Glossary
- The Data Protection Act and GDPR
- Who does the UK GDPR apply to?
- Does the GDPR still apply?
- Data Protection and the EU
- Does the UK GDPR Apply to My Business?
- What happens if the GDPR is breached?
- GDPR Checklist for UK small businesses
- What is a DPO and do I need one?
- How long should I retain data?
- How does the UK GDPR define ‘consent’?
- Fair processing notices
- Is your data ‘sensitive’?
- How is the GDPR law different from the DPA?
- Am I a data controller or a data processor?
- How can I check my suppliers are UK GDPR-compliant?
- UK GDPR consent – how do I get consent from my customers to use their data?
- What are the GDPR penalties?
- GDPR compliance checklist, helpful links, and resources
- Brexit
If you’re a small business, Data Protection compliance can be both a worry and a burden, but it doesn’t need to be. We have compiled this Data Protection pack to provide you with all the information required to ensure your company is compliant with UK law. Together with useful explanations, definitions and up to date information regarding Data Protection, this pack also contains a useful Terms and Conditions Document, a Data Protection Privacy Policy template and Data Protection Cookie Policy template, all of which have been designed to enable easy adaptation to suit your company specifically.
-
The Data Protection Act
The Data Protection Act 2018 sets out the framework for data protection law in the UK. It replaced the Data Protection Act 1998 and came into effect on 25th May 2018. It was subsequently amended on 1st January 2021 by regulations under the European Union (Withdrawal) Act 2018 to reflect the UK’s status outside the EU. The EU GDPR is an EU Regulation and as such NO LONGER APPLIES TO THE UK. If you operate inside the UK, your business MUST comply with the Data Protection Act 2018 (DPA 2018).
The requirements of EU GDPR have been integrated directly into UK law as the UK GDPR. The core Data Protection principles, rights and obligations remain practically unchanged.
The EU GDPR may still apply to you however, if you operate in the EEA, offer goods or services to individuals in the EEA, or monitor the behaviours of individuals in the EEA.
The DPA 2018 controls how your personal information is used by organisations, businesses or the government and is the UK’s implementation of the General Data Protection Regulation (GDPR).
UK GDPR currently applies to your processing of personal data. It applies if you are a UK-based business or organisation.
Now the UK has EU adequacy decisions, you can use this guide to assess the impact of legal changes in key areas:
- International data transfers
- EU representatives
- EU regulatory oversight of cross-border processing
- Minor updates to documentation and accountability measures
The DPA 2018 together with the UK GDPR contains three separate data protection regimes:
- Part 2 – sets out a general processing regime (the UK GDPR)
- Part 3 – sets out a separate regime for law enforcement authorities
- Part 4 – sets out a separate regime for the three intelligence services
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- Used fairly, lawfully, and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant, and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction, or damage
There is stronger legal protection for more sensitive information, such as:
- Race
- Ethnic background
- Political opinions
- Religious beliefs
- Trade union membership
- Genetics
- Biometrics (where used for identification)
- Health
- Sex life or orientation
There are separate safeguards for personal data relating to criminal convictions and offences.
Your Rights
Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:
- Be informed about how your data is being used
- Access personal data
- Have incorrect data updated
- Have data erased
- Stop or restrict the processing of your data
- Data portability (allowing you to get and reuse your data for different services)
- Object to how your data is processed in certain circumstances
You also have rights when an organization is using your personal data for:
- Automated decision-making processes (without human involvement)
- Profiling, for example, to predict your behavior or interests
At a glance
- Understanding whether you are processing personal data is critical to determining if the UK GDPR applies to your activities.
- Personal data is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number, or it could include other identifiers such as an IP address, a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
- If you cannot directly identify an individual from that information, you need to consider whether the individual is still identifiable. You should take into account:
  - The information you are processing
  - The means reasonably likely to be used by you or another person to identify that individual
- Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
- When considering whether information ‘relates to’ an individual, you need to take into account:
  - The content of the information
  - The purpose(s) for which you are processing it
  - The likely impact or effect of that processing on the individual
- The same information may be personal data for one controller’s purposes but not for another controller.
- Information that has had identifiers removed or replaced (pseudonymised data) is still personal data under UK GDPR.
- Truly anonymous information is not covered by UK GDPR.
