GDPR: Your Business's New Data Protection Reality

02/07/2017


The General Data Protection Regulation (GDPR) applied from 25 May 2018 and, since the UK left the EU, continues to apply in the United Kingdom as the UK GDPR alongside the Data Protection Act 2018. It has fundamentally reshaped the landscape of data privacy for businesses across the United Kingdom and beyond. Far from being a mere bureaucratic hurdle, GDPR represents a significant shift in how organisations must approach the collection, processing, and storage of personal data. At its heart lies the principle of accountability, placing a clear onus on businesses not only to comply with the regulation but also to demonstrate that compliance.


Understanding the Core Principle: Accountability

Accountability, as enshrined in GDPR Article 5(2), is a cornerstone of the regulation. It means that businesses are not only responsible for adhering to the GDPR's legal requirements but must also be able to prove their adherence. This isn't about a one-off checklist; it's about embedding data protection into the very fabric of your organisation's operations. In practice, this translates to a proactive and demonstrable commitment to protecting personal data.

Key Steps for GDPR Compliance

To translate the principle of accountability into tangible actions, businesses need to undertake several crucial steps:

1. Data Mapping and Inventory

Before you can protect data, you need to know what data you have, where it resides, and why you have it. This involves creating a comprehensive data map or inventory. For each piece of personal data, you should document:

  • What data is collected: Be specific. Is it names, addresses, email addresses, financial details, health information, or something else?
  • Where the data is stored: This includes cloud storage, on-premise servers, employee laptops, and even physical files.
  • Why the data is collected (lawful basis): GDPR requires a valid legal basis for processing personal data. Common bases include consent, contract, legal obligation, vital interests, public task, or legitimate interests. You must be able to articulate and justify your chosen basis for each type of data processing.
  • Who has access to the data: Identify internal departments and external third parties who access the data.
  • How long the data is retained: Establish clear data retention policies and delete data securely when it's no longer needed.
  • How the data is protected: Detail the security measures in place, such as encryption, access controls, and pseudonymisation.

This detailed understanding is the bedrock of accountability. Without it, demonstrating compliance becomes an impossible task.

2. Reviewing and Updating Privacy Notices

Your privacy notice is the primary way you inform individuals about how their personal data is processed. Under GDPR, these notices must be:

  • Concise, transparent, intelligible, and easily accessible (Article 12): individuals should be able to find the notice and understand it without difficulty, so use clear and plain language and avoid jargon and legalese.
  • Specific about who you are and what you do with the data (Articles 13 and 14): identify the controller (and the DPO, where you have one), state each purpose of processing and its lawful basis, name the categories of recipients, and give the retention period or the criteria used to set it.
  • Informative about data subject rights: individuals have rights of access, rectification, erasure, restriction of processing, objection, and data portability, as well as the right to withdraw consent where consent is the lawful basis and the right to lodge a complaint with the ICO. Your privacy notice must tell them about these rights.

Regularly reviewing and updating your privacy notices to reflect current data processing activities is a key aspect of ongoing accountability.

3. Implementing Robust Consent Mechanisms

Where consent is the lawful basis for processing, GDPR sets a high bar. Consent must be:

  • Freely given: Individuals must have a genuine choice and not feel pressured.
  • Specific: Consent should be for particular purposes, not bundled together.
  • Informed: Individuals must understand what they are consenting to.
  • Unambiguous: It requires a clear affirmative action, such as ticking a box (pre-ticked boxes are invalid).

You must also make it as easy for individuals to withdraw their consent as it was to give it. Keeping records of consent is vital for demonstrating compliance.

4. Establishing Data Subject Rights Procedures

Businesses must have clear procedures in place to handle requests from individuals exercising their GDPR rights. This includes:

  • Subject Access Requests (SARs): you must respond without undue delay and at the latest within one month of receipt. The deadline can be extended by up to a further two months where requests are complex or numerous, but you must tell the individual about the extension, and why, within the first month.
  • Requests for rectification, erasure, restriction, or objection: have a process to efficiently manage and respond to these requests within the same one-month timescale.
  • Data portability requests: where processing is based on consent or on a contract and is carried out by automated means, be prepared to provide the data in a structured, commonly used, and machine-readable format.

Training staff on how to handle these requests and maintaining records of all requests and responses is crucial for accountability.

5. Data Protection by Design and by Default

This principle, outlined in Article 25 of GDPR, requires businesses to integrate data protection into their systems and processes from the outset. This means:

  • Data protection by design: Consider data protection implications at the earliest stages of any new project, product, or service development.
  • Data protection by default: Ensure that only the personal data that is necessary for each specific purpose is processed, and that this data is not made accessible to an indefinite number of people without that person's intervention. Settings should be privacy-friendly by default.

For example, when developing a new app, privacy considerations should be built into the design, not added as an afterthought. Default settings should be the most privacy-protective available.
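Pseudonymisation is one of the measures Article 25(1) names for data protection by design and by default, and it also appears in the data-mapping step above under "how the data is protected". The following Python example is added here to illustrate it; it is not code from the article. It shows why an unkeyed hash of an identifier such as an e-mail address is not an effective pseudonym (anyone can hash a list of guesses and compare), and how a keyed HMAC, with the key held apart from the pseudonymised dataset, produces a stable pseudonym that cannot be reversed by guessing without the key. The record layout, field names, sample records and the choice of which field to drop are assumptions constructed for the example.

```python
"""Pseudonymisation as a 'data protection by default' control.

Added example, not code from the article. Record layout, field names and
sample data are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, as an analytics export might receive them.
SAMPLE_RECORDS = [
    {"email": "Alice@example.com", "postcode": "SW1A 1AA", "purchase": 12.50},
    {"email": "bob@example.com", "postcode": "EH1 1YZ", "purchase": 99.00},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "purchase": 3.20},
]

# Assumed purpose: per-customer purchase totals. The postcode is not needed
# for that, so it never enters the export at all (data minimisation).
FIELDS_TO_DROP = {"postcode"}
DIRECT_IDENTIFIER = "email"


def _normalise(identifier):
    # Case-fold and strip so the same person always yields the same pseudonym.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier):
    """Unkeyed SHA-256: looks opaque, but anyone can hash a guess and compare."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA-256 under a secret key: stable within one dataset, but it
    cannot be recomputed (and so cannot be reversed by guessing) without the key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Swap the direct identifier for a keyed pseudonym and drop fields the
    purpose does not require. Returns new dicts; the input is left untouched."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items()
                if k != DIRECT_IDENTIFIER and k not in FIELDS_TO_DROP}
        kept["subject_id"] = keyed_pseudonym(rec[DIRECT_IDENTIFIER], key)
        out.append(kept)
    return out


def dictionary_attack(target, candidates, pseudonym_fn):
    """Re-identification attempt by someone holding the dataset but not the
    key: compute pseudonym_fn over each guess and compare it to the target."""
    for guess in candidates:
        if hmac.compare_digest(pseudonym_fn(guess), target):
            return guess
    return None


def demo():
    # In production the key lives in a secrets store readable only by the
    # component that performs the pseudonymisation, never next to the data.
    key = secrets.token_bytes(32)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    # 1. Unkeyed hashing is trivially reversible for guessable identifiers.
    recovered = dictionary_attack(naive_pseudonym("alice@example.com"),
                                  guesses, naive_pseudonym)
    # 2. The keyed pseudonym resists the same attack when the key is absent.
    blocked = dictionary_attack(keyed_pseudonym("alice@example.com", key),
                                guesses, naive_pseudonym)
    export = pseudonymise(SAMPLE_RECORDS, key)
    return recovered, blocked, export


if __name__ == "__main__":
    rec, blk, exp = demo()
    print("naive hash re-identified as:", rec)
    print("keyed pseudonym re-identified as:", blk)
    for row in exp:
        print(row)
```

Two caveats a practitioner should keep in view. First, pseudonymised data is still personal data under GDPR (Article 4(5) and Recital 26) because whoever holds the key can re-identify it, so the export stays inside the data inventory and the key must be stored and access-controlled separately from the dataset. Second, using a fresh key per export prevents the same individual from being linked across unrelated datasets, at the cost of losing that linkage deliberately; choose per purpose.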

6. Appointing a Data Protection Officer (DPO)

While not mandatory for all businesses, Article 37 requires a DPO for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities involve large-scale processing of special category data or data relating to criminal convictions and offences. Even if not legally required, appointing someone responsible for data protection oversight can be a valuable step towards demonstrating accountability.


7. Data Breach Notification

GDPR mandates that businesses notify the Information Commissioner's Office (ICO) of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to individuals, you must also notify those concerned directly and without undue delay. Whether or not a breach is reportable, Article 33(5) requires you to document it, including its effects and the remedial action taken, so that the ICO can verify your decision. A processor that becomes aware of a breach must notify the relevant controller without undue delay. Having a robust incident response plan, with the 72-hour clock built into it, is essential.

8. Maintaining Records of Processing Activities (ROPA)

Article 30 of GDPR requires businesses to maintain records of their processing activities. These records should include:

  • The identity and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO.
  • The purposes of the processing.
  • A description of the categories of data subjects and of the personal data.
  • The categories of recipients to whom the personal data have been or will be disclosed.
  • Where applicable, details of transfers of personal data to a third country or an international organisation.
  • Where possible, the envisaged time limits for erasure of the different categories of personal data.
  • Where possible, a general description of the technical and organisational security measures.

These records are a direct manifestation of your accountability and are crucial for demonstrating compliance to the ICO. Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to individuals, and involves no special category or criminal offence data; in practice most businesses will need some form of ROPA for at least part of their processing.

GDPR Impact: A Comparative View

The impact of GDPR can be significant, affecting various aspects of your business operations:

For each area of business, the generalised pre-GDPR approach is contrasted with the approach GDPR now mandates.

Consent
  • Pre-GDPR: Often implied, pre-ticked boxes common, vague wording.
  • Post-GDPR: Explicit, freely given, specific, informed, unambiguous. Easy withdrawal.

Privacy notices
  • Pre-GDPR: Brief, legalistic, sometimes hard to find.
  • Post-GDPR: Transparent, clear, concise, easily accessible, detailing purpose, lawful basis, and rights.

Data storage
  • Pre-GDPR: Indefinite retention, less emphasis on security unless the data was critical.
  • Post-GDPR: Defined retention periods, secure storage, data minimisation.

Data breaches
  • Pre-GDPR: Notification often discretionary or based on older laws.
  • Post-GDPR: Mandatory notification to the ICO (72 hours) and to individuals for high-risk breaches.

Data subject rights
  • Pre-GDPR: Responses varied, often slow, less formal processes.
  • Post-GDPR: Formalised processes, strict time limits (1 month), clear procedures for access, rectification, erasure, and the other rights.

Data protection by design
  • Pre-GDPR: Often an afterthought, implemented late in development.
  • Post-GDPR: Integrated from the outset of any project or system.

Frequently Asked Questions

Q1: Do all UK businesses need to appoint a Data Protection Officer (DPO)?

A1: No, not all businesses are legally required to appoint a DPO. It is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data. However, having someone responsible for data protection oversight is highly recommended for demonstrating accountability.

Q2: What is considered 'personal data' under GDPR?

A2: Personal data is any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also less obvious ones like location data, IP addresses, cookie identifiers, and even opinions or assessments about an individual.

Q3: How long do I have to respond to a Subject Access Request (SAR)?

A3: You must respond without undue delay and at the latest within one month of receipt of the request. This period can be extended by a further two months if the request is complex or if you have received a number of requests from the same individual.

Q4: What are the penalties for non-compliance with GDPR?

A4: Penalties can be severe. There are two tiers of fines. Under the EU GDPR the higher tier, for infringements such as breaching the core principles or data subject rights, is up to €20 million or 4% of annual worldwide turnover, whichever is higher; the UK GDPR sets the equivalent at £17.5 million or 4%. The lower tier, for infringements such as failing to keep records or to notify breaches, is up to €10 million (£8.7 million) or 2%. Reputational damage is also a significant consequence.

Conclusion

GDPR's emphasis on accountability is not just a legal requirement; it's an opportunity for businesses to build trust with their customers and stakeholders. By understanding and implementing the principles of data protection by design and by default, maintaining transparent practices, and being prepared to demonstrate compliance, UK businesses can navigate the GDPR landscape effectively. It requires a cultural shift towards a privacy-first mindset, ensuring that personal data is treated with the respect and security it deserves. Embracing GDPR is not just about avoiding penalties; it's about fostering a more responsible and trustworthy business environment.
