Complying with the UK GDPR
Data protection is an essential ingredient in modern business. Nearly all businesses will collect a certain amount of personal data about people, whether it relates to their employees, customers, business contacts, or others. Data protection law seeks to ensure that this data is handled properly, protecting individuals’ privacy.
The law governing data protection in the UK consists primarily of the Data Protection Act 2018 and the UK GDPR. The UK GDPR took effect at the start of 2021, as the Brexit transition period came to an end. For most SMEs operating in the UK, the UK GDPR is the go-to source for data protection law. It is the “general processing regime”, as described by the Information Commissioner’s Office (the “ICO”) which applies to most organisations, and which is covered here.
The ICO has a tool, available here , which can help you to determine which data protection regime applies to your organisation.
What is the UK GDPR?
The UK GDPR is the retained EU law version of the EU GDPR. The GDPR (or “General Data Protection Regulation”) came into effect on 25 May 2018 and applied throughout the European Union. It is retained in UK law, with some contextual modifications, by section 3 of the European Union (Withdrawal) Act 2018.
From a compliance perspective, there is generally little difference between the EU GDPR and the UK GDPR. The core terms, principles, rights, and obligations remain unchanged. In general terms, if you were compliant with the GDPR before the Brexit transition period ended, you should be in good shape under the UK GDPR.
So, what practical steps should your business be taking in order to comply? Provided below are links to a variety of documents and detailed information to help you comply with the UK’s data protection regime.
Review and Understand your Current Data Protection Position
The starting point is to complete a data protection audit of your business. First, read the Data Protection Audit Guidance Notes and then complete the Data Protection Audit itself:
Put ‘Privacy by Design’ Front and Centre
If you are using personal data in a new project, or perhaps using existing personal data for a new purpose, it is important to ensure that data protection compliance is built in from the beginning. In some cases, a Data Protection Impact Assessment (DPIA) also known as a ‘privacy impact assessment’ is required by the ICO. Even if it is not required, a DPIA can be a useful tool in the planning stages of a project. We offer two DPIA templates (long and short-form) and an accompanying set of guidance notes to assist in this process:
- Data Protection Impact Assessment Guidance Notes
- Data Protection Impact Assessment
- Data Protection Impact Assessment (Short Form)
Make Sure your Key Policies are Up-to-Date and UK GDPR-Compatible
The UK GDPR puts a lot of emphasis on safeguarding the rights which it bestows upon data subjects. Where any personal data is collected and processed, you must tell data subjects what you are collecting, what you are going to do with it, and why. We provide a range of Data Protection Policy templates, which enable you to set out in detail the measures and procedures in place within your business for compliance with the law. If appropriate, complement this with an IT Security Policy and/or a Data Security Policy. Furthermore, to ensure that personal data is not retained for any longer than necessary and is deleted or otherwise disposed of correctly, our Data Retention Policy (with accompanying guidance notes) is an important step for compliance:
- Data Protection Policy
- Data Protection Policy (Short Form)
- Data Protection Policy (Home Working)
- Employee Data Protection Policy
- Employee Data Protection Policy (Short Form)
- IT Security Policy
- Data Security Policy
- Data Retention Policy
- Data Retention Guidance Notes
In an ideal world, nothing would go wrong; but this isn’t an ideal world. From a data protection perspective, it is vital to have a procedure in place for dealing with personal data breaches. Our Data Breach Policy should be used to set out the measures and procedures in place to deal with breaches, those breaches should be recorded in a Data Breach Register, and for ease of reporting data breaches within your business, try our Data Breach Report Form. Guidance notes on handling personal data breaches are also available:
For those collecting personal data through websites, our Website Privacy Policy templates are essential. Many websites use cookies and similar technologies as well. These remain governed by the Privacy and Electronic Communications Regulations 2003 (PECR) for the moment, but the standard for consent is now derived from the UK GDPR. A new EU “ePrivacy Regulation” was intended to come into effect at the same time as the GDPR, in May 2018. As of May 2021, however, it remains a work in progress. From a UK perspective, the regulation will not apply when it does become law, being an EU instrument, but it is likely that something very similar will be introduced in the UK due to the importance of regulatory alignment with the EU on matters relating to privacy and data protection.
