations are required to record and assess data privacy.
The UK GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
According to Article 83(5)(a), failure to comply with the principles may leave you open to substantial fines — as much as £17.5 million, or 4% of your total worldwide annual turnover, whichever’s higher.
Still, GDPR shouldn’t be viewed as a box-ticking exercise to avoid a fine. In the event of a data breach, reputational damage, remediation costs and the impact on the business’s share price are more immediate concerns.
Something to note…
Legislation concerning data protection is constantly changing. For example, in the EU, the Privacy and Electronic Communications Regulations (PECR) directive was due to be replaced by the ePrivacy Regulation (ePR) in 2018 — an update intended to clarify how website operators should handle the use of cookies and complement GDPR. However, this regulation isn’t expected to be implemented before 2023.
It’s unclear whether the UK will fully implement the ePR’s requirements. Still, as UK companies are likely to continue doing business in EU countries, this legislation may impact UK businesses.
In July 2022, the government presented a Data Protection and Digital Information Bill to Parliament, marking the first significant post-Brexit change to the UK’s data protection regime. So, it’s crucial for any business handling data — especially transferring data between the UK and EU — to follow changing UK GDPR and DPA rules.
CHAPTER TWO:
THE BACKGROUND OF GDPR
According to GDPR laws, all organisations that process personal data must comply with data protection legislation, regardless of size.
GDPR and the DPA 2018 state that organisations must:
- Have a clear purpose for collecting personal information.
- Allow individuals to review, amend or challenge data processing practices.
- Implement appropriate security measures to mitigate cyber attacks and data misuse.
- Disclose any security incidents involving customer data.
The size of a business will determine the extent of its GDPR obligations. The Information Commissioner’s Office (ICO), which is responsible for upholding information rights in the public interest, may grant exemptions case-by-case, but businesses shouldn’t routinely rely on exemptions.
Failure to comply with GDPR can increase a company’s risk of experiencing a data breach and the reputational and financial damage that follows. What’s more, it can lead to hefty compliance fines. So, it’s in business leaders’ best interest to ensure they achieve and retain GDPR compliance for their organisation.
To protect your business and the personal data your company processes, you need to understand a few basics…
What counts as personal data?
Simply put, personal data or personally identifiable information (PII) is anything that someone could use to identify a living person, including names, email and home addresses, identification numbers and IP addresses.
The GDPR requires businesses to process personal data in a manner that ensures its security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
What constitutes data processing?
If you handle client data in some capacity, you’ll likely participate in processing data. Processing covers any operation or set of procedures performed with personal information, including:
- Collection
- Recording
- Organisation
- Structuring
- Storage
- Adaptation or alteration
- Retrieval
- Consulting
- Disclosure by transmission
- Dissemination (or otherwise making available)
- Alignment or combination
- Restriction
- Erasure or destruction
What’s a personal data breach?
A personal data breach is more than simply ‘losing’ data. It describes a cyber attack or security breach leading to the destruction, loss, alteration or unauthorised disclosure of — or access to — personal data.
‘The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.’ (Guide to the General Data Protection Regulation (GDPR), ICO)
High-profile attacks regularly appear in the news, impacting millions of users worldwide and demonstrating the massive costs and critical damage involved in data breaches. These incidents serve as a warning to companies that hold large quantities of sensitive personal information: ensure the most effective cyber security protocols are in place before such an event occurs.
Although many people are aware of GDPR, some businesses are still unclear on how it affects them and what they should do — especially now that the rules could change for companies in the UK. If you’re unsure whether your organisation is compliant, now’s the time to investigate.
CHAPTER THREE:
HOW DOES GDPR IMPACT YOUR BUSINESS?
Many businesses leverage digital networks to market their services in the modern world, sending targeted communications to customer bases. This process is known as ‘direct marketing’, defined in Section 122(5) of the DPA 2018 as ‘the communication (by whatever means) of advertising or marketing material which is directed to particular individuals’.
GDPR mandates that consent must be freely given, specific, informed, unambiguous and articulated by a ‘clear affirmative action’. As such, you can only directly market to individuals where you have clear evidence of permission to market to that person, by whichever means you’re contacting them.