- If information that appears to relate to a particular individual is inaccurate (i.e., factually incorrect or about a different person), it is still personal data, as it relates to that individual.
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from others.
- A name is the most common identifier, but whether it actually identifies someone depends on context.
- A combination of identifiers may be needed to identify an individual.
- The UK GDPR provides a non-exhaustive list of identifiers, including:
  - Name
  - Identification number
  - Location data
  - Online identifier (e.g., IP address, cookie identifier)
- Other factors can also identify an individual.
- If, by looking solely at the information you are processing, you can distinguish an individual, they are identified or identifiable.
- You don’t need to know someone’s name for them to be directly identifiable—a combination of other identifiers may be enough.
- If an individual is directly identifiable from the information, it may constitute personal data.
- It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
- Even if you may need additional information to be able to identify someone, they may still be identifiable.
- That additional information may be information you already hold, or it may be information that you need to obtain from another source.
- In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of UK GDPR. You must consider all the factors at stake.
- When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
- You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
- Information must ‘relate to’ the identifiable individual to be personal data.
- This means it does more than simply identifying them—it must concern the individual in some way.
- To decide whether or not data relates to an individual, consider:
  - The content of the data – is it directly about the individual or their activities?
  - The purpose for processing the data
  - The results or effects on the individual from processing the data
- Data can reference an identifiable individual without being personal data if it does not actually relate to them.
- In some cases, it may be difficult to determine whether data is personal data. As good practice:
  - Treat the information with care
  - Ensure you have a clear reason for processing it
  - Store and dispose of it securely
- Inaccurate information may still be personal data if it relates to an identifiable individual.
- It is possible that although data does not relate to an identifiable individual for one controller, in the hands of another controller it does.
- This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.
- However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.
- It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.
- You should take care when you make an analysis of this nature.
Relevant provisions in the UK GDPR – See Articles 2, 4, 9, 10 and Recitals 1, 2, 26, 51
In more detail – Please also see: ICO published guidance on determining what is personal data.
-
Who does the UK GDPR apply to?
- The UK GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the UK GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the UK GDPR places further obligations on you to ensure your contracts with processors comply with the UK GDPR.
- The UK GDPR applies to processing carried out by organisations operating within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK.
- The UK GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal/household activities.
-
Does the GDPR still apply?
The EU GDPR is an EU Regulation, and it no longer applies to the UK.
GDPR is however retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018).
The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
- Offering goods or services to individuals in the UK; or
- Monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA.
The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.
This guidance covers the key issues you need to consider regarding cross-border processing.
Otherwise, you should continue to follow the existing guidance on your general data protection obligations.
The UK General Data Protection Regulation (GDPR) is a UK law which came into effect on 1st January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies. GDPR was built primarily around two key principles:
- Giving citizens and residents more control of their personal data
- Simplifying regulations for international businesses with a unifying regulation.
UK GDPR is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context.
You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations.
If you hold any overseas data collected before 01 January 2021 (referred to as ‘legacy data’), this will be subject to the EU GDPR as it stood on 31 December 2020 (known as ‘frozen GDPR’). In the short term, there are no significant changes between the frozen GDPR and the UK GDPR.
Aside from the law, responsible data handling is a basic principle of good business upkeep.
Becoming GDPR compliant can also add real value to your business. No one likes having their data lost, stolen, damaged, misused, or shared without consent. By proving to new and existing customers that your organisation is fully compliant with new legislation which protects the rights of customers and citizens just like you, your business will gain the trust of clients whilst attracting more business.
-
Data Protection and the EU
On 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before, in the majority of circumstances.
Both decisions are expected to last until 27 June 2025.
The General Data Protection Regulation has been kept in UK law as the UK GDPR.
This guidance is aimed at UK businesses who receive data from or have offices in the EU and European Economic Area (EEA). It gives a basic overview of the changes to data protection since the UK left the EU and now has an approved adequacy decision.
‘Adequacy’ is a term the EU uses to describe countries, territories, sectors, or organisations it deems to have an “essentially equivalent” level of data protection to the EU.
The EU Commission have adopted adequacy decisions for the UK GDPR and the Law Enforcement Directive. This means data can continue to flow freely from the EU to the UK, in most cases.
