09 July 2019

The increase in online availability has changed how we receive personal data.

An individual just visiting your website can provide you with a lot of information. And you're responsible for keeping that data safe.

EU member states understandably promote the importance of data protection through the General Data Protection Regulation (GDPR). When it comes to handling personal information, all businesses need to comply with GDPR. Failure to do so can lead to significant fines for your business.

In this guide we’ll explain what GDPR is, who is subject to compliance, and how to manage the rules in your business.

What is GDPR?

General data protection regulation (GDPR) is legislation which outlines data privacy laws within the European Union (EU).

GDPR ensures companies who collect sensitive personal data do so in the most responsible and legal way. The regulations protect data that is, ‘necessary in relation to the purposes for which they are processed’.

These regulations have been approved by the European Parliament and came into play in May 2018. Despite the UK not being members anymore, they still must comply with data privacy laws.

(General data protection regulation (GDPR) is legislation which outlines data privacy laws).

What data does GDPR protect?

There are several examples of personal data which are protected under GDPR. This includes data relating to, ‘the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.

Some of the most common data includes:

  • Identification numbers.
  • Location information.
  • Biometric data.
  • Racial, ethnic, religious beliefs, or political information.
  • Union membership.

Who is subject to GDPR obligations?

Every business that collects information on UK or EU citizens is subject to GDPR and public authority compliance.

The GDPR laws outline three personal data factors to consider:

  1. Data subjects: This is the owner of the personal data.
  2. Data controllers: This is the individual or business who decides what information will be collected and how.
  3. Data processors: This is the individual or business who processes personal data for the controller.

What are GDPR principles?

Legal obligation regarding GDPR revolves around seven basic principles. These include:

  1. Fairness and transparency: The data subjects must be told how their personal data will be used.
  2. Purpose limitation: Personal data is only collected for specific or vital interests.
  3. Data minimisation: The amount of information that's collected must be limited to what is needed for data processing.
  4. Processing accuracy: Businesses collecting information must be sure data flows are accurate and updated. And that individuals are given the option of changing or deleting what they provide.
  5. Storage limitation: Any collected data must not be kept for longer than needed.
  6. Integrity and confidentiality: All appropriate steps must be followed to secure personal data. These steps must include methods to protect sensitive information from theft or unauthorised use.
  7. Legal compliance: The data processor and systems must ensure compliance with GDPR.

In these cases, companies also have a right to refuse data protection requests, but only if they can provide a legally valid reason.

(There are seven basic principles which revolve around GDPR).

UK laws on general data protection regulation

There are specific legal rules which outline general data protection regulation in the UK.

The main law on GDPR is the Data Protection Act. Under the act, companies need to follow legally correct means when collecting or using personal data.

Under data protection principles, there are specific rights which all data subjects have. For example, GDPR's implementation allows the:

  • Right to opt-out: They can ask for their information to be deleted from any company’s database.
  • Right of access: They can review their own data collected by companies.
  • Right to object: They can reject any request for unlawful processing of personal data.
  • Right to rectification: They can ask for information to be changed and amended. ● Right to portability: They can ask for access to their own data and transfer it.

What are employer rights' regarding GDPR?

Under UK laws, businesses are not allowed to process any individual’s personal identifiable information (PII) without consent. However, there are particular situations where the rights of employers and other organisations come first. For example:

  • When express consent is needed from the data subject.
  • When current or future contracts are being drafted.
  • When compliance is needed for a legal basis.
  • When you need to protect the interests of the data subject. .
  • Where supervisory authorities must be considered.
  • For specific legitimate interests (except when it neglects public interest, rights, or freedoms of the data subject).

What about GDPR and third-party data?

There are several things to consider when sharing personal data with third-parties or international organisations.

This can only be done if:

  1. The data controller has permission from the data subject to share their personal data with other parties or international organisations.
  2. The personal data was collected from a source other than the data subject. (Here, the data controller must provide origin details to data subjects).

As mentioned, the UK is not considered as an EU country or member states anymore. However, despite leaving, they still acknowledged the new GDPR legislations and updated the data protection act. The new law states what UK businesses must do when ensuring compliance with GDPR as non-member states.

(Despite leaving the EU, the UK still considers data protection rules).

What are the consequences of breaching GDPR rules?

The penalties of data breaches can be detrimental for some businesses.

The outcome of a GDPR violation is based on the severity and length of the breach, as well as how many people are affected by it.

When an individual suffers from a data breach, the data controller must notify supervisory authorities within 72 hours without delay. They must also contact the person or parties involved in the information security breach.

Breach notifications must include details on what happened, who’s involved, and which information systems need reviewing. After evaluation, data controllers must outline the current or potential consequences of the breach. And state which public authorities need to be contacted.

Other things which are considered include:

  • Whether the GDPR breach was caused by negligence or with intent.
  • Whether the company failed to process data appropriately. (This can lead to GDPR fines of up to 20 million euros or 2% of annual revenues).
  • Whether the company failed to adhere to supervisory authority guidelines. (This can lead to fines of up to 20 million euros and 4% of total revenue).

How to manage GDPR in the workplace

When it comes to data protection, having sufficient management is so important. Without it, you could end up facing detrimental impacts to your business.

Here are some methods to follow when managing GDPR compliance in the workplace:

  • Conduct GDPR pre-checks beforehand: Make sure all data subjects have consented to sharing their personal data. Only collect relevant information and avoid sharing it without permission. And ensure standard contractual clauses are lawful and agreed to.
  • Follow GDPR procedures efficiently: Make sure all individuals are fully aware of your GDPR procedures. This responsibility doesn't only fall to IT or HR department; everyone must be aware and adhere to strict rules.
  • Create your GDPR policy: These are guidelines which implement measures on how to use, store, and protect personal data.
  • Conduct data protection impact assessments: This risk assessment is conducted to action regular and systematic monitoring. They allow you to determine how secure your data collection procedures are. And check the system for flaws which need to be fixed or escalated as a potential risk.
  • Appoint a data protection officer: A data protection officer (DPO) is in charge of data protection measures, legal compliance, and liaising with the official authority. Businesses on a large scale must have a data protection officer or team in place.

Get expert guidance on managing GDPR with Peninsula

These days, businesses gather information from numerous sources. That's why it can be difficult to manage personal data relating to staff or clients. But failing to do so can be disastrous for your business.

Peninsula offers expert guidance on managing general data protection regulation (GDPR) compliance. Our team offers 24/7 HR employment advice which is available 365 days a year. We also provide advice through multi-lingual support and fully trained counsellors who are ready to help with certain circumstances.

Want to find out more? Book a free chat with one of our HR consultants. For further information, call 0800 028 2420.

Suggested Resources