Is UK GDPR relevant to my business?
UK GDPR is a relatively new area of law that is directly applicable to any business that processes the personal data of individuals based in the UK. Personal data includes data categories such as names, email addresses, IP addresses and any other information that directly or indirectly identifies a living individual.
What are the penalties for non-compliance with UK GDPR?
It can be hard to navigate this complex and document-heavy area without expert help and advice, and the consequences of non-compliance can range from a suspension of trading for the duration of an investigation to fines of as much as £17.5 million or 4% of annual worldwide turnover, whichever is higher, for serious breaches.
Data processor vs data controller
Your business may be a data processor if it has access to, or merely processes, personal data on another party’s behalf, such as data about your customers’ employees, clients or similar. It may at the same time be a data controller in relation to the personal data it collects and keeps on its own employees, contractors, customers, users and other categories, wherever your business is able to make decisions as a data controller about such personal data.
UK GDPR compliance documents
Compliance with UK GDPR requires a business to have in place tailored internal policies as well as documents made available to data subjects, typically via the business’ website and app.
Internal documents often include policies such as a Data Protection Policy, Data Retention Policy, IT Security Policy, Data Subject Access Request Policy (or a general Data Subject Rights Policy), Data Incident or Data Breach Policy and others, depending on the particular business and the categories of personal data and their processing. In some situations businesses are required to carry out and follow Data Protection Impact Assessments.
Employee-related UK GDPR documents often include privacy notices, contractual language and consent forms where relevant.
External-facing documents often include a privacy notice for the website, a cookie policy and consent language where relevant.
Where there is sharing of personal data, data sharing agreements need to be in place.
It is a legal requirement to have data processing language (Art. 28) or data processing agreements in place with any data processor.
Where personal data is accessed from outside the UK or is sent outside the UK, whether by employees or contractors, by being stored on servers or otherwise, the necessary assessments and measures (often contractual) must be put in place.
How can Dumonts help?
We can provide UK GDPR audits to identify gaps in compliance, draft documents tailored to your business, help you respond to data subject access requests (DSARs) and provide advice, as well as training.