Data transferred from the EU to the UK for the purposes of UK immigration control is not included in the adequacy decision. Neither is data that would fall within the scope of the immigration exemption in the Data Protection Act (DPA) 2018.
If you receive EU GDPR data that falls within the scope of the DPA 2018 immigration exemption you should read the ICO’s detailed guidance.
What do I need to do now the UK has adequacy?
The EU adequacy decisions apply to the whole of the UK, including Northern Ireland.
If your UK business or organisation receives personal data from the EU or EEA it can continue to flow as before, and you do not need to take further action unless the data falls within the scope of the DPA 2018 immigration exemption.
If you are a UK business or organisation with an office, branch, or other established presence in the EEA, or if you have customers in the EEA, you need to comply with both UK and EU data protection regulations. You may also need to designate a representative in the EEA.
What if we lose adequacy?
The EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an “essentially equivalent” level of data protection.
The Commission can amend, suspend, or repeal the decisions if issues cannot be resolved.
EU data subjects or an EU data protection authority can also challenge the decisions. The Court of Justice of the European Union would then decide whether the UK provides “essentially equivalent” protection.
In the absence of an EU GDPR adequacy decision, the ‘Frozen GDPR’ would apply to personal data that:
- Was processed in the UK under the EU GDPR before 01 January 2021; or
- Is being processed in the UK based on the Withdrawal Agreement (for example, in order to comply with legal obligations under the Withdrawal Agreement).
If the ‘Frozen GDPR’ applies, you may need to identify any personal data about individuals located outside the UK collected before the end of 2020.
If applicable, you may also need to identify any new non-UK personal data you process to comply with the provisions of the Withdrawal Agreement.
The ICO remains the independent supervisory body regarding the UK’s data protection legislation.
The ICO will not be the regulator for any European-specific activities caught by the EU GDPR, although they hope to continue working closely with European supervisory authorities.
Transfers of data from the UK to the EU and Gibraltar can also continue based on UK adequacy regulations.
-
Does the UK GDPR Apply to My Business?
The UK GDPR applies to you if your business is based in the UK or processes the personal data of UK residents, and the following applies:
You collect, store or process personal data in any format. For example:
- CCTV
- Website cookies
- Emails
- Payment information
- Delivery details
- Employee personal data
- Collection, storage and processing of personal data on behalf of another company
- IP addresses (the unique string of numbers that identifies every Internet-connected computer); the regulation has now clarified that even an IP address counts as personal data.
Businesses whose activities involve ‘regular or systematic’ monitoring of data subjects on a large scale (in other words processing extensive personal information), or which involve processing large volumes of ‘special category data’ must employ a Data Protection Officer (DPO).
Their role will be to ensure the company complies with the obligations under the UK GDPR. They’ll also be the direct contact for any data protection queries.
GDPR applies to any business that processes the personal data of EU citizens, including those with fewer than 250 employees (contrary to a common misunderstanding).
-
What happens if the GDPR is breached?
Serious breaches (that is, any breach which has an impact on the rights of data subjects) must be reported to the regulator (in the UK this is the Information Commissioner’s Office (ICO)) within 24 – 72 hours. The report must include information regarding what led to the breach, how it is being contained and the planned next steps.
Individuals will have more rights on how businesses use their data. In some instances, they have the ‘right to be forgotten’ if they no longer want you to process their personal data and you have no other legal grounds (for example the individual is no longer a customer so your contract with them no longer gives you a legal right) to keep the data.
Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines: a maximum fine of £17.5 million or 4 per cent of annual global turnover – whichever is greater – for infringement of any of the data protection principles or rights of individuals.
-
GDPR checklist for UK small businesses:
Your checklist must include:
- Past and present employees
- Suppliers
- Customers
- Anyone else’s data you’re processing which includes collecting, recording, storing and using the personal data in any way.
Concentrate on your lists. Does your business hold HR records, customer lists and contact detail records, for example? Most do.
This is confirmed by ico.org.uk, which states: “You can assume that if you hold information that falls within the scope of the DPA (Data Protection Act), it will also fall within the scope of the GDPR”.
- We have checked whether we are a competent authority as defined by Schedule 7 of the DPA 2018.
- We have checked that the recipient is a relevant authority.
- We have confirmed whether the data was received from another competent authority.
- The transfer is necessary for one of the law enforcement purposes.
