1. What counts as personal data under UK GDPR?
The basic legal test for what counts as personal data under UK GDPR is “any information relating to an identified or identifiable natural person”. In many cases this is obvious, but it becomes more difficult where an individual is not clearly identifiable but could be identified with other reasonably available information. Likewise, whether something ‘relates’ to an identifiable individual can be tricky in some cases. The starting point on whether data ‘relates’ to an individual is whether or not it tells you something about that specific individual or their activities, and then there are various tests and guidance that can be applied.
It is generally wise to err on the side of caution, as what counts as personal data is often wider than people think. For example, there is a common misconception that work email addresses are not personal data, but assuming they contain a name (often they will be some variation of first name/initial and surname, with the place of work as the domain) then they are almost certainly personal data.
2. Does UK GDPR apply to small businesses?
Yes – there is no minimum size requirement for UK GDPR and other data protection legislation. Some obligations, or how you meet them, take account of a business’s resources but that does not remove the base requirement.
3. Do I need a privacy policy?
You will almost certainly need at least one privacy policy of some kind. The controller of data is required to give certain information to individuals when it collects or obtains (if the data comes from a third party) personal data, and that is done via a privacy policy (sometimes called a privacy notice or statement). Where a business has employees, it will have to issue one to those employees. Depending on the nature of a business, it is also common to have one for a website and/or customers (sometimes combined as one).
4. Do I need consent to hold people’s personal data?
You do not necessarily need consent to hold people's personal data. Consent is only one of six lawful bases that can be the grounds to process personal data. In fact, consent is often not appropriate due to the nature of the relationship and the requirements for valid consent, or because another basis is more appropriate. For example, when dealing with employees, consent is rarely appropriate: it is considered that employees are unlikely to be able to refuse given the relationship, and so consent is not ‘freely given’ (one of the requirements for valid consent).
One of the lawful bases must apply to what you are doing in order to lawfully process personal data, and it should be the most appropriate to the circumstances that you are in. There are of course additional requirements in certain circumstances, such as when dealing with special category data.
5. What is the difference between opt-in and opt-out consent?
Opt-in consent requires some form of positive action to show consent (think ticking a box or pressing 'accept'), whereas opt-out requires the same kind of action in order to indicate that someone does not consent, with consent otherwise assumed. Opt-out consent mechanisms are invalid under UK GDPR due to the requirement for consent to be informed and affirmative.
6. How do I check if my business is GDPR compliant?
There is no single test that demonstrates GDPR compliance; rather, compliance relies upon a variety of components and is, in some respects, subjective (for example, the requirement for controllers to have “appropriate” data protection policies in place). There is of course plenty of guidance to supplement and inform what the expectations are, but it is generally advisable to have some form of professional guidance or advice when looking at your compliance with data protection requirements.
7. What happens if I don’t comply with data protection law?
The biggest risk of not complying with data protection law comes from data breaches (i.e. a security incident that leads to personal data being compromised), as they are far more likely to lead to ICO (the Information Commissioner’s Office) action and/or private claims by individuals. They are also a major source of reputational damage. A data breach does not automatically equate to a breach of data protection legislation, albeit one does commonly result from the other, and non-compliance with wider data protection obligations can exacerbate a breach.
The ICO has the power to issue substantial fines (the greater of 4% of worldwide annual turnover or £17.5 million, or 2% or £8.7 million, depending on the breach), albeit fines are relatively rare unless a breach is particularly significant or egregious, and they are not typically at anything close to the maximum levels. Private claims are also relatively rare unless there has been a data breach (i.e. a security incident that leads to personal data being compromised). In the case of data breaches, a lot hinges on what happened and what data was involved (both for ICO action and private claims).
8. Do I need a Data Protection Officer (DPO)?
Unless you are a public body/authority, you are only required to have a DPO if your core activities require large-scale regular and systematic monitoring of individuals or large-scale processing of special category data or criminal conviction data. This can be a complicated assessment, but the ICO provides a tool to help analyse this. Many organisations voluntarily appoint someone as a DPO or data protection manager even when not legally required. In those cases, the individual does not necessarily have the same legal obligations as a formal DPO but can be a useful touch point for compliance, as it gives a key contact to deal with data protection compliance and issues.
9. What do my contracts need in them to comply with data protection law?
It all depends on the nature of the contract, and particularly on the relationship between the parties. Where one party is a processor on behalf of the other, the contract must comply with Article 28 of UK GDPR. If both parties are controllers, then it depends on whether they are joint or independent controllers, but in either case (and certainly if you are joint controllers) the contract should cover some obligations and arrangements between the parties.
There are of course other factors, such as any international transfers of data between the parties and what may need to be in place to ensure that such transfers are lawful.
10. What should I do if there’s a data breach?
If there is a data breach, you need to act quickly and investigate matters, as the controller only has 72 hours from becoming aware of a breach to notify the ICO (if notification is required), and if you are a processor you must notify the relevant controller without undue delay. Notification is required unless it is unlikely that the breach is a risk to the rights and freedoms of the affected individuals (those whose data has been compromised). If the 72 hours is missed then you should still notify the ICO (being late is much better than no notification!) and provide reasons for the delay.
You may also need to notify the affected individuals if the breach is likely to result in a high risk to their rights and freedoms. This must be done without undue delay. Beyond notification requirements, thought also needs to be given to mitigating the impact of the breach or potential breach. Breaches must be recorded by the controller.
Ideally there will be a process for all of this in a data breach policy/procedure. Given it is arguably the area of highest risk when it comes to data protection, it is strongly advisable to seek professional advice if a data breach, or potential data breach, is identified.