Application of UK GDPR

The UK GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified from that information. This definition includes names, addresses, dates of birth, identification numbers and location data. Information about companies is not generally personal data (as the ‘identifiable person’ has to be a living individual). For guidance on what constitutes personal data, see the linked guidance.

There is also a sub-set of personal data to which stricter rules apply, called ‘special category data’. This is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health data and data concerning a person's sex life or sexual orientation. Personal data relating to criminal convictions and offences is not included, but it has its own special safeguards. If you are using any special category data or criminal offence data, it is even more important that you familiarise yourself with these rules.

The rules cover the ‘processing’ of personal data, and ‘processing’ is very widely defined to include storage, usage and transmission.

Organisations that process personal data are categorised into ‘data controllers’ and ‘data processors’. The difference between the two is clearest when looking at the reason for processing the data. Data processors typically use data belonging to data controllers and act at their request. The firm is therefore a data controller, as are most of our suppliers (a few suppliers, such as our IT providers, are data processors). For completeness, your company will also be a data controller in its own right if it holds personal information that it processes. You can find out more about the differences between data processors and data controllers here, and you can use this online self-assessment tool to determine whether you need to register under UK GDPR. Registration costs £52 a year for entities (e.g. your service company) with a turnover of up to £632,000. For entities with a higher turnover, it costs £78. There is a discount of £5 if you pay by direct debit. Anecdotally, we understand that many of our consultants have formed the view that they do not need to register on account of the very limited data processing they undertake.

All data controllers and data processors must comply with the core principles of UK GDPR. These are that personal data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to the individual;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.