UK GDPR Crib Sheet

What is the UK GDPR?

  • The UK General Data Protection Regulation (UK GDPR) governs how organizations collect, store, and use personal data in the UK.
  • It mirrors the EU GDPR but applies specifically to the UK since Brexit.
  • It's designed to protect people's privacy and give them more control over their personal data.

Definitions

  • Personal Data: Any information relating to an identified or identifiable living person, on its own or combined with other data (name, email, address, IP address, etc.).
  • Data Subject: The person whose data is being processed.
  • Data Controller: The organization that decides why and how personal data is processed.
  • Data Processor: A third party that processes personal data on behalf of the controller.

Core Principles

  1. Lawfulness, Fairness, and Transparency:

    • Only collect data if you have a legal reason (e.g., consent, contract).
    • Be upfront and clear with people about how their data is used.
  2. Purpose Limitation:

    • Only use data for the reason you collected it and nothing else (unless you get further consent).
  3. Data Minimization:

    • Only collect the data you need, nothing more.
  4. Accuracy:

    • Keep personal data accurate and up-to-date. Fix any mistakes quickly.
  5. Storage Limitation:

    • Don’t keep data longer than you need it. Delete or anonymise it when done.
  6. Integrity and Confidentiality (Security):

    • Keep data secure. Use encryption, strong authentication, and least-privilege access controls so that only those who need the data can reach it.
  7. Accountability:

    • Be able to show you’re following the rules (keep records, conduct audits, etc.).

Key Rights of Data Subjects

  1. Right to Access: People can ask for copies of their data.
  2. Right to Rectification: They can ask you to fix incorrect data.
  3. Right to Erasure ("Right to be Forgotten"): People can request you delete their data, especially if it's no longer needed.
  4. Right to Restrict Processing: Individuals can ask you to stop using their data without deleting it.
  5. Right to Data Portability: They can ask for their data in a portable format (e.g., CSV file) to use elsewhere.
  6. Right to Object: They can object to their data being used for certain things (like marketing).
  7. Rights regarding automated decision-making: If a decision about someone is made solely by automated means, they can contest it or request human intervention.

Legal Bases for Processing Data

You need at least one of these to collect/process data:

  1. Consent: The person gave clear permission.
  2. Contract: The data is needed to fulfil a contract.
  3. Legal Obligation: You’re required by law to process the data.
  4. Vital Interests: It’s necessary to protect someone’s life.
  5. Public Task: You're carrying out a task in the public interest or exercising official authority.
  6. Legitimate Interests: You have a legitimate reason to process the data (must balance your needs against people's rights).

Data Breach Protocol

  • If personal data is exposed or compromised and this is likely to put individuals at risk, report it to the ICO (Information Commissioner's Office) within 72 hours of becoming aware of the breach.
  • Inform affected individuals without undue delay if there's a high risk to their rights and freedoms.

Fines

  • Lower-tier infringements can cost up to £8.7 million or 2% of global annual turnover (whichever is higher).
  • Higher-tier infringements can go up to £17.5 million or 4% of global annual turnover (whichever is higher).

Practical Tips

  • Get consent properly: Make sure people know exactly what they’re signing up for, don’t bundle consent, and make it easy for them to withdraw.
  • Data audits: Regularly check what data you have, why you have it, and if you really need it.
  • Train your team: Everyone handling personal data should know these rules.
  • Document everything: Keep records of how and why you're processing data.