Updated 22 March 2022
Brexit has brought about many challenges for UK businesses, including the incorporation of the EU's General Data Protection Regulation (GDPR) into UK data protection law. Whatever the size of your organisation, GDPR impacts everything from how you build your customer database to the way you market your business – and non-compliance can result in a hefty fine.
The General Data Protection Regulation (GDPR) is an EU law that has applied across the European Union since 25 May 2018. It governs how organisations collect, process and use personal data, with the aim of giving individuals greater protection and control.
GDPR is an evolution of existing data protection laws to reflect the way individuals and organisations now communicate and share personal information digitally – for example, on smartphones, via social media or email.
Under the GDPR, consumers now control:
Every organisation that handles personal data needs to be able to:
The GDPR has been incorporated into UK data protection law as the 'UK GDPR', which came into force on 1 January 2021 and sits alongside the Data Protection Act 2018. The UK's post-Brexit version largely mirrors the EU regulation, so, in practice, there is little change to the data protection principles and obligations. In summary:
Anything that allows a living person to be identified, either directly or indirectly, counts as personal data. This may be a name, a photo, an address, updates on social networking websites, location details, medical information, or a computer's IP address. GDPR treats certain kinds of sensitive personal data as 'special categories' of information, which attract stricter rules. These include racial or ethnic origin, religious beliefs, trade union membership, political opinions, health data, genetic and biometric data, and sexual orientation.
Information about companies or public authorities is not classed as personal data. However, there's no distinction between personal data about individuals in their private, public or work roles. Therefore, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable may count as personal data.
When you're running a business, GDPR impacts a range of activities – from the way your sales teams prospect to how marketing activities are managed. Key points include:
If you're a UK organisation that operates in Europe and is therefore bound by the EU GDPR, you may also need to:
Cookies (small pieces of data that enable a website to remember visitors and their actions, and to identify browsing trends) can sometimes identify an individual. Where they do, they count as personal data and GDPR applies to them. Businesses must therefore be transparent about which cookies they set and what data those cookies track. In the UK, the rules on storing cookies on a visitor's device also come from the Privacy and Electronic Communications Regulations (PECR), which apply alongside the UK GDPR.
Making sure you're complying with the GDPR rules should be at the core of your digital marketing strategy.
Data breaches are taken very seriously. Infringements of the EU GDPR can result in fines of up to €20 million (about £18 million) or 4% of annual global turnover – whichever is greater. The UK GDPR carries an equivalent maximum of £17.5 million or 4% of annual global turnover. That's why your business must be – and remain – GDPR compliant.
The GDPR and UK GDPR apply to all organisations that process personal data – from small businesses to multinationals. The EU GDPR also applies regardless of where your organisation is based, so if you collect data from, market to, or serve customers located in the EU, you must comply with it.
The only way to be exempt from GDPR is if you:
The only distinction the law makes is for organisations with fewer than 250 employees. If this is you, your company must still comply with the GDPR, but you are not required to keep a written record of all your processing activities. However, there are exceptions. You'll still need to record any activities that:
GDPR compliance is not a one-off activity but a continual process. To avoid the risk of a hefty fine, your organisation must adopt appropriate procedures and keep documentation that proves you're following the GDPR rules. As a guide, here's what to cover:
1. Scope and plan your GDPR compliance project – appoint and train a project manager and a data protection officer if required.
2. Conduct a data inventory and data flow audit to fully understand what data you process and how you process it.
3. Undertake a comprehensive risk assessment to identify risks, analyse and evaluate those risks and set out ways to control them.
4. Conduct a detailed gap analysis to assess your current workflows, processes and procedures to identify any compliance gaps that need addressing.
5. Develop operational policies, procedures and processes that bring existing ones into line with the GDPR's requirements.
6. Secure personal data through encryption and other appropriate security controls, and put in place procedures to detect, report and investigate personal data breaches.
7. Ensure everyone involved in processing data is appropriately trained to follow approved procedures.
8. Monitor compliance by undertaking regular internal audits and regularly updating your processes, checking your records and testing security controls.