- The transfer is covered by adequacy regulations.
- If not, we are satisfied that the data will be subject to appropriate safeguards once transferred, and have notified the ICO about the categories of transfer we make on this basis.
- If not, we have identified special circumstances which still require the data to be transferred.
- We have taken steps to ensure that the data will not be further transferred elsewhere, and we have ensured that appropriate safeguards and conditions for any such onward transfer are in place, including limits on the extent of these transfers.
- If the transfer is to a recipient who is not a relevant authority, we have checked it meets the additional conditions, and we have notified the ICO.
- We have documented the transfer.
Manual vs. auto-filing
Whether you are keeping a spreadsheet of customer contact details or an automated digital capture system, the GDPR will apply.
Diligence
It is important that, as a company, you understand the different types of personal data your business may process (for example name, address, email, bank details, photos and IP addresses) and any sensitive (special category) data you may hold, such as health details or religious views, as well as where that data is coming from, where it is going and how you are using it.
Identify whether you’re relying on consent to process personal data. If you are (for example, as part of your marketing), these activities are more difficult under the UK GDPR because the consent needs to be clear, specific and explicit. For this reason, you should avoid relying on consent unless necessary.
Scrutinise your security measures and policies and ensure they are up to date so that you remain compliant. If you don’t currently have any, ensure you get them in place immediately. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.
Prepare to meet access requests within a one-month timeframe. Subject Access Rights are changing, and under the UK GDPR, citizens have the right to access all of their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all of their personal data that you may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.
Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags, ensuring any breach is reported within 72 hours. Furthermore, all employees should be trained to understand that mistakes need to be reported to the company DPO or the team responsible for data protection compliance, as human error is the most common cause of a data breach.
To avoid breaching the UK GDPR and incurring consequential penalties it’s important to conduct due diligence on your supply chain. As well as ensuring all suppliers and contractors are GDPR-compliant, it’s also important to ensure you have the correct contract terms in place with third parties (which put important obligations onto the suppliers and the like, for instance the necessity to notify you immediately if they have a data breach). See ‘How can I check my suppliers are UK GDPR-compliant?’ further down the page.
You must create fair processing notices: under the UK GDPR you are required to describe to individuals what you will be doing with their personal data (see ‘Fair processing notices’ below for more information).
-
What is a DPO and do I need one?
A DPO is a Data Protection Officer. Whilst most small businesses will be exempt from requiring a DPO, it’s important you understand whether you require one. If your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale or involve processing large volumes of ‘special category data’, then it is imperative that you employ a Data Protection Officer (DPO).
The UK GDPR doesn’t yet fully define what constitutes ‘large-scale’ data processing, but some examples include the processing of patient data by hospitals, travel data and transport services, and customer data by an insurance company or bank.
-
How long should I retain data?
One of the fundamental principles of GDPR is that it requires companies not to hold on to personal data for longer than necessary and not to process said data for purposes that the individual is not aware of.
Identifying your data categories, i.e. what personal data you have and why, can really help you to ensure that you’re compliant with the GDPR.
The guideline period for most types of UK GDPR retention policy is six years after the end of the current tax year according to HMRC. This does not apply to every situation, as businesses may keep hold of data for many different reasons – each requiring different lengths of time.
-
How does the UK GDPR define ‘consent’?
Clear ‘consent’ must be given, whether it be from individuals, companies or clients. Requests for consent must be well defined and evident: consent cannot be hidden in small text or presented as a pre-ticked box, and it must be presented separately from other policies or communications on your website.
Consent may not be required for pre-existing personal data, if you have a legal basis that’s compliant with the current legislation (the DPA). However, the principle here is that inactivity is no longer a legitimate way to confirm consent. This works both ways, as a consumer with personal data rights of your own this applies to you too!
-
Fair processing notices
A fair processing notice is about giving people clear information about what you’re doing with their personal data. Your fair processing notice should describe:
- Why you’re processing their personal data (the purpose), including the legal basis you have, such as consent (check the ICO’s privacy notices page for more information)
- The categories of recipients you may be sending the personal data to (customer, employee, supplier, etc)
- How long you’ll be holding onto the data (the ‘retention period’), or the criteria used to determine these time periods
You’ll also need to notify individuals of the existence of their personal data rights.
