The Beginner’s Guide to The General Data Protection Regulation (GDPR)

Are you new to the GDPR or unsure how it affects you and your business? Here's a brief overview of the main things you need to know.

1. What does GDPR stand for?

GDPR stands for General Data Protection Regulation.

2. When did GDPR come into effect?

The Data Protection Act 2018 enacts the GDPR into UK domestic law and came into effect on 25th May 2018. Since 1st January 2021, when the UK left the European Union, the ‘UK GDPR’ has sat alongside the amended version of the DPA 2018. The UK government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.

3. What are the 7 principles of GDPR?

The 7 core principles of the GDPR are:

  • Fairness, Lawfulness and Transparency. You must be fair, honest, and transparent with individuals whose data you are processing.
  • Purpose Limitation. You must be clear about your purpose(s) for processing personal data.
  • Data Minimisation. You should only process the information that you need to make a decision.
  • Accurate and relevant. Keep personal data accurate and up to date.
  • Storage Limitation. You should only keep the individual’s data for as long as is necessary.
  • Integrity & Confidentiality. You must keep personal data safe and secure.
  • Accountability. This underpins the above principles. You must be responsible and adhere to the rules of GDPR.

(Under the original Data Protection Act (DPA) 1998, there were 8 principles. 7 of these were similar to the current GDPR principles above. Originally, they were fairness and lawfulness, purposes, adequacy, accuracy, retention, rights, and security. The additional 8th principle referred to international transfers, for which there is no GDPR equivalent.)

4. GDPR vs DPA – what’s the difference?

The General Data Protection Regulation (GDPR) is a 2016 EU regulation that was incorporated into the UK Data Protection Act 2018 to maintain a Europe-wide standard and introduce stronger legislation on the handling of personal data. While the UK remained part of the European Union, the DPA 2018 continued to reference the EU GDPR. However, as of 1st January 2021, the DPA 2018 now only relates to the UK GDPR.

NB. The EU GDPR still applies to your organisation if you process personal data on European residents.

5. Who does GDPR apply to?

The EU GDPR applies to:

  • Any organisation (large or small) that has an office in the EU and processes personal data as part of its business activities.
  • Any organisation outside of the EU that offers goods/services to EU residents (paid or free).
  • Any organisation that monitors the behaviour of EU residents.

Example: if you are a UK organisation with no offices in the EU, yet you are offering goods/services to EU residents, then the EU GDPR applies to you.

The UK GDPR applies to:

  • Any organisation (large or small) that has an office in the UK and processes personal data as part of its business activities.
  • Any organisation outside of the UK that offers goods/services to UK residents (paid or free).
  • Any organisation that monitors the behaviour of UK residents.

Example: if you are a US-based organisation with no offices in the UK, yet you are monitoring the behaviour of UK residents (e.g., Strava), then the UK GDPR applies to you.

6. Why is GDPR important?

It serves to protect people’s personal data and ensure that companies that process personal data do so correctly and legitimately.

7. What steps should I follow to become GDPR-compliant?

The first and most important step is to map all your data, followed by updating your GDPR policies and procedures, and then training everyone involved (usually the whole company). So:

  • Step 1. Review all your data and list all the different sources it comes from.
  • Step 2. From this data mapping, create a register of all your processing activities, and update your policies and procedures.
  • Step 3. Educate your team/staff on how to manage personal data, including how to report a breach and handle subject access requests (SAR).
  • Step 4. Build in regular review dates to ensure that your policies and procedures are still accurate and up to date.

8. What is classed as ‘personal data’?

Any information relating to an individual that directly or indirectly allows them to be identified or distinguished from other individuals.

9. How long can I keep personal data for?

Only for as long as you are actively and legitimately using it. As soon as you no longer need the data, you should destroy it. Exceptions are reasons that relate to archiving purposes in the public interest, scientific or historical research, or statistical purposes.

10. Can users opt out of GDPR?

No. Any business or organisation that processes personal data must comply.

11. How can users find out what information companies hold on them?

By submitting a subject access request (SAR) either verbally or in writing. If you receive a SAR, you must respond as soon as possible and within one month of receiving the request.

12. Does GDPR apply to small businesses, charities and clubs?

Yes, GDPR applies to *anyone processing personal data. So, if you’re a small business, charity or club and hold people’s names and contact details or other personal information on members, customers or donors, you must adhere to UK data protection law.

You’ll also likely need to pay a data protection fee (and can check this by going to https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/).

* The only exception is when you process someone’s data as part of your everyday personal or domestic activities (e.g. in a non-professional, non-commercial capacity such as personal correspondence or social networking).

13. What’s the difference between a data controller and a data processor?

A data controller refers to the person and/or organisation who decides for what purposes and how any personal data will be processed, whereas a data processor is any person and/or organisation who processes the data on behalf of the data controller.

Example: your organisation (data controller) decides it wants to start sending out a monthly newsletter to its existing customers to keep them up to date with “latest news”. To do so, it needs the name and email address of its customers. You decide to use Mailchimp (data processor) as the platform to design and distribute your monthly newsletter to your customers.

Mailchimp (data processor) is processing the personal data of your customers on your behalf (data controller).

14. Do I have to have a cookie policy on my website?

If your website does not use any cookies, then you are not required to have a cookie policy. However, if you use Google Analytics or Facebook Pixels for example then you are required to have a cookie policy.

The cookie policy requirement is governed by the Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act and the UK GDPR. PECR has adopted the GDPR’s definition of consent, so your policy needs to state what cookies there are, what data they collect and how that data will then be used. You must also give visitors the option to accept or decline them before continuing.

15. Do I have to have a privacy policy on my website?

Yes – if you’re going to be processing visitors’ personal data. Visitors to your website have the ‘right to be informed’ (according to articles 13 and 14 of the GDPR) so your privacy policy should tell them what data of theirs you’ll be processing and why. Having a privacy policy also shows that you’re being transparent with your processing activities (and complying with one of the first principles of the GDPR). Even if you aren’t going to be processing visitors’ data, it’s still good practice to include one to demonstrate transparency.

16. How does GDPR affect things like Google Analytics?

Before you can drop a Google Analytics cookie onto a user’s device, you must first get their consent to do so – usually by a notification asking them if they want to accept cookies or not. In instances when a user doesn’t give consent, expect your website analytics to dip as you won’t be logging every page view or visit to your site. This also applies to other technologies such as Facebook Pixels.

17. How do I know if I’ve suffered a data breach?

Receiving lots of antivirus alert messages can often be an early indication. (To investigate further, it’s worth checking dedicated data breach websites such as Have I Been Pwned.) You might also start getting phone calls from your clients or social network saying that they’ve received an unusual email from you, or, in extreme cases, you may find that you’ve been locked out of your account(s) altogether.

18. I hate having to set my cookie preferences on every website. What can I do?

You can choose to delete existing cookies, allow or block all cookies, and set preferences for certain websites. If you’ve consented to cookies, you shouldn’t have to set your cookie preferences every time you visit the same website (as the website host should have recorded your decision and remember your preferences for future visits). However, if you’ve declined cookies, you may still be prompted to make a consent choice the next time you visit that site, if the website has not recorded your preferences.
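The consent gate described in questions 14, 16 and 18 above (no analytics cookie before an explicit choice, and both accept and decline recorded so the visitor is not re-prompted) can be implemented as a small piece of page script. The following is an added example, not code from the original article or from any consent-management product; the storage key name, the `storage` interface and the `loadAnalytics` callback are assumptions chosen so the logic runs in Node without a browser. In a real page `storage` would wrap `window.localStorage` and `loadAnalytics` would insert the analytics `<script>` tag.

```javascript
// Added example (not from the original article): a minimal consent gate for
// analytics cookies. Storage and script loading are injected so the logic
// runs without a browser; on a live page `storage` would wrap localStorage
// and `loadAnalytics` would insert the analytics <script> tag.

const CONSENT_KEY = 'cookie-consent-v1'; // constructed key name (assumption)

// Build a consent manager over a key/value storage ({get, set, remove}) and a
// loader callback that is invoked only once the visitor has accepted.
function createConsentManager(storage, loadAnalytics) {
  let analyticsLoaded = false;

  // Recorded decision: 'accepted', 'declined' or null (no valid decision yet).
  function getDecision() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed.decision === 'accepted' || parsed.decision === 'declined'
        ? parsed.decision
        : null;
    } catch (e) {
      return null; // corrupt value: treat as "no decision", ask again
    }
  }

  // Record accept AND decline. Storing only acceptances is what causes the
  // repeated prompting described in the article for visitors who declined.
  function recordDecision(decision, now = Date.now()) {
    if (decision !== 'accepted' && decision !== 'declined') {
      throw new Error('decision must be "accepted" or "declined"');
    }
    storage.set(CONSENT_KEY, JSON.stringify({ decision, at: now }));
    applyDecision();
    return decision;
  }

  // The banner is shown only when no valid decision is stored.
  function needsBanner() {
    return getDecision() === null;
  }

  // Load analytics only after an explicit acceptance, never on decline or
  // before a decision. Idempotent within one page load.
  function applyDecision() {
    if (getDecision() === 'accepted' && !analyticsLoaded) {
      loadAnalytics();
      analyticsLoaded = true;
    }
    return analyticsLoaded;
  }

  // Withdrawal of consent: clear the stored decision so the banner returns.
  // An already-inserted script cannot be unloaded here; reload the page after.
  function withdraw() {
    storage.remove(CONSENT_KEY);
  }

  return { getDecision, recordDecision, needsBanner, applyDecision, withdraw };
}

// In-memory stand-in for localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, String(v)); },
    remove: (k) => { m.delete(k); },
  };
}

// Simulate two page loads sharing one storage. Returns whether each visit
// needed the banner and how many times the analytics loader ran.
function simulateVisits(decision) {
  const storage = memoryStorage();
  let loads = 0;
  const loader = () => { loads += 1; };

  // Visit 1: nothing stored, banner shown, visitor decides.
  const visit1 = createConsentManager(storage, loader);
  const bannerOnVisit1 = visit1.needsBanner();
  visit1.recordDecision(decision);

  // Visit 2: fresh page load, decision read back from storage, no banner.
  const visit2 = createConsentManager(storage, loader);
  const bannerOnVisit2 = visit2.needsBanner();
  visit2.applyDecision();

  return { bannerOnVisit1, bannerOnVisit2, loads };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('accepted:', simulateVisits('accepted')); // loads: 2, one per page load
  console.log('declined:', simulateVisits('declined')); // loads: 0
}
```

Running the block simulates an accepting visitor (analytics loaded on each page load, banner only on the first visit) and a declining visitor (analytics never loaded, and still no banner on the second visit because the decline was recorded). Storing a timestamp with the decision lets a site expire old consents and re-ask after a defined period, which is the same mechanism a site would use when its cookie set changes.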

Want a quick and easy way to get on top of the GDPR? Sign up to our helpful online courses.

The Introduction to Data Protection course provides essential training for new starters, anyone new to data protection or those needing a GDPR refresher. Just 60 minutes long, it gives you everything you need to understand the GDPR better. Click here for more details.

The GDPR for Business e-learning course is ideal for business owners new to the GDPR. Packed full of easy-to-follow tips and relevant examples, it will give you a solid and practical understanding of the GDPR and how best to use it in your business. Click here for more details.

Databasix

We are a people-focused data consultancy, using our expertise in data collection and data protection to help organisations improve efficiency and decision-making.

Kellie Peters

Founding Director
