As you are no doubt aware, data protection changed considerably in 2018 with the introduction of the General Data Protection Regulation (GDPR). This placed new obligations on any business or individual that collects and processes personal data (i.e. any information that can identify an individual) and provided enhanced rights for individuals.
Whilst this came into force nearly 3 years ago, there are still many businesses which are not fully compliant and even a few that have taken no steps at all towards compliance.
Some of these businesses may now be thinking that, as this was an EU piece of legislation and we have finalised Brexit and are no longer part of the EU, they no longer need to comply with the GDPR.
This is definitely not the case. And you may want to read on if you wish to know more.
What Data Protection Legislation applies to me?
Firstly, the “EU GDPR”, being an EU Regulation, no longer applies to the processing of personal data in relation to UK residents as of 1st January 2021. What this means is that if you are not processing EU residents’ personal data, the EU GDPR is unlikely to apply to your processing.
However (and this is a big however), the GDPR has been incorporated into UK law, under the Data Protection Act 2018, as the “UK GDPR”, so the core principles, obligations and rights contained within the EU GDPR will be the same in practice, with minor differences.
To add another hurdle, if you are processing both EU and UK residents’ personal data then you will have to comply with both the EU and UK GDPR!
So, the extent to which the above legislation applies to you and your business will depend entirely on the data you collect and process.
You will also need to consider any suppliers / partners that you deal with that are based in the EU. Not only will these suppliers need to comply with the EU GDPR, but you will also need to ensure that you are compliant with the UK GDPR and ensure that there are sufficient safeguards between the parties to allow for the free flow of data. It all starts with the contractual documentation between both parties.
What should I be doing now?
Firstly, data protection compliance is not a task that you can complete once and then never worry about again. Compliance is a constant requirement to ensure that your processes and policies are consistently updated in line with the latest guidance and legislation.
You should be constantly assessing your current policies, processors and your own continual processing of personal data. This also includes understanding what personal data you are collecting, how you are collecting it and, most importantly, why you are collecting it.
Once you understand the data, you can then establish your lawful basis for processing this personal data – for example, under consent or legitimate interest. To make it crystal clear, to process personal data (whether under UK/EU GDPR) you must have a lawful basis for doing so and you need to know this prior to any data processing.
The individuals themselves will also need to know what data you are collecting, along with the how and the why. This would usually be contained in a privacy notice / policy that the individual should have access to. This policy needs to be very clear and transparent, so that individuals can understand it easily, and specific to you and your business. This is not a copy and paste job.
This is an information piece and not a complete guide to ensuring your compliance. Hopefully, however, it has helped to make clear that the GDPR, in one form or another, is here to stay and that if you process personal data it is quite simple – you need to comply.
You can find plenty of useful resources on compliance on the ICO’s website (www.ICO.org.uk), which is free to access. If you have any specific questions, or require assistance with your compliance, Hybrid Legal are experienced in such matters and are happy to help.
This blog is provided for general information purposes only. Nothing in this blog constitutes legal or other professional advice. The content of the blogs published on this website is current as of their original date of publication but should not be relied upon as accurate or suitable for any particular purpose. Professional legal advice should always be sought before relying on, or taking action relating to, the content of this article.