A number of our Privacy Policy templates include sections on cookies, but a separate Cookie Policy template is also available for those that want to keep things separate for easier navigation by users:
Not all personal data is collected through a website. It is nevertheless important to keep data subjects informed. Our Privacy Notice templates are designed for this and follow the same structure as our Website Privacy Policies, providing much the same information, but for ‘offline’ situations:
Respond Promptly to Data Subject Access Requests
Key among data subjects’ rights is the ‘right of access’. This enables people to confirm that you are using their personal data, to obtain a copy of that personal data, and (essentially) to find out what you are doing with it (note that this information should already be provided in your Privacy Policy or Privacy Notice). To make it easy for individuals to make a data subject access request, we suggest making our Subject Access Request Form readily available. In addition to this form, we also offer a set of template letters for responding quickly and easily to data subjects in a variety of different scenarios:
- Subject Access Request Form
- SAR Letter - Acknowledgement
- SAR Letter - Fee and/or Additional Time
- SAR Letter - Receipt of Additional Information/ID
- SAR Letter - Receipt of Fee
- SAR Letter - No Data Found
A similar set of documents is also available for the other data subject rights under the UK GDPR, such as the right to rectification and the right to be forgotten. In addition to template letters for handling requests by data subjects to exercise their rights, a policy is available which explains each right to data subjects:
- Data Subject Rights Policy
- Data Subject Rights Guidance Notes
- Data Subject Rights Letter - Acknowledgement
- Data Subject Rights Letter - Acknowledgement + ID Request
- Data Subject Rights Letter - Acknowledgement + Fee Request
- Data Subject Rights Letter - Receipt of ID
- Data Subject Rights Letter - Receipt of Fee
- Data Subject Rights Letter - Additional Time Required
Transferring Data to Third Parties
If you are using a third-party data processor to process personal data (e.g. of your customers or staff) on behalf of your business, an agreement should be in place which clearly sets out your respective data protection obligations. Such provisions can be built into another contract (e.g. a service agreement) using data processing clauses, or they can be contained within a dedicated agreement. Three data processing agreements are available. The first is for situations in which the data controller and the data processor are both in the UK, the second covers a UK-based controller who transfers personal data to a processor either within the UK or EEA (such transfers remain permitted without additional safeguards), and the third deals with processing which moves personal data from a UK controller to a processor (or subcontractor) located outside the EEA:
- Data Processing Clauses
- Data Processing Agreement (UK)
- Data Processing Agreement (UK and UK to EEA)
- Data Processing Agreement (UK to non-EEA)
Alternatively, if you are sharing personal data on a controller-to-controller basis, try our Data Sharing Agreement:
All the above documents and guidance can be found here and are available as part of our Business Documents Folder. Just £35+VAT will provide you with one year’s unlimited access to all of our data protection documents plus much, much more.
UK GDPR Compatible Employment Documents
If you are an employer, you will collect, hold, and process personal data about your employees. Our Employee Data Protection Policy provides detailed coverage of the rights of data subjects under the UK GDPR, and the obligations of your business as data controller.
Keeping your employees informed about your collection and use of their personal data is vital. Our Privacy Notice for Employees and Contractors and our Interviewee Privacy Notice are essential starting points here.
The UK GDPR allows individuals to access information from organisations that process their personal data by means of a data subject access request. Our Employee’s Subject Access Request Form can be used for this purpose.
The following data protection documents can be found in our Employment Document Folder, also available for just £35+VAT for one year’s unlimited access:
- Employee Data Protection Policy
- Guidance Note: Managing the Retention of Employee Data
- Employee's Subject Access Request Form
- Letter Acknowledging Subject Access Request
- Letter Acknowledging Subject Access Request and Asking for Administrative Fee and Time to Respond
- Letter Acknowledging Subject Access Request and Asking for More Information
- Privacy Notice for Employees and Contractors
- Interviewee Privacy Notice
- Employment Contracts and Directors’ Service Contracts