Introduction
GDPR stands for General Data Protection Regulation. The EU regulation came into effect on 25th May 2018; after the UK left the EU, it was retained in domestic law as the "UK GDPR", which applies from 1st January 2021 alongside the Data Protection Act 2018. It is a personal data protection law designed to protect the privacy of everyone's personal data.
It sets out specific legal obligations that UK businesses must follow regarding how personal data is collected, stored and processed. In today's digital climate, where seemingly everyone's data is out there, the need for GDPR has never been more important.
GDPR Fines
With personal data never being more important than it is now, the UK has penalties in place if you breach the UK GDPR. The ICO can impose two tiers of fine:
- A maximum fine of £17.5 million or 4% of annual global turnover, whichever is higher, for breaching the data protection principles (including the integrity and confidentiality principle, under which failures such as unauthorised access have been fined), the conditions for consent, individuals' rights, or the rules on international transfers.
- A maximum fine of £8.7 million or 2% of annual global turnover, whichever is higher, for breaching other obligations, such as failing to report a personal data breach, failing to keep appropriate security measures or records of processing, or failing to carry out a required data protection impact assessment.
These principles previously existed under the EU GDPR, and the UK tiers mirror the EU's €20 million / €10 million thresholds. An article by CNET.com reported that within days of the EU GDPR taking effect in May 2018, Google, Facebook, Instagram and WhatsApp all received privacy complaints that had the potential to amount to an astonishing $9.3 billion in fines.
These global tech giants were seen to have a "take it or leave it" stance with consumers, demanding that their terms of service be accepted before the service could be used, which the complaints argued is not freely given consent.
Protection Measures To Comply With GDPR
GDPR And Online Safety
To comply with GDPR, your website must protect the personal data of its users, including basic identity information such as name, age and bank details, as well as technical information such as IP addresses.
The first step is to serve the site over HTTPS with a valid TLS certificate (still commonly called an SSL certificate). This encrypts the connection between the user's browser and the website, so information submitted on data-capture forms cannot be read or altered in transit. Redirect all plain HTTP requests to HTTPS and send an HTTP Strict Transport Security (HSTS) header so browsers never fall back to HTTP. Note that HTTPS protects data only in transit; once it reaches your servers and databases it needs its own access controls and encryption.
If you are collecting data, you must also have a privacy policy with the following information:
- The type of personal data you collect and process
- The purpose for the use of personal data
- How long you retain the personal data
- Identity of who the data is being shared with
- User rights in relation to their personal data
- The methods you use to protect data
- How individuals can request access and change their data
Other ways to ensure the safety of individual data include regularly updating the website's software (CMS, plugins and libraries), enforcing strong passwords and multi-factor authentication on administrative accounts, and performing regular security audits.
GDPR And Data Capture
One of the biggest online protection risks that users face every day is how their data is captured.
To ensure data capture is done correctly, you must make web forms clear, remove pre-ticked opt-in boxes, and be able to demonstrate consent.
- Clear and easily accessible forms. Any web registration form which collects personal data must include specific and unambiguous details about what the individual is consenting to, with a separate tick box for each distinct purpose (for example email marketing and SMS marketing) rather than one blanket box.
- Do NOT implement a passive opt-in on web registration forms. A pre-ticked opt-in box, or an "untick this box if you do not want to hear from us" opt-out, does not comply with GDPR: consent must be a clear affirmative action by the user.
- Consent must be demonstrable. Ensure you can show that consent was given, i.e. record when and where the individual consented, exactly what wording they consented to, and keep the record of any later withdrawal rather than deleting the original.
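The three points above (and the same "demonstrable consent" requirement in the "How Does Data Consent Work?" section below) come down to how the server handles the form submission. The following is an added example, not code from this page or from any product it describes. It assumes a form that posts one checkbox per purpose named `consent_<purpose>`, which browsers send with the value `on` only when the user has ticked it, and it versions the consent wording so the record shows exactly what was agreed to; the wording, URL and addresses are constructed placeholders.

```python
"""Consent capture for a web registration form (added illustration).
Assumes checkboxes named consent_<purpose>; a ticked box posts "on"."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Versioned consent wording (constructed sample). The record stores a hash
# of the text the user saw, so a later change to the wording cannot be
# confused with what was actually agreed to.
CONSENT_WORDING = {
    "email_marketing": ("v3", "Yes, email me offers about Example Ltd products."),
    "sms_marketing": ("v1", "Yes, text me offers about Example Ltd products."),
}


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str
    wording_version: str
    wording_sha256: str
    granted: bool          # False for a withdrawal record
    timestamp: str         # UTC, ISO 8601
    source_url: str        # where the consent was given or withdrawn
    ip: str                # IP and user agent are personal data too: apply retention limits
    user_agent: str


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_consents(form: dict[str, str]) -> dict[str, bool]:
    """Map each purpose to True only if its box was affirmatively ticked.
    A missing field, an empty string or any other value is not consent."""
    return {p: form.get(f"consent_{p}") == "on" for p in CONSENT_WORDING}


def record_consents(form: dict[str, str], *, source_url: str, ip: str,
                    user_agent: str, now: datetime | None = None) -> list[ConsentRecord]:
    """Build one record per purpose, including explicit 'not granted' rows,
    so you can later show that the user was asked and declined."""
    now = now or datetime.now(timezone.utc)
    records = []
    for purpose, granted in parse_consents(form).items():
        version, text = CONSENT_WORDING[purpose]
        records.append(ConsentRecord(purpose, version, _sha256(text), granted,
                                     now.isoformat(), source_url, ip, user_agent))
    return records


class ConsentLog:
    """Append-only log: withdrawal is a new record, never a deletion,
    so the audit trail shows when and how consent changed."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def append(self, records: list[ConsentRecord]) -> None:
        self._records.extend(records)

    def withdraw(self, purpose: str, *, source_url: str, ip: str,
                 user_agent: str, now: datetime | None = None) -> None:
        now = now or datetime.now(timezone.utc)
        version, text = CONSENT_WORDING[purpose]
        self._records.append(ConsentRecord(purpose, version, _sha256(text), False,
                                           now.isoformat(), source_url, ip, user_agent))

    def has_consent(self, purpose: str) -> bool:
        """The most recent record for the purpose decides."""
        for rec in reversed(self._records):
            if rec.purpose == purpose:
                return rec.granted
        return False


if __name__ == "__main__":
    # Constructed form post: email box ticked, SMS box left unticked.
    posted = {"name": "A. Person", "email": "a.person@example.org",
              "consent_email_marketing": "on"}
    log = ConsentLog()
    log.append(record_consents(posted, source_url="https://www.example.com/register",
                               ip="203.0.113.7", user_agent="Mozilla/5.0 (demo)"))
    print("email:", log.has_consent("email_marketing"), "sms:", log.has_consent("sms_marketing"))
```

Because a pre-ticked box also posts `on`, the server cannot tell a passive opt-in from a real one; the fix is on the form (never pre-tick) and in the record (store the wording version so the state of the form at the time is documented).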
GDPR And Data Storage
Where you store your data is important for compliance. A hosting provider's own claim to be "GDPR compliant" is not a transfer mechanism: a US-based server can only receive UK personal data without extra paperwork if the provider is certified under the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge"); otherwise you need an appropriate safeguard such as the ICO's International Data Transfer Agreement (IDTA).
Since the UK left the EU, transfers out of the UK are governed by the UK GDPR's own rules. Data may be stored in the UK, in the EEA, or in countries, territories and sectors covered by UK adequacy regulations; anywhere else needs an appropriate safeguard before the data is transferred.
UK data can be stored without additional safeguards in the following countries:
- All EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden), the other EEA states (Iceland, Liechtenstein, Norway) and the United Kingdom itself
- Other countries and territories with UK adequacy regulations, for example Switzerland, Japan, the Republic of Korea, Guernsey, Jersey and the Isle of Man, and the United States for organisations certified under the UK-US data bridge
UK data cannot be stored in the following countries without an appropriate safeguard such as an IDTA, because they have no UK adequacy regulations:
- Albania, Belarus, Bosnia and Herzegovina, Kosovo, Moldova, Montenegro, North Macedonia, Russia, Serbia, Turkey, Ukraine
PECR and Email Marketing
Direct marketing is governed by the Privacy and Electronic Communications Regulations (PECR) and is enforced by the Information Commissioner's Office (ICO). PECR covers electronic communication activities including the use of cookies and unsolicited marketing emails, calls and messages.
To abide by PECR, marketing emails and texts to individual subscribers may only be sent to people who have consented or who meet the soft opt-in conditions, and every message must offer an easy way to unsubscribe.
- Soft opt-in. Promotional emails sent without explicit consent must at least meet the soft opt-in conditions: you obtained the person's contact details in the course of a sale (or negotiations for a sale) of your own products or services, you are only marketing similar products or services, and you gave them a clear chance to refuse when you collected the details and in every message since.
- Make unsubscribing easy for the user. Include a link in every email that allows recipients to unsubscribe, and act on it promptly. Your ESP (email service provider) should have an automated unsubscribe method, and all reputable ESPs will refuse to send an email that does not include an unsubscribe link.
Failure to comply with PECR can result in ICO fines of up to £500,000 against the organisation and, for serious breaches, against its directors personally.
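The unsubscribe point above has a machine-readable side as well as the visible link: mail clients and large mailbox providers look for the `List-Unsubscribe` header (RFC 2369) and the one-click `List-Unsubscribe-Post` header (RFC 8058). The following is an added example, not code from this page or any ESP's API. It builds a marketing message with both headers plus a visible link, signs the per-recipient unsubscribe URL with an HMAC so a one-click POST cannot be forged to unsubscribe someone else or used to enumerate subscribers, and includes a pre-send check of the kind an ESP gate performs. The domain, key and addresses are constructed placeholders.

```python
"""Marketing email with machine-readable and visible unsubscribe routes
(added illustration; endpoint, key and addresses are constructed)."""
from __future__ import annotations

import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import quote

UNSUB_BASE = "https://mail.example.com/unsubscribe"      # assumed endpoint
UNSUB_KEY = b"constructed-demo-key-use-a-real-secret"   # assumed secret


def unsubscribe_token(address: str) -> str:
    """HMAC over the normalised address: the endpoint can verify the token
    offline, and nobody can mint one for an address they do not hold."""
    return hmac.new(UNSUB_KEY, address.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_unsubscribe(address: str, token: str) -> bool:
    """Constant-time check for the unsubscribe endpoint."""
    return hmac.compare_digest(unsubscribe_token(address), token)


def unsubscribe_url(address: str) -> str:
    return f"{UNSUB_BASE}?e={quote(address)}&t={unsubscribe_token(address)}"


def build_marketing_email(to_addr: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "offers@example.com"
    msg["To"] = to_addr
    msg["Subject"] = subject
    url = unsubscribe_url(to_addr)
    # RFC 2369: lets mail clients show a native "Unsubscribe" control.
    msg["List-Unsubscribe"] = (
        f"<{url}>, <mailto:unsubscribe@example.com?subject={quote(to_addr)}>"
    )
    # RFC 8058: clients POST this body to the https URL for one-click unsubscribe.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # The visible link PECR expects in every message.
    msg.set_content(f"{body}\n\nTo stop receiving these emails, visit:\n{url}\n")
    return msg


def unsubscribe_problems(msg: EmailMessage) -> list[str]:
    """Pre-send gate: returns an empty list when the message is compliant."""
    problems = []
    if "<https://" not in msg.get("List-Unsubscribe", ""):
        problems.append("missing https List-Unsubscribe header")
    if msg.get("List-Unsubscribe-Post") != "List-Unsubscribe=One-Click":
        problems.append("missing RFC 8058 List-Unsubscribe-Post header")
    if UNSUB_BASE not in msg.get_content():
        problems.append("no visible unsubscribe link in body")
    return problems


if __name__ == "__main__":
    m = build_marketing_email("alice@example.org", "March offers", "Hello Alice")
    print(m["List-Unsubscribe"])
    print("problems:", unsubscribe_problems(m) or "none")
```

On the receiving side the endpoint must accept the POST without any login step (a sign-in wall defeats the "easy to unsubscribe" requirement) and must honour the request even if the token arrives with a differently-cased address, which is why the HMAC is computed over the normalised form.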
Given how often personal data breaches occur, you must comply with the rules set out by the UK GDPR and PECR when it comes to e-marketing; otherwise you run the risk of landing in deep financial trouble.
How Does Data Consent Work?
A key aspect of the UK GDPR is that you need a lawful basis before you communicate with individuals electronically: for marketing, that is usually either their consent or your own legitimate interests. PECR then adds its own rules on top, so a lawful basis under the UK GDPR does not by itself permit an email or text.
When you gain consent, the data must be "collected for specified, explicit and legitimate purposes". Consent must be demonstrable (i.e. you have proof of how and when it was provided), and the individual must be able to withdraw their consent at any time, as easily as they gave it.
Where consent is not required by PECR, the UK GDPR's "legitimate interests" basis provides flexibility in sending communications, provided you have balanced your interest against the individual's rights and documented that assessment.
Appropriate marketing methods in line with legitimate interests include:
- Live phone calls to numbers not registered with the TPS/CTPS, emails or texts that meet the soft opt-in conditions, and emails or texts sent to corporate subscribers (business contacts at limited companies; sole traders and partnerships count as individuals and need consent or soft opt-in).
Inappropriate marketing methods where there is no legitimate interest include:
- Phone calls to TPS/CTPS registered numbers, phone calls to people who have objected to your calls, automated or recorded-message calls made without consent, and emails or texts to individuals without consent or soft opt-in.
Benefits of Data Cleansing for GDPR
Data cleansing helps to ensure that all customer data in an organisation is accurate, complete and up to date, which is itself a GDPR principle. By removing outdated and incorrect information, you reduce the amount of personal data you hold, lower the impact of any breach, and avoid sending marketing to people who have moved, died or asked not to be contacted.
Our software includes address cleansing, data suppression, data enrichment and deduplication, making data accuracy as easy as possible.
FAQs
Is explicit consent required in email marketing?
The UK GDPR requires consent to be freely given, specific, informed and unambiguous, given by a clear affirmative action and based on an understanding of how the information will be used. "Explicit" consent, a higher standard usually given in a written statement, is only required for special category data such as medical records.
For marketing emails to individuals, the practical rule comes from PECR: you need either consent or the soft opt-in described above. Legitimate interests can be your UK GDPR lawful basis for direct marketing, but it does not replace the PECR requirement.
What is the role of the ICO in enforcing the GDPR in the UK?
The ICO is the independent regulator responsible for enforcing the UK GDPR, the Data Protection Act 2018 and PECR in the UK. It can conduct investigations, issue fines, serve enforcement notices and take legal action against organisations that breach the legislation.
Want to find out more? Get in touch!
Updated 25th March 2025.
Topic: Email Validation