-
Is your data ‘sensitive’?
The UK GDPR defines ‘special categories of personal data’ and this includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. They also cover genetic data, biometric data, data concerning health and data concerning a person’s sex life or sexual orientation. Generally, you’ll need explicit consent from individuals whose special category personal data you want to process, although Article 9 sets out several exceptions to this rule.
-
How is the UK GDPR law different from the DPA?
There are similarities between the UK GDPR and the current Data Protection Act (DPA). However, crucial developments and rulings within the UK GDPR mean you’ll need to get clear on the new legislation, whether you’re up to date with the DPA or not.
The UK GDPR changes your accountability. One thing that really sets the UK GDPR apart is the changes made to the ‘accountability’ of data processors. This is a change from under the DPA, which placed more responsibility on the data controller (note, it’s still worth brushing up on your DPA compliance, as lots of its basic principles are pretty much repeated in the UK GDPR). These are basic principles you’ll need to think about. Whether you’re a controller or processor; both parties are required to make changes in order to comply with UK GDPR. At this stage, the key thing is to think about the personal data your small business collects, holds, uses, and shares, and how confident you are that the new principles hold true.
-
Am I a data controller or a data processor?
The UK GDPR applies to data ‘controllers’ and ‘processors’. In general, processing is defined as any operation performed on personal data, such as storing, collecting, recording, organising, sharing, erasing, consulting, etc. A controller is a data processor too, but they will also decide the purpose of the data processing activities.
For example, if you’re a small business offering a plumbing service and your customer details are managed using a contacts management app on your phone, hosted by a third party, this would generally make you the controller and the third party the processor. If on the other hand, you manage all of your data on a spreadsheet you’ve built yourself, you’re both controller and processor.
If you’re a data processor:
For processors, the UK GDPR carries a specific set of legal obligations, some of which require you to:
- Keep up-to-date personal data records and details of your processing activities and categories, including details of your ‘data subject categories’ (customers, employees, suppliers, etc), the categories of processing carried out (transferring, hosting, altering, receiving, disclosing, etc).
- Keep details of any transfers to countries outside the UK.
- Implement appropriate security measures, which may include pseudonymisation and encryption, and prove you’re regularly testing these measures.
- Be ready with a general description of the technical and organisational security measures you keep in place.
- If responsible for a breach, you’ll have more legal liability than under the DPA. If a data subject, maybe one of your customers, has suffered as a result of a data breach, they could make a claim against the data processor directly.
As a data processor, the severity of any penalty will reflect how serious the consequences are of your failure to comply with the obligations placed on you by the UK GDPR or to follow the instructions of your data controller. These obligations include ensuring you have sufficient security measures in place, and you’ll suffer further penalties (see ‘What are the GDPR penalties?’ further down) if you fail to report a breach within the given time frame (a maximum of 72 hours).
As well as this, if you’re a data processor and have paid compensation that the controller is partly or fully responsible for, you may be entitled to claim back the relevant damages from the controller themselves if you have a contract in place that states this. This area of claims is where cyber or professional indemnity insurance can come in handy, although you’ll always need to match the policy to your activities.
If you’re a controller:
All controllers are by nature also processors and therefore subject to the same basic requirements. As a controller, the UK GDPR places obligations on you and your business to ensure any contracts you have with processors are compliant. As per the section for processors above, it may be worth checking that their security measures and processes are UK GDPR-compliant before signing or renewing any contract.
-
How can I check my suppliers are UK GDPR-compliant?
Working with UK GDPR-compliant suppliers and contractors will reduce the risk of being impacted by a data breach and any consequent fines and claims.
You could ask suppliers and contractors to complete a form that confirms the security measures they have in place, or you could conduct an on-site visit. If their existing measures are not enough, you should review your relationship to ensure they are compliant with UK GDPR.
Where your suppliers (as processors) are processing personal data on your behalf (as a controller), you have an obligation to update your contracts with them to include a number of mandatory clauses that can be found in Article 28(3) of the UK GDPR. These ensure that processors are contractually obliged to provide GDPR-compliant data protection standards.
-
UK GDPR consent – how do I get consent from my customers to use their data?
Consent is a key concern tackled by the UK GDPR and the ICO has a dedicated page on its website covering consent.
