Understanding GDPR and the UK’s Data Protection Rules

We deal with data every day, but the simple task of processing data carries risk.
The UK General Data Protection Regulation (UK GDPR) is the EU GDPR as retained in UK law after Brexit; it sits alongside the Data Protection Act 2018, which supplements it. Together they require all businesses and individuals to protect the personal data they process. In short, we must process data lawfully, fairly, accurately and transparently.
Most data controllers must pay the data protection fee to the Information Commissioner’s Office (ICO) and appear on its register; a limited set of exemptions applies.

The Lawful Bases for Processing Data (Article 6)

Prior to processing personal data you should ensure that you have a valid lawful basis for doing so.
There are six lawful bases for processing personal data. Apart from consent, each requires that the processing is necessary for the stated purpose: if you could reasonably achieve the purpose without processing the data, that basis does not apply. If you can’t demonstrate a lawful basis you will likely be in breach of the UK GDPR.
The six lawful bases are:

  • Consent – This was often thought to be the silver bullet. However, consent is only valid if it is freely given, specific, informed and unambiguous, and given by a clear affirmative action. A pre-ticked box or an automated opt-in that the user never actively chose does not amount to valid consent, and processing that relies on it has no lawful basis. Consent must be fair and transparent, and as easy to withdraw as it was to give.
  • Contract – Where the processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one, this will likely be the most suitable lawful basis, as without the data you could not proceed with the transaction.
  • Legal obligation – This is the correct basis where the processing is necessary to comply with a legal obligation (other than a contractual one), for example a statutory reporting duty.
  • Vital interests – This is the correct basis where the processing is necessary to protect someone’s life, and will rarely apply outside emergencies.
  • Public task – This applies mainly to public authorities and other organisations carrying out tasks in the public interest or exercising official functions set out in law.
  • Legitimate interests – This is the basis to use where the processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the interests, rights and freedoms of the individual. You should record this balancing test (the ICO calls it a legitimate interests assessment). Further information can be obtained from the ICO website.

You should therefore review what the lawful basis is for processing any data prior to commencing with the processing, and also document this in a structured way. Drafting a clear and transparent privacy notice will also help your clients/customers understand why you require specific data.

An Individual

Personal data is any information relating to an identified or identifiable living individual. The individual may be identifiable directly from a single piece of data, e.g. a name, or indirectly from a combination of data held by you or reasonably available to you, e.g. date of birth, address, IP address, online identifiers or a customer reference number.

Processing obligations

The UK GDPR is based on seven key principles, which should be the foundations that you work towards when processing personal data:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Article 5

Article 5(1) sets out:

  • You must process data lawfully, fairly and in a transparent manner, which means having a valid lawful basis and telling individuals what you do with their data – Principle 5(1)(a)
  • You should collect data for “specified, explicit and legitimate purposes” and not further process it in a way incompatible with those purposes – Principle 5(1)(b)
  • You should only collect data that is needed, i.e. limit this to what is adequate, relevant and necessary to carry out the work – Principle 5(1)(c)
  • You must take all reasonable steps to ensure data is accurate. You should update this if appropriate and correct or erase any inaccuracies when they are noticed – Principle 5(1)(d)
  • The general rule of thumb is that you must not keep data in identifiable form for longer than necessary. You should ensure that your business has a carefully drafted policy which specifies retention periods, and that data is actually deleted when they expire, in order to comply with Principle 5(1)(e)
  • When processing data you must have appropriate technical and organisational security measures in place, including measures to prevent unauthorised or unlawful processing, accidental loss, damage or destruction. Examples would be encrypting data at rest and in transit, restricting access to those who need it, and keeping tested backups; a password alone is rarely sufficient – Principle 5(1)(f)

Article 5(2) further sets out:

  • “The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (accountability)”

Special Category Data – Article 9

Special category data includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical belief
  • Trade union membership
  • Genetic data, and biometric data where used to uniquely identify an individual
  • Health information
  • Sex life or sexual orientation

This data requires greater protection because of its sensitivity. You must therefore identify an Article 6 lawful basis as well as one of the specific conditions for processing under Article 9, and in many cases an additional condition under Schedule 1 of the Data Protection Act 2018.

Summary

Since leaving the EU the provisions of the EU GDPR have been retained in UK law, so in practice there is little change to the substance of the rules. However, many businesses continue to flout the law via direct marketing strategies which dupe clients into providing information.
The ICO remains the independent regulator and can issue enforcement notices and fines for breaches.