Brexit has brought about many challenges for UK businesses, including the incorporation of the EU's General Data Protection Regulation (GDPR) of 2018 into UK data protection law. Whatever the size of your organisation, GDPR impacts everything from how you build your customer database to the way you market your business – and non-compliance can result in a hefty fine.
What is GDPR?
The General Data Protection Regulation (GDPR) is a law that came into effect in the European Union on 25 May 2018. It governs how organisations process and use personal data, in order to give consumers greater protection.
GDPR is an evolution of existing data protection laws to reflect the way individuals and organisations now communicate and share personal information digitally – for example, on smartphones, via social media or email.
Under the GDPR, consumers now control:
- Who collects their data
- What information gets collected
- How companies use this information
- Whether any third parties get access to this information
Every organisation that handles personal data needs to be able to:
- Prove that consent was given to hold it
- Be able to show what the data is being used for
- Demonstrate how it is being protected
- Provide individuals with access and the ability to review, amend or challenge data processing practices
Does GDPR still apply after Brexit?
The GDPR has been added into UK data protection law as the 'UK GDPR', which came into force on 1 January 2021. The UK's post-Brexit version is largely the same as the EU regulation, so, in practice, there's little change to the data protection principles and obligations. In summary:
- The UK GDPR applies both to UK organisations that collect, store or process personal data of individuals residing in the UK and to non-UK organisations that offer goods or services to UK residents
- The EU GDPR applies both to EU organisations that collect, store or process personal data of individuals residing in the EU and to non-EU organisations that offer goods or services to EU residents
What counts as personal data?
Anything that allows a living person to be identified, either directly or indirectly, counts as personal data. This may be a name, a photo, an address, updates on social networking websites, location details, medical information, or a computer IP address. GDPR defines sensitive personal data as being in 'special categories' of information. These include racial information, religious beliefs, trade union membership, political opinions, and sexual orientation.
Information about companies or public authorities is not classed as personal data. However, there's no distinction between personal data about individuals in their private, public or work roles. Therefore, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable may count as personal data.
What are my business's main responsibilities under GDPR?
When you're running a business, GDPR impacts a range of activities – from the way your sales teams prospect to how marketing activities are managed. Key points include:
- Organisations must prove that consent was given if an individual objects to receiving a communication. This means that any data held must have a time-stamped audit trail that details what the contact opted into and how.
- Organisations must prove that the individual agreed to a certain action, such as receiving a newsletter. It's not allowed to assume or add a disclaimer or just provide an opt-out option.
- Applications and forms must be compliant with double opt-in rules and email marketing best practices. For example, to sign up for communication, prospects must fill out a form or tick a box and then confirm they did so in a further email.
- Business activities will likely need to be reviewed. For example, before GDPR, exchanging business cards at an event and adding contacts to a company's mailing list was allowed. Now, this is no longer legal.
- If you purchase marketing lists, you're still responsible for getting the proper consent information, even if an outsourced partner was responsible for collecting the data.
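The consent evidence described above (a time-stamped audit trail of what each contact opted into and how, with double opt-in confirmation) can be modelled as a small consent ledger. The code below is an added example, not from the original article; the `ConsentLedger` class, its method names and the sample email address are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

def _now() -> str:
    # ISO 8601 UTC timestamp; every audit entry carries one
    return datetime.now(timezone.utc).isoformat()

@dataclass
class ConsentRecord:
    email: str
    purpose: str                 # what the contact opted into, e.g. "newsletter"
    source: str                  # how they opted in, e.g. "signup_form_v3"
    token: str                   # random secret sent in the confirmation email
    confirmed_at: Optional[str] = None
    withdrawn_at: Optional[str] = None
    audit: list = field(default_factory=list)  # append-only (timestamp, event)

class ConsentLedger:
    """Hypothetical double opt-in ledger: consent only counts once confirmed."""
    def __init__(self):
        self.records = {}

    def request(self, email: str, purpose: str, source: str) -> str:
        # Step 1: form submission or ticked box; not yet valid consent
        rec = ConsentRecord(email, purpose, source, secrets.token_urlsafe(16))
        rec.audit.append((_now(), f"opt-in requested via {source}"))
        self.records[(email, purpose)] = rec
        return rec.token  # would be embedded in the confirmation email link

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        # Step 2: the contact follows the emailed link carrying the token
        rec = self.records.get((email, purpose))
        if rec is None or rec.confirmed_at is not None:
            return False
        if not secrets.compare_digest(rec.token, token):
            rec.audit.append((_now(), "confirmation failed: bad token"))
            return False
        rec.confirmed_at = _now()
        rec.audit.append((rec.confirmed_at, "opt-in confirmed by email link"))
        return True

    def withdraw(self, email: str, purpose: str) -> None:
        rec = self.records.get((email, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = _now()
            rec.audit.append((rec.withdrawn_at, "consent withdrawn"))

    def proof_of_consent(self, email: str, purpose: str) -> Optional[list]:
        # Returns the audit trail only while consent is confirmed and not withdrawn
        rec = self.records.get((email, purpose))
        if rec is None or rec.confirmed_at is None or rec.withdrawn_at is not None:
            return None
        return list(rec.audit)
```

An unconfirmed form submission, a wrong token, or a withdrawal all leave `proof_of_consent` returning `None`, which is the state in which the contact must not be mailed.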
If you're a UK organisation that operates in Europe and is therefore bound by the EU GDPR, you may also need to:
- Appoint an EU representative
- Identify a lead supervisory authority in the EU (an independent public authority in each EU member state, tasked with protecting cross-border processing of personal data)
- Update any contracts relating to EU-UK data transfers
- Update your policies, procedures and other documentation
Cookies (data that enables a website to remember visitors and their actions to identify browsing trends) can sometimes identify an individual. This means they are counted as personal data. GDPR makes it mandatory for businesses to be transparent about cookies and what data they track. Your cookie or privacy notice should therefore set out:
- Exactly how you manage and collect your users' personal data
- The reasons you collect data
- An explanation of what cookies are used and what data is collected by them
- What happens to the data, and if it's shared with anyone
- How long you keep personal data
- How users can change cookie settings or revoke consent
Making sure you're complying with the GDPR rules should be at the core of your digital marketing strategy.
What are the consequences of breaking GDPR rules?
Data breaches are taken very seriously. Infringements of the EU GDPR can result in fines of up to €20 million (about £18 million) or 4% of annual global turnover – whichever is greater. That's why your business must be – and remain – GDPR compliant.
Can my business be exempt from GDPR compliance?
The GDPR and UK GDPR apply to all organisations that process personal data – from small businesses to multinationals. So, if you collect data from, market to, or serve customers located in the EU, you must comply with GDPR.
The only way to be exempt from GDPR is if you:
- Actively discourage the processing of data from EU data subjects (you block your site in the EU)
- Process personal data of EU citizens outside the EU as long as you don't directly target EU data subjects or monitor their online behaviour for marketing purposes
The only distinction the law makes is for businesses with fewer than 250 employees. If this is you, your company must still comply with the GDPR, but you don't need to keep a written record of your data processing. However, there are exceptions. You'll still need to record any activities that:
- You complete on a semi-regular basis (i.e. if it's more than a one-off occurrence or something you do rarely)
- Are likely to result in a risk to the rights and freedoms of data subjects by revealing sensitive personal data
- Involve special categories of criminal conviction and offence data
GDPR compliance checklist
GDPR compliance is not a one-off activity but a continual process. To avoid the risk of being slapped with a hefty fine, your organisation must adopt appropriate procedures and keep documentation that proves you're following the GDPR rules. As a guide, here's what to cover:
1. Scope and plan your GDPR compliance project – appoint and train a project manager and a data protection officer if required.
2. Conduct a data inventory and data flow audit to fully understand what data you process and how you process it.
3. Undertake a comprehensive risk assessment to identify risks, analyse and evaluate those risks and set out ways to control them.
4. Conduct a detailed gap analysis to assess your current workflows, processes and procedures to identify any compliance gaps that need addressing.
5. Develop operational policies, procedures and processes that bring existing ones into line with the GDPR's requirements.
6. Secure personal data through encryption and cybersecurity controls, and put in place procedures to detect, report and investigate personal data breaches.
7. Ensure everyone involved in processing data is appropriately trained to follow approved procedures.
8. Monitor compliance by undertaking regular internal audits and regularly updating your processes, checking your records and testing security controls.