Lawrence Stephens

We are a *knowledge business

UK GDPR – Where Are We Now?

February 2021

Remember back in 2018 when all anyone talked about was the looming enactment date of the GDPR, and the 25 May deadline was etched in your brain for months? Now, this seems like a distant memory and the troubles of 2018 pale in comparison to Brexit, a global COVID-19 pandemic and lockdown 3.0.

However, the Information Commissioner’s Office (ICO), the body responsible for all things data protection in the UK, are as active as ever and have issued new guidance in their Data Sharing: Code of Practice, reminding us that GDPR compliance is here to stay in the form of UK GDPR.

So what is the latest on UK GDPR, and what should businesses be doing to keep up with the rules?

Getting Over the GDPR “Bridge”

The UK GDPR is essentially a snapshot of the EU GDPR, which was in place up until the UK officially left the EU on 1 January 2021. For now, nothing has changed in the UK with respect to GDPR. The UK government has applied for an “adequacy decision” with the EU and in the interim – the “bridge” – nothing will change and personal data transfers to and from the EU can continue within the rules.

The ICO Flexing its Muscles

In December 2019, the ICO fined a London-based pharmacy £275,000 for failing to ensure the security of special category data.

Doorstep Dispensaree Ltd (DDL), which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. DDL was considered to have failed to implement appropriate organisational measures to ensure the appropriate security of the personal data it processes and that it had processed personal data in an unsecure manner. It was considered to have likely held onto personal data for longer than was necessary and failed to collect required information.

In November 2020, the ICO fined Ticketmaster UK Limited (Ticketmaster) £1.25 million for failing to keep its customers’ payment details secure. It was found that the company had insufficient cyber-security to prevent a cyber-attack on its online chat-bot which had been installed on its payment page.

Ticketmaster had failed to assess the exposure of risk concerning the chat-bot; identify and implement appropriate security measures to negate the risks; and identify the source of suggested fraudulent activity in a timely manner.

The ICO’s New Data Sharing: Code of Practice

In December 2020, the ICO issued a new Data Sharing: Code of Practice, a practical guide for organisations about how to share personal data in a way that is compliant with UK data protection law.

What Should Businesses Do to Keep Up with UK GDPR?

To the uninitiated, it can seem like the list of GDPR requirements is never-ending, however when you have the framework in place, it is much easier to navigate. There are some actions that should be top of your list to ensure that your business accomplishes UK GDPR compliance with ease:

  1. Appointing an individual in your business to be responsible for data protection compliance.
  2. Ensuring that employees are aware of the data protection policies and procedures that you have in place.
  3. A Data Protection Impact Assessment (DPIA) should be conducted. This is a process to analyse, identify and minimise the data protection risks that your business faces. It is important to record DPIAs and revisit them regularly.
  4. Once a DPIA has been carried out, it will be easier to identify which operational and technical measures should be implemented.

We have worked with clients to help them consider the results of DPIAs and to produce tailored data protection policies that suit their needs. If you have any questions regarding GDPR and your business, please do not hesitate to contact our Corporate & Commercial Team.