UK GDPR Crib Sheet
What is the UK GDPR?
- The UK General Data Protection Regulation (UK GDPR) governs how organizations collect, store, and use personal data in the UK.
- It mirrors the EU GDPR but applies specifically to the UK since Brexit.
- It's designed to protect people's privacy and gives them more control over their personal data.
Definitions
- Personal Data: Anything that identifies a person (name, email, address, IP address, etc.).
- Data Subject: The person whose data is being processed.
- Data Controller: The organization that decides why and how personal data is processed.
- Data Processor: A third party that processes personal data on behalf of the controller.
Core Principles
Lawfulness, Fairness, and Transparency:
- Only collect data if you have a legal reason (e.g., consent, contract).
- Be upfront and clear with people about how their data is used.
Purpose Limitation:
- Only use data for the reason you collected it and nothing else (unless you get further consent).
Data Minimization:
- Only collect the data you need, nothing more.
Accuracy:
- Keep personal data accurate and up to date. Fix any mistakes quickly.
Storage Limitation:
- Don’t keep data longer than you need it. Delete or anonymise it when done.
Integrity and Confidentiality (Security):
- Keep data secure. Use encryption, strong passwords, and limit access to only those who need it.
Accountability:
- Be able to show you’re following the rules (keep records, conduct audits, etc.).
Key Rights of Data Subjects
- Right to Access: People can ask for copies of their data.
- Right to Rectification: They can ask you to fix incorrect data.
- Right to Erasure ("Right to be Forgotten"): People can request you delete their data, especially if it's no longer needed.
- Right to Restrict Processing: Individuals can ask you to stop using their data without deleting it.
- Right to Data Portability: They can ask for their data in a portable format (e.g., CSV file) to use elsewhere.
- Right to Object: They can object to their data being used for certain things (like marketing).
- Rights regarding automated decision-making: If decisions are made about someone using only automated processes, they can contest or request human intervention.
Legal Bases for Processing Data
You need at least one of these to collect/process data:
- Consent: The person gave clear permission.
- Contract: The data is needed to fulfil a contract.
- Legal Obligation: You’re required by law to process the data.
- Vital Interests: It’s necessary to protect someone’s life.
- Public Task: You’re doing something for the public good.
- Legitimate Interests: You have a legitimate reason to process the data (must balance your needs against people's rights).
Data Breach Protocol
- If personal data is exposed or compromised, report it to the ICO (Information Commissioner's Office) within 72 hours.
- Inform affected individuals if there’s a high risk to their privacy.
Fines
- Minor breaches can cost up to £8.7 million or 2% of global turnover (whichever is higher).
- Serious breaches can go up to £17.5 million or 4% of global turnover (whichever is higher).
Practical Tips
- Get consent properly: Make sure people know exactly what they’re signing up for, don’t bundle consent, and make it easy for them to withdraw.
- Data audits: Regularly check what data you have, why you have it, and if you really need it.
- Train your team: Everyone handling personal data should know these rules.
- Document everything: Keep records of how and why you're processing data.