How can I comply with UK GDPR?

UK GDPR, or United Kingdom General Data Protection Regulation, came into effect on January 31, 2020. It sets out rules for how companies collect, use, and share personal data. This regulation is a British data law with the aim of protecting the privacy and right of individuals and ensure that their personal data is not misused or mishandled. UK GDPR was introduced as a part of the UK’s commitment to data protection standards after leaving the European Union. It essentially mirrors the European GDPR, with some specific provisions tailored for the UK’s legal and regulatory framework. Within United Kingdom, UK GDPR regulates data protection along with the Data Protection Act of 2018 and 2003’s Privacy and Electronic Communication Regulations (PECR).

UK GDPR applies to you if:

• You process personal data as a company established in the UK
• Your company processes the personal data of people in the UK

Therefore, if you do business in the UK or offer goods and services to people in the UK, make sure you are familiar with UK GDPR and how it affects your day-to-day activities.

UK GDPR is derived from the European GDPR, which it shares key principles with. Here is how you can comply with them:

1. Process data fairly and lawfully, and tell people what you do with their data and why.
2. Collect personal data only for specific, explicit and legitimate purposes.
3. Limit data you collect to only what is adequate, relevant and needed for your stated purposes.
4. Keep personal data accurate and up to date. Correct or erase inaccurate or incomplete data.
5. Do not keep personal data when you no longer need it for its original purpose.
6. Take measures to protect data from unauthorised access, loss, destruction or damage.
7. Be accountable and demonstrate your compliance with documentation.

According to UK GDPR, “sensitive personal data” refers to special categories of personal data. These special categories are similar to those outlined in the EU GDPR, and they include:

• Race or ethnicity
• Political opinions
• Religion
• Union
• Genetics
• Biometrics
• Health
• Sexual information

Additionally, there are specific safeguards required for data about criminal convictions and offences. If you want to collect any of the above data, you must show you have an exceptionally good reason. For instance, to protect public health, or to conduct important scientific research. Otherwise, you would need explicit consent from the person.

There are six lawful bases you can use to collect and process personal data.

1. To perform a task in the public interest or as part of an official function.
2. For your legitimate interests or for a third party’s interests.
3. To fulfil a contract you have with the data subject.
4. To comply with legal or regulatory obligations or to prevent or detect a crime.
5. In order to protect the vital interest of someone, usually to protect their life and safety.
6. When you get clear, informed consent to process someone’s personal data.

You must have at least one of these legal bases to collect personal data that can be used to identify someone. Remember to specify your legal basis and purposes for collecting personal data in your privacy policies.

Under DPA and UK GDPR consent should be:

• Freely given. Above all, give people a choice and full control over whether you get their personal data. Then, give them a chance to refuse consent or withdraw consent at any time without any negative consequences.
• Informed. Always let people know why you need their data and what you will do with it when asking for consent. Make this information clear, concise and easy to understand.
• Specific. Get specific consent for specific data processing purposes. To this end, separate consent forms from other terms and conditions.
• Unambiguous. Use clear affirmative action, such as unticked checkboxes to get consent. Do not use pre-ticked checkboxes.

Currently, in the UK, the age at which a child can give their consent for you to process their personal data is 13 years old. Therefore, if a child is under the age of 13, their parent or guardian must give consent on their behalf.

This is known as the “digital age of consent”. It is intended to protect children’s privacy while recognising that young people do use digital services. The GDPR, which applies in the UK, sets this age limit at 16 years old, but the UK government has chosen to lower the age limit to 13.

Meanwhile, it is important to note that the age limit only applies to the processing of personal data for online services. For example, social media, all types of mobile apps and webshops. Other types of processing, such as for medical treatment or legal proceedings, may have different age limits or requirements for parental consent.

If you are going to share or sell someone’s personal data, you must make this very clear to them in advance. You must specify with whom you will share the data, why, what is your legal basis for doing so, and how the person can opt-out. You should also be sure that anyone you share personal data with will protect it properly.

UK GDPR and the DPA require you to protect all the data you collect with technical, physical and organisational security controls, such as:

• Strong passwords
• Access controls
• Encryption and pseudonymisation, depending on the data’s risk level.
• Policies to guarantee confidentiality, integrity, availability of data; and upkeep of data storage systems.
• A plan and procedures to restore access to personal data quickly in case of a security incident.
• Regular testing, assessments and evaluations to make sure all these measures are effective.

Yes. UK GDPR includes a familiar series of rights to give people more control over their own data. Usually, when a person asks you to honor one of these rights you should respond within 1 month. In the UK, people have the right to make requests asking you to:

• Tell them about how you use their data.
• Give them access to their personal data.
• Update incorrect data about them.
• Forget them/erase their data.
• Restrict the way you process their data.
• Forward their data to a third party. (For example, when they want to change services.)
• Stop using their data altogether.
• Stop automated decision-making and profiling.

Here are some other administrative rules under UK GDPR:

• Record keeping. Maintain a record of all your data processing activities.
• Data breach reporting. Report data breaches within 72 hours.
• DPIAs. Certain types of data processing activities require a data protection impact assessment.
• Cross-border protections. Check if countries you send data to have adequacy decisions with the UK, or if organisations you share with guarantee adequate protections.
• DPOs. Appoint a DPO if you are a public authority, you conduct large-scale, regular and systematic monitoring (including tracking and profiling); or if your core activities include large-scale processing of special categories of data, or data related to criminal convictions and offences.

Overall, the principles, requirements, and even the wording of UK GDPR are very similar to EU’s GDPR. But here are a few key differences between EU’s GDPR and UK GDPR:

• A child can consent to data processing at age 13, while the GDPR sets it at 16 by default.
• Private companies can process data about criminal offences, in some cases.
• Automated decision-making is allowed with legitimate grounds and built-in protections.
• Exceptions to data subject rights for historical, scientific, statistical and archiving purposes.
• Additional lawful bases for processing sensitive personal data (with appropriate safeguards).
• Some exemptions when you process personal data for publication in the public interest.
• Prosecution or unlimited fines in some cases. For example, if you knowingly or recklessly obtain or disclose personal data without consent.