It’s no secret that data has become a valuable commodity in today’s digital age and as a result, protecting personal information has become increasingly important.
That’s where the UK General Data Protection Regulation (UK GDPR) comes in.
The UK’s data protection laws may have “UK” in the name, but they are almost identical to the EU’s General Data Protection Regulation (GDPR).
UK GDPR is designed to give individuals more control over their personal data.
This includes everything from collecting data online to recording data on paper.
If your website processes personal data, such as through cookies and third-party trackers, you need to make sure you have each user’s explicit consent before processing their data (the only exception is essential cookies).
You also need to ensure that it’s easy for users to change or withdraw their consent at any time.
Furthermore, users have a set of rights under these laws, including the right to have their data corrected and the right to have it erased.
If you collect and store personal data, you’re considered a ‘Data Controller’.
Data Controllers have specific responsibilities when processing personal data, and they are often required to register with the Information Commissioner on their Register of Fee Payers.
There is a fee, and small businesses generally pay around £40 or £60, but if you’re not sure, you can use the ICO’s Registration self-assessment to see if you have to register.
To better understand the terminology around the legislation, have a read of our UK GDPR Glossary.
The UK GDPR key principles
When it comes to data protection, UK GDPR may seem like a whole new ball game.
But, in reality, most of its principles are nothing new.
Of the seven principles listed in the UK GDPR, only one – accountability – is actually novel to data protection laws.
The other six principles have all been present in data protection legislation for quite some time, including in the UK’s Data Protection Act 1998.
So, while UK GDPR may be stricter in enforcing these principles and potentially imposing harsher penalties for non-compliance, at its core it is simply an update and strengthening of existing data protection guidelines.
Data protection can be complex and it may seem intimidating, but it has been around for a long time. Simply thinking about how you process personal data – what you collect and why, where it is stored and whether it is safe, whether you can find it, whether you can respect people’s privacy, and whether you delete it securely – goes a long way to helping make sure you are compliant.
The Information Commissioner publishes guidance for SMEs to help with data protection, which can be useful.
The government recognises the burden data protection can have on smaller businesses and announced a reform to UK GDPR with the proposed Data Protection and Digital Information Bill.
The Bill is still to be agreed and its intention is to make it easier for businesses to comply, so watch this space!
1. Data must be collected and used fairly, transparently, and within the law
When collecting consumer data, you must provide them with key information about your business, why you need to collect personal data, and the intended use of their data.
This is called a privacy notice or fair processing statement and it should be available to them when the personal data is collected.
It must be obvious how an individual can access and change the data stored, and you cannot misguide or lie to your customers.
If you are collecting a customer’s consent to use their personal data, you must make the consent a free affirmative choice (opt-in, not opt-out); it must be clear what they are consenting to, and it must not be packaged as part of terms and conditions.
If someone feels forced to provide consent to get a service, it’s not true consent and you need another lawful basis to process their personal data.
Images captured on CCTV are included in the UK GDPR and so notices must be displayed if you use CCTV on your premises.
2. The information held must be adequate for its purpose, relevant and limited to only what is necessary
You cannot hold more data than your intention deems necessary – only take the data you directly need to use.
For example, an online retailer may only need a customer’s name, email address, and mailing address in order to fulfil their orders.
It would not be necessary or ethical for them to also collect information such as political opinions or health conditions.
Adhering to data minimisation helps to protect customers from having their personal data unnecessarily collected and potentially lost, stolen, or misused.
In short, data minimisation ensures that organisations do not overreach with their data collection efforts and helps to build trust with customers.
3. Information must be accurate and where necessary kept up-to-date
Information is a business asset, so you have to manage it and make sure it is accurate and up to date.
It’s a good idea to regularly confirm with your customers their data is accurate and update where necessary, for example if your customer changes their address or phone number.
You may also want to enable consumers to update their own information manually online.
A consumer can ask you to correct their information (this is one of their individual rights). If you fail to do so, or fail to explain why you can’t, it can lead to enforcement action and potential legal action and penalties.
4. Data should only be used for specified, explicit purposes
When it comes to data collection, there are certain guidelines that need to be adhered to in order to ensure data protection.
Data can only be collected for explicitly stated purposes and should not be processed in a way that goes against those initial intentions.
However, data may be further processed for archiving, research, or statistical purposes if they are deemed to serve the public interest.
It’s important to remember that data should always be collected and used responsibly, and not treated frivolously or without purpose.
By staying aware of these guidelines and limitations, we can ensure that data is protected and used ethically.
5. Data must not be stored longer than needed
You cannot store data indefinitely.
You need to know how long the information is kept for.
If there are no legal requirements to keep the information, then make a business decision, but you are obliged to tell the customers how long you expect to keep their information for.
When you no longer need the personal data, you need to manage it and either delete it or anonymise it.
6. The information must be safe and stored away from unauthorised access
You must keep your information safe from physical damage, loss, theft, or unauthorised access, alteration or misuse.
Appropriate information security protections must be put in place to make sure information isn’t accessed by friends, family, colleagues, hackers or accidentally leaked as part of a data breach.
While a bank may need to implement stronger protocols than a shop, there are still steps every business can take to ensure the safety of personal data.
You should keep track of how data is being handled and make sure only authorised individuals have access to it.
This includes implementing proper access controls, making sure as few people have access to the data as possible, and encrypting websites to prevent data breaches.
Keeping data secure also involves training staff in data protection measures and continuously evaluating your data handling processes.
In the event of a data breach, if there is a serious risk of harm to the rights or privacy of any data subjects, the Data Controller is required by law to report the incident to the ICO, as well as informing the individuals who may be impacted by the breach.
This allows those affected to take steps to mitigate any potential damage, such as financial loss or harm to their reputation.
In the UK, data breaches must be reported to the ICO within 72 hours of discovery.
7. You must be accountable for your use and storage of data
As data protection becomes increasingly important, the accountability principle within UK GDPR helps to ensure that organisations are transparent and responsible in their handling of data.
Being able to demonstrate accountability can be crucial if a company is under investigation for potentially breaching UK GDPR principles.
Having an accurate record of all data processing systems, procedures, and any steps taken to prevent errors can prove to regulators that the company takes its data protection obligations seriously.
The accountability principle also encourages continuous improvement by regularly reviewing and updating data protection policies and practices.
Reference to any organisation, business and event on this page does not constitute an endorsement or recommendation from the British Business Bank or the UK Government. Whilst we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.