We’re now familiar with the GDPR (General Data Protection Regulation), but since the UK’s exit from the EU we now have our very own, UK-specific legislation…called (unsurprisingly) the UK GDPR.
In this digital age, more and more of us are sharing personal information online. Since the arrival of Covid-19 we’re now literally “living” online, with few alternative options. Whether ordering groceries and meals to prevent transmission/exposure; registering with platforms to enable video-calling; or subscribing to retail businesses to purchase clothing, gifts and other items; many of us have far more personal data floating in the ether than we did just a year ago – and this is only expected to increase in years to come.
As both customers and suppliers, we should have some grasp of the UK GDPR principles and the enhanced rights afforded, compared to earlier legislation:
1. Lawfulness, Fairness & Transparency
- Personal data should only be requested for a legitimate reason (a ‘lawful basis’), together with a clear explanation as to what will be done with the information obtained.
2. Storage Limitation
- The information collected should only be held/stored for a finite period of time, documented within an organisation-specific Retention Policy.
- The data should be correct at the time it is collected, and efforts made to maintain its accuracy for the duration of the processing activity.
4. Integrity & Confidentiality
- Adequate technological systems should be in place to ensure the security of the data from unauthorised access. Only individuals/business departments with a specific need should be allowed full access to the data.
5. Purpose Limitation
- The information should be used strictly for the purpose(s) described when initially collected. If there is a need to use the same data for a different activity, consent must be requested beforehand (unless another lawful basis can be applied).
6. Data Minimisation
- Only data explicitly necessary for the purpose of the processing activity should be obtained, any data deemed excessive will be considered a breach of the Regulation.
- Each organisation must take full responsibility over the processing, collecting and/or storage of individuals’ personal data. Liability for breaches to data protection legislation cannot be “passed” to other parties. Evidence of compliance through the implementation of internal privacy policies and procedures is the only safeguard against penalties issued by the ICO.
As innovation advances and technology moves toward providing “easier” lifestyles for us all, organisations must continue to evolve in order to navigate the ever-changing regulatory landscape. We, as individuals, also have a responsibility to understand who has our personal data and exactly what they’re doing with it.