GDPR Update: Everything You Wanted To Know About GDPR in 2021
The GDPR has been in existence for over five years now. But other than a flurry of activity when it came to everyone’s attention in 2018, for many companies it has faded into the background. This article gives an overview of what it is and where it came from, the changes that have come about since the UK left the EU, and a quick run-through of the obligations it puts on UK businesses.

What is GDPR?
In the EU, GDPR stands for the General Data Protection Regulations or to give them their full name: the European Union’s General Data Protection Regulations (EU) 2016/679. (The regulations are therefore a group of ‘multiple things’, but GDPR is usually described as a single thing.)
Much of GDPR is based on the UK’s Data Protection Act 1998, which was considered to be best practice at the time – i.e. it provided the strongest protection of an individual’s rights over their own personal information. The UK 1998 Act is the source of many of the concepts found in today’s GDPR.
Why was GDPR introduced?
The EU introduced GDPR in order to harmonise data privacy laws across the EU. This harmonisation makes it easier to trade across the bloc, without having to worry about there being different rules governing personal data protection in each country.
When did GDPR come into force?
GDPR became EU Legislation in April 2016. There was then a two year ‘grace period’ for companies to prepare for the changes, and it finally came into force on May 25th, 2018.
Has anything changed since Brexit?
The UK effectively left the EU and EEA at the end of the transition period, on 31st December 2020. So in 2021, does GDPR still apply to the UK post-Brexit? Well, yes and no.
As we are now a ‘third country’ in relation to the EU, the EU GDPR does not apply. However, as part of the European Union (Withdrawal Agreement) Act 2020, the UK created a new law called the UK GDPR, which with a few tweaks is word-for-word identical to the EU regulations.
Who enforces GDPR?
We’ve established that GDPR does still apply, but it is the UK’s own regulation, overseen by the UK justice system and administered by the UK’s Information Commissioner’s Office (ICO). The EU’s GDPR, by contrast, is overseen by the European Court of Justice and administered by the European Data Protection Board (EDPB), which is composed of representatives of the national data protection authorities of the countries that make up the EU and EEA.
Is GDPR worldwide and to whom does it apply?
GDPR applies globally. The EU does not allow the processing of EU citizens’ personal data in ‘third countries’ (any country which is outside of the EU/EEA), unless it has decided it is safe to do so. This decision can be made in different ways and at different levels. The simplest way for this to happen is if the EU decides that the data protection laws in the third country give the same level of protection as GDPR does; it would therefore be safe to allow EU citizens’ personal data to flow between the EU and that country, and then be safely processed there.
This decision is called a ‘Data Adequacy Agreement’ and is made between the EU and a third country.
As part of the end of the transition period, the EU allowed the UK a further six months where the status quo was maintained, and personal data could flow freely between the two, while they considered whether or not to give the UK a ‘Data Adequacy Agreement’.
On 28th June 2021, two days before the transition period expired, the UK’s Data Adequacy Agreement was finally announced by the EU. This decision will be reviewed by the EU in four years’ time, in 2025. The decision means data can flow as it always has between the UK and EU/EEA, although UK companies still have to abide by EU GDPR if they are processing EU citizens’ data – at present, this remains the case.
In just the same way, the UK does not allow the processing of UK citizens’ personal data in ‘third countries’ (any country which is outside of the UK), unless it has decided it is safe to do so. The UK has retained the list of countries that the EU had determined to be adequate, and has added all EU/EEA countries to that list.
What is personal data under GDPR?
Personal data is also known as ‘personally identifiable information’. The name “John Smith” by itself does not identify a person. But combine the name with an address – physical or electronic – or other ID such as a passport, driving licence or national insurance number, and that person can be uniquely identified. GDPR identifies different categories of personal data, with different levels of control around each:
- Personal data: e.g. email address, photograph, CCTV footage.
- Special category data: more sensitive personal information, e.g. health/genetic data, ethnic, political or religious information; this requires more stringent controls to be in place if it is to be processed safely.
- Criminal record data: information related to offences and convictions is strictly controlled, though in the UK access to it is not completely banned.
What is a data controller in GDPR?
A data controller is a person or organisation that has the responsibility for maintaining the integrity and confidentiality of the personal data they are processing. A data controller may process the personal data themselves, internally, or they may pass the data on to another organisation to process on their behalf.
It is the data controller’s responsibility to inform a data subject about their rights in relation to the personal data that the controller has gathered and is processing, and also to inform them of a breach of their data that could affect their rights and freedoms.
What is a data processor in GDPR?
