What is GDPR and UK GDPR? Your Basic Guide to Data Compliance in the EU and UK

In the Internet Age, data is currency. Therefore, it’s unsurprising that regulatory bodies and governments are trying to secure data capture and transfer to limit the risk of breaches.

According to PrivacyAffairs.com, since GDPR's ratification in 2018 - more than €1.63 billion in GDPR fines have been issued - across 1,087 instances. Making the average fine size nearly €1.5 million – when considering the average revenue made in the EU was roughly €177,000 the compliance pressure is obvious.

GDPR touches every business that collects personal data, be that a multinational telecoms giant, or a “mom and pop” firm that keeps supplier invoices.

In reality all businesses are affected by GDPR.

This guide will be your basic what is and how to for all things EU GDPR, UK GDPR, and cross border data transfers.

What is Personal Data?

The regulations differentiate between Personal and Non-personal Data.

Essentially, Personal Data is anything that can identify an individual, think: names, email addresses containing names, IP addresses, cookie identifiers etc. If you can match data to an individual, it is personal data.

Non-personal data lacks this attribution; therefore, it falls outside of the scope of the regulations.

Aliquam ullamcorper malesuada dapibus. Curabitur ac lectus sit amet dui euismod auctor. Suspendisse sagittis id lacus eget vulputate. Ut nec arcu ut sem molestie tincidunt luctus eget tellus. Etiam consectetur, eros eu laoreet sagittis.

Parsley Montana

[email protected] is personal data, [email protected] is non-personal data.

Companies can collect personal data, provided the collection and processing of that data is done so in accordance to seven key principles:

1. Lawfulness, fairness, and transparency: there must be consent in collecting data, it must be done to fulfil a contractual obligation, and the reasons for collection made clear.
2. Purpose limitation: must be collected for a specific purpose only
3. Data minimisation: the smallest possible required level of data must be collected for the purpose
4. Accuracy: data must be accurate (and updated where necessary)
5. Storage limitation: must justify for how long data is collected
6. Integrity and confidentiality: must keep data securely and handle properly
7. Accountability: keep clear records of how data is collected, stored, and audited.

Who are the Actors Involved in Data Collection and Transfer?

• The regulations recognise a number of actors, where data collection and processing is concerned:
• The user – not really defined within the regulations, but essentially these are the parties to whom the personal data relates
• The controller – the party who determines the purpose and means of processing the personal data
• The processor – the party who processes the data on behalf of the controller (a contractor)
• The sub processor – the party who processes some or all of the data on the behalf of the processor (a sub-contractor), not really defined by the regulations.
• The supervisory body – regulatory bodies within each relevant state responsible for enforcing GDPR principals. In the UK, this is the Information Commissioner’s Office (ICO)

An example of how all these parties may work together:

The data controller will be responsible for the entire supply chain of data processing – sub processors, and their sub processors will need to be pre-approved by the data controller before they are subcontracted.

What are Your Responsibilities and How to Comply with Them?

As a data controller you must ensure:

• Your website has a data processing policy, and your customers agree to a copy of this data processing policy in their service agreement.
• You have a privacy policy and cookies policy
• You are a member of the supervisory body in your country (ICO in the UK).
• You conduct an audit of your data processors and their data processors (sub processors).

You will be responsible for the entire supply chain of your data processing.

If your processor or their processor breaches GDPR principles, you will be fined by the regulatory authority.

However, you will need to ensure that you enter into agreements with your data processor on a “back-to-back” basis – so you can recoup potential liability.

Your Data Contractors

As you are the owner of the contract, you will be responsible for the data provided by the customer, you will be responsible for ensuring the seven principles outlined above are adhere to.

A contract must exist between you (the data controller) and your contractor(s) (the data processor(s)).

Where the contractor(s) want to contract to a subcontractor (the sub processor), they must seek the permission of the data controller.

This process will then continue in that fashion throughout the entirety of the supply chain.

You must ensure that your data processors, and their sub processors (and so forth) have the same level data competence:

• Data Processing Policy
• Privacy Policy
• Supervisory body membership
• Ensuring their sub processors have the above

Moving Personal Data between EU and UK

When the UK was part of the EU, personal data could be transferred freely between all EU states and the UK.

The ICO was a recognised supervisory body – which means, so long as you had all your polices in order (and paid the £40 p/a fee) you could process EU personal data without additional systems and policies.

Thankfully, in June 2021, the EU Commission recognised the UK’s data laws as adequate, which means personal data can pass freely between the UK and EU.

Now, UK firms processing EU personal data will need to have a designated EU data representative, who will be EU users’ first point of contact.

They will be responsible for your data compliance in the EU, and will likely enter into a back-to-back agreement to cover any potential financial liability. When you get a data representative, you should outline their corporate details in a separate EU data processing agreement.

You will also need to pay the fee for the supervisory body in EU state within, generally, which the data representative is based.

There are a number of firms that provide this service (many are law firms), so conduct your due diligence before agreeing.

The same process will apply if an EU firm wishes to process UK personal data.

Moving Personal Data outside EU or UK

Exporting data to a non-EU region from either the UK or EU is less straightforward.

Let’s assume you contract a US company to process UK personal data. In order for the data to be exported to the US company you will need to ensure that the transfer doesn’t infringe either UK, or conflict with US laws – for example, it is not appropriated by US authorities.

The ICO provides a detailed checklist here, for third country transfers.

You will need to ensure that:

• You still have access to the data (the user is able to access it when they make a request)
• The scope of the contractor’s use of the data is clearly defined, and access to logged
• The contractor adheres to the seven principles
• Access is stopped as soon as the contract has been discharged.
• The contractor has the same level of data protection that would otherwise be expected in the UK (complies with the relevant GDPR body)

Standard Data Protection Clauses (the ICO provides a template) should be used as the contractual basis for the transfer IN ADDITION to other contractual requirements (service agreement, data processing policy, privacy policy) and a prior audit of the contractor’s data adequacy.

It’s about covering yourself – doing enough prior due diligence, and logging such, to reasonably state that the contractor fulfilled the criteria that would expected by a domestic contractor.

Simple How to Checklist This guide is a very basic overview of the EU and UK GDPR requirements of anyone who handles personal data belonging to EU or UK citizens. You should consult a trained data legal expert. However, the key takeaways and points to implement are: Produce a data processing policy inline with the seven principles outlined above If you haven’t already, pay the ICO fee (amount will vary) Ensure any system that hosts personal data complies with GDPR regulations Audit your work flow and identify where data is transferred to a third party and ensure their supply chain is compliant with GDPR regulations Ensure all contracts reference your data processing policy and liability is protected on a back-to-back basis. If you’re importing EU personal data, ensure you have an EU based data representative and you are supervised by the supervisory body in that state. If you’re exporting UK personal data to a third country ensure that party complies with UK GDPR principles and is not at risk of breaking UK GDPR principles. We will be publishing wider posts on this topic area.