22 April 2021
UK GDPR Top Tips
By Naomi Korn, Managing Director
In the UK, the General Data Protection Regulation (GDPR) sits side by side with the Data Protection Act 2018 as the UK GDPR. The intention of this EU-derived legislation was to harmonise data protection rules across EU member states. It applies to data processing carried out by individuals and organisations operating within the EU, but also applies to organisations outside the EU that offer goods and services to EU citizens. The UK GDPR significantly enhances the rights of data subjects in the processing of their personal data and strengthens the current system. The Data Protection Act 2018 controls how personal data is used by organisations, businesses and the government. Here are some of my top tips for complying with UK GDPR:
1. Avoid scaremongering about UK GDPR. UK GDPR is about embedding long-term, systematic “privacy by design” processes and policies within organisations. There is no ICT system that solves it!
2. You can bring together your external compliance obligations in one place. For example, your privacy notice should clearly state why you are collecting personal data, etc. It can be published online alongside your copyright notice, which explains your position on copyright and states what users of your website can do with your content.
3. Being compliant with the data protection legislation and keeping personal data safe dovetails into other requirements such as safeguarding and the new Information Commissioner’s Office (ICO) Children’s Code. More details about this new code are available on the ICO website.
4. Data protection laws apply to print and digital forms of personal data. Know what you have, why and where it is stored. Decide if you should keep it or not, and if so, make sure you plan how you keep it safe.
5. If you can’t find a legal justification for processing personal data, delete or destroy it. Otherwise, it’s your risk.
6. Compliance with data protection is about good data hygiene. It is a great opportunity to spring-clean your personal data and delete the personal data you no longer need.
7. Make sure you understand your obligations as a Data Controller when others are processing your personal data on your behalf. Always ensure you use robust contractual agreements between you and your data processors.
8. Think holistically about how you can embed “Privacy by Design” into everything you do. Your existing policies like social media, ICT & HR can usefully be amended to cover your UK GDPR obligations.
9. Embed clear guidance about data protection into staff awareness & engagement. It’s everyone’s responsibility and important to maintain high levels of staff awareness particularly when more of us are working remotely and online.
10. Map out your next steps to be compliant with UK GDPR in an action plan comprised of short-, medium- and long-term actions and who will take them forward. You won’t be able to do everything at once, but you can start your journey sensibly whilst committing to long-term organisational change.
© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA).
Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (April 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.