A data processor is a person or organisation that processes personal information on behalf of a data controller. Their main responsibilities are also to ensure the integrity and confidentiality of the personal data they are processing, and to inform the controller if there has been a breach of personal data. In addition, the processor must stick to the conditions laid out in the data processing agreement that is in place between the data controller and themselves.
Most organisations will be data controllers. If they have employees, the HR and payroll records will contain personal data. Similarly, if they hold the contact details of individuals working for suppliers or customers, they will be the controllers of that personal data.
Some organisations will also process data on behalf of their customers. For example, HR software providers, mailing houses, event coordinators – anyone that holds or otherwise processes personal data on behalf of their customers – will be a data processor.
What are the 7 principles of GDPR?
Whenever you are processing personal data, GDPR provides guidelines on how this data should be handled. GDPR sets out seven personal data protection principles that every organisation that processes personal data should understand and adhere to.
Before getting into what they are, let’s start with a definition of ‘processing’:
“…collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data
i.e. anything you could possibly think of to do with data!
The Seven Principles are:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality (security);
- Accountability.
Let’s take a brief look at each one in turn:
1. Lawfulness, fairness, and transparency
Lawfulness – What is GDPR article 6 and why is it so important?
This is one of the most important principles of GDPR – it even has its own section in the regulations: Article 6.
The default that GDPR assumes is that personal data should not be processed, ever, by anyone!
The only way that a company may process personal data is if it has a reason permissible under GDPR. This is called a ‘lawful basis of processing’.
A lawful basis can be any one of just six valid reasons for processing personal data:
- Consent: the person whose data it is – the “Data Subject” – gives you explicit permission to process their data.
- Performance of a Contract: personal information is required in order to execute a contract between yourself and the Data Subject.
- Legitimate Interest: the personal information is required in order for the company to ‘do what it does’ in relation to the Data Subject.
- Vital Interest: personal information is processed to serve a vital purpose, such as saving the Data Subject’s life.
- Legal Requirement: the Data Subject’s personal information must be processed in order to comply with legislation.
- Public Interest: the Data Subject’s personal information is processed by or at the direction of a government body.
Fairness
GDPR expects that any and all processing of personal information is fair – that processing is what would be reasonably expected, not unreasonably damaging to the Data Subject, and that they are not deceived in any way about the purpose of the data processing when it is being collected.
Transparency
GDPR expects that before starting any collection and processing of a Data Subject’s personal information, the reason for that collection and processing is explained clearly; nothing is hidden from them. An organisation must be open and honest about its purpose at all times.
2. Purpose limitation
If you have determined that you are going to collect personal information for a particular purpose, the processing should be limited to that purpose – and nothing else.
A good example of the abuse of purpose limitation: You have a list of existing customers and their contact details, whose information was originally collected to communicate with them about the product or service they purchased from you. It is a breach of the principle of purpose limitation if you start using that list as a marketing database to sell your other products or services. (What you can do is establish another lawful basis, by contacting existing customers to ask if they would like to join your mailing list, and only sending them marketing material if they agree to it.)
3. Data minimisation
Only collect the information required for the purpose; if you don’t need it, don’t ask for it!
4. Accuracy
The controller should ensure that the personal information held is as accurate as possible. This means that, when notified by the Data Subject that their information has changed, their records are swiftly and correctly updated. Also, if the data controller has passed that information on to another organisation, they are obliged to inform that organisation of the change.
5. Storage limitation: how long can you keep personal data under GDPR?
Once a lawful basis of processing has ended, the data controller is breaking the law if they continue to keep the personal data. The data controller should establish data retention periods: the length of time after which personal data must no longer be stored. The length of time will vary according to the lawful basis. Looking at the information held relating to an employee, for example:
- Some health records must be retained for 30 or more years.
- Tax law requires PAYE records to be retained for six years following the end of the tax year.
- Other personal information, such as next-of-kin contact details, is unlikely to be required beyond the end of an employment contract.
6. Integrity and confidentiality (security)
Whenever you are processing personal data, you must do so in a way that ensures appropriate security. This includes protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. This should be done using whatever physical (e.g. locks and keys), organisational (e.g. processes to ensure safe handling) or technical (e.g. data encryption, password protection) means are available.
7. Accountability
Once you have implemented the controls to comply with all the other principles, you must ensure the effectiveness of those controls. This means you must have appropriate measures and records in place to be able to demonstrate your compliance.
Learn More About GDPR
If you’d like to learn more about GDPR, British Assessment Bureau offers a low-cost e-learning course, which covers the essential information and responsibilities that those handling personal data should be aware of.