The GDPR has now been in force for over four years. Since then, large, medium and small businesses have been getting to grips with its various requirements, including having appropriate procedures in place, data security arrangements, compliant privacy policies and compliant contracts.
Also, since that time, we’ve had Brexit, and UK businesses now find themselves subject to a UK-law version of the GDPR.
In respect of your business, you may have asked yourself, or been asked, one of the following questions (or something to that effect):
- Does the GDPR apply to my business?
- Does my business process personal data?
- What exactly is data processing?
- What is a lawful basis for processing?
In this article, we will explore these questions by revisiting the fundamentals of this area of data protection law. We will do so by breaking down each aspect of the question: ‘what is data processing under the GDPR?’
What is the GDPR?
On 25th May 2018, the EU General Data Protection Regulation 2016/679 (GDPR) came into effect and became law across all Member States of the European Union.
The GDPR protects individuals' privacy rights and places obligations on organisations in those Member States. The UK was still a Member State of the EU at the time.
Does the GDPR still apply in the UK?
Yes, it does.
Following the Brexit referendum in 2016, the UK officially left the EU on 31st January 2020. However, the UK has retained a UK version of the GDPR (which we will refer to as the UK GDPR) that is substantially the same as the GDPR.
Therefore, the GDPR (albeit a UK version) continues to protect the privacy rights of individuals and applies to businesses in the UK. We will look at the UK GDPR specifically, but the same principles apply equally when applying the GDPR.
At the heart of the GDPR and UK GDPR is protecting personal data.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (i.e. a living human being). The UK GDPR refers to such persons as “data subjects”.
Examples of such information relating to a person include:
- Their name
- Email address
- Place of residence
- Date of birth
- Telephone number
- Place of work
- Salary or bank details
Further examples can include:
- Opinions about a person
- Disciplinary records
- Email conversations (mainly where people are being discussed)
- Location (based on where a person’s device is)
- Website cookies (and similar types of web or app trackers)
- IP addresses
The definition of ‘personal data’ is purposely extensive, intending to capture a wide range of information which could somehow build a profile, story, or understanding about a person. This means anything that reveals their physical or physiological attributes, genetic makeup, mentality, economic situation, culture, expressions, views or behaviour.
Only data that is truly anonymous or data that has had an individual's identity permanently removed (and rendered incapable of identifying an individual) is not considered personal data. The GDPR is not concerned with anonymised data.
What is data processing?
Data processing or “Processing” is also broadly defined. It is essentially any operation performed on personal data. The list of examples is long and includes:
- Making available
- Deleting (or erasing)
Does the UK GDPR apply to my business?
It is very likely, yes.
Any UK business processing personal data is caught by the UK GDPR and is required to comply with its requirements. As long as your business has customers, staff, or contacts, it will likely be processing data under the GDPR. This means practically all organisations in the UK are subject to the UK GDPR and require a legal basis for processing personal data.
In practice, you will most likely be processing personal data in many of your routine activities:
- Sending an email or chat message to a colleague or client
- Attaching files
- Handling spreadsheets
- Using software
Each of the above is data processing under the UK GDPR.
Organisations, of course, differ significantly in terms of what processing activities they carry out, their size and the amount and types (varying sensitivity) of personal data they process.
Therefore, the UK GDPR will apply differently to different organisations, and the risk will vary from business to business.
What might happen if a business fails to comply with the UK GDPR?
The UK GDPR is enforced by the Information Commissioner’s Office (or the ICO).
The ICO has many powers, including investigating and issuing enforcement notices for non-compliance. In severe cases, the ICO can also issue significant fines.
What should my business do?
Now that you understand the basics of the GDPR and data processing, you need to make sure your business is compliant. Here are some useful first steps you can take:
- Have a solid understanding of what kind of personal data you are processing
- Determine whether you have a legal basis for processing data under GDPR
- Consider carrying out training
- Consider having internal written policies relating to data protection
- Register with the ICO and pay a fee unless your business is exempt
If you’re using a third party to process customer data (examples include data hosting and marketing/IT/HR services), then you will need a Data Processing Agreement. You can download LawBite’s free Data Processing Agreement template, which our expert GDPR lawyers have drafted.
Get legal assistance from LawBite
Our expert data protection lawyers have helped thousands of SMEs with GDPR compliance. We have also created GDPR-specific service packages that support you at different stages of your GDPR journey. To find out how we can support your business, book a free 15-minute consultation or call us on 020 3808 8314.