UK GDPR consent checklist and basic principles:
- Check your consent practices and existing records. Refresh where necessary.
- Offer individuals genuine choice and control.
- Where using an opt-in, don’t rely on pre-ticked boxes or default options.
- Explicit consent means a very clear, specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific, granular, clear, and concise.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent (and tell them how).
- Keep evidence of the consent (who, when, how, and what you’ve told people).
- Avoid making consent a precondition of your business services.
- Consent should put individuals in control, build trust and engagement, and enhance your reputation.
-
What are the UK GDPR penalties?
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.
The UK GDPR penalties are far more severe than existing penalties under the DPA. Existing DPA penalties include:
- Maximum fines of £500,000
- Prosecutions, including prison sentences for deliberate breaches
- Obligatory undertakings, where your company must commit to specific action to improve compliance
New UK GDPR penalties are much tougher; businesses in breach are liable to a dramatic increase in fines as below:
- Penalties reaching an upper limit of GBP 17.5 million or four per cent of annual global turnover, whichever is higher.
- Insolvency will be a real risk for non-compliant businesses as a result of these fines.
- Individuals can also sue you if they suffer as a result of your data management. This could be for material damage or non-material suffering, such as distress.
-
GDPR compliance checklist, helpful links and resources
The website below and the checklist above are great resources for small businesses looking to step in line with the GDPR:
ICO resource centre (small organisations and the GDPR)
Further overview information is provided via the website links below:
-
Brexit
How has Brexit affected international data transfers?
The UK has been reclassified as a ‘third country’ now that it is no longer an EU member state.
Under the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:
- If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
- If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
- Based on approved codes of conduct, such as the EU-US Privacy Shield.
- Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative under Article 27 of the EU GDPR.
The UK GDPR primarily applies to controllers and processors located in the United Kingdom, with some exceptions.
People risk losing the protection of the UK data protection laws if their personal data is transferred outside the UK.
On that basis, the UK GDPR contains rules about transfers of personal data to receivers located outside the UK. People’s rights about their personal data must be protected or one of a limited number of exceptions must apply.
The transfer rules apply where the receiver is a separate controller or processor and legally distinct from the sender. The receiver can be a separate sole trader, partnership, company, public authority or other organisation, and includes separate companies in the same group.
The transfer rules do not apply where the receiver is an employee of the sender, or the sender and receiver are part of the same legal entity, such as a company.
We refer to a transfer of personal data to these receivers located outside the UK as a ‘restricted transfer’.
For further information, please go to:
-
Adequacy decisions
You may make a restricted transfer if the receiver is located in a third country or territory, or is an international organisation, or in a particular sector in a country or territory, covered by UK ‘adequacy regulations’.
UK adequacy regulations set out in law that the legal framework in that country, territory, or international organisation, or in a particular sector in a country or territory, has been assessed as providing ‘adequate’ protection for people’s rights and freedoms about their personal data.
What countries or territories are covered by adequacy regulations?
The UK has adequacy regulations about the following countries and territories:
- The European Economic Area (EEA) countries; these are the EU member states and the EFTA states.
  - The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
  - The EFTA states are Iceland, Norway and Liechtenstein.
- EU or EEA institutions, bodies, offices or agencies;
- Gibraltar;
- The Republic of Korea; and
- Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020).
These include a full finding of adequacy about the following countries and territories:
- Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay.
In addition, the partial findings of adequacy about:
- Canada – Only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. Please read the guidance on the scope of PIPEDA from the Office of the Privacy Commissioner of Canada for further information.
- Japan – Only covers personal data transferred to private sector organisations subject to Japan’s Act on the Protection of Personal Information. This does not include transfers of the types listed in the EU’s adequacy decision for Japan.
- The United States of America – Only covers data which is transferred under the UK Extension to the EU-US Data Privacy Framework. You can find more information about the UK Extension, including a factsheet for UK organisations, on gov.uk and on the US Department of Commerce’s Data Privacy Framework Program website.
In August 2021, the UK Government announced that it is working in partnership with a number of priority destinations which may be the subject of adequacy regulations in the future, including Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya and Singapore.
-
Potential penalties for non-compliance
Violations of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines up to €20 million or 4% of annual global turnover – whichever is greater.
Organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.
*External information sourced from ICO updates, September 2024.