The ICO hasn’t been shy about handing out fines for failure to comply with GDPR rules on unsolicited marketing communications.
In 2021, We Buy Any Car, Saga and Sports Direct were issued £495,000 in fines for sending more than 354 million unwanted messages to their customers. The ICO also imposed a £20,000 fine on Royal Mail Group Limited in March 2022 for violating Regulation 22 of the PECR, following an investigation into a breach and a failure to obtain valid consent for direct marketing emails.
In another case, American Express (Amex) was fined £90,000 in 2021 for sending more than four million unwanted marketing emails to its customers. Although Amex argued that the messages were ‘service emails’, permitted without prior consent under the PECR, the ICO upheld that the emails were promotional.
These incidents demonstrate how easy it is to blur the line — and how significant the consequences can be.
Obtaining permission: a marketing opportunity?
For professional services industries such as accountancy, finance and law that regularly deal with large volumes of sensitive data, it’s crucial to ensure direct marketing activity complies with data protection laws on electronic mail. Electronic mail is any text, voice, sound or image message sent over a public electronic communications network.
Of course, all businesses want the opportunity to communicate with customers and prospects. Still, GDPR requires organisations to obtain consent from individuals and ensure they understand what the company will use their data for.
Opting in for marketing communications must be clear and separate from any other messaging. It mustn’t be confused with checkout processes on e-commerce sites or with sending a proposal or quote for services. Individuals shouldn’t be penalised for not opting in — although they may miss out on discounts and offers.
The examples below are both clear and compliant.
In our opinion, there’s a great opportunity with GDPR to get your customers’ data in order and deliver more effective direct marketing campaigns in the future. Customers who opt in knowing what they’re signing up for will be much more receptive to your communications, meaning your business will be able to target them with messages that result in actions.
CHAPTER FOUR:
WHAT CAN YOU DO TO ENSURE COMPLIANCE?
GDPR is a journey. It may seem like you’ll never reach your destination, but that doesn’t mean you shouldn’t try!
We think the focus on GDPR’s hefty fines has distorted many people’s views on this legislation, viewing it as an onerous box-ticking exercise rather than an opportunity.
Yes, it requires putting procedures and systems in place.
Yes, it means auditing the personal data your company processes.
Yes, it may mean investing in new cyber security and data protection solutions.
However, there are clear benefits to ensuring your business is GDPR compliant.
If you work in a legal or accountancy firm, note that your business is likely to be considered a ‘controller’ of data; you’re responsible for determining how and why personal data is processed. As such, we recommend businesses seek the advice and support of a technical GDPR consultant who can make organisations aware of the latest legislation and ensure they’re meeting their obligations under new laws.
Whilst your business may benefit from expert support, there are steps you can take today to ensure your compliance. These steps focus on two key areas: organisational and technical.
Organisational actions
- Run GDPR training — online or face-to-face.
- Conduct a performance gap analysis.
- Build a GDPR plan and execute against it.
- Implement (or modify) policies and procedures to comply with the GDPR.
- Form a cross-business GDPR team and make one person responsible for leading it.
- Foster a GDPR culture within your organisation.
- Discard data that is no longer used.
- Know where data is and why it’s being processed.
Technical actions
- Identify ‘shadow IT’ (Skype, Evernote, Dropbox, etc.) and its implications.
- Secure mobile devices and data syncing.
- Oversee data destruction.
- Encrypt personal data.
- Ensure a good level of visibility on networks.
- Establish effective anti-malware technologies.
- Update and patch systems regularly.
- Assess, evaluate and health-check system security routinely.
- Install strong identity and access controls.
- Develop disaster recovery and backup systems.
- Protect data in the cloud and get statements of compliance.
By implementing these processes, you can take control of personal data and how it’s processed, helping streamline systems and improve cyber security. Doing so also benefits customers, who’ll likely become more receptive to marketing communications. A win-win solution all around!
The ICO provides complete guidance on GDPR in this document. For further help with IT issues concerning data protection and cyber security, please contact our team on 0330 124 3599 or email sales@prodriveit.co.uk.