Posted By
Ann Bevitt

Does our business need to comply?

Regardless of where you are based and where you process personal data, if you process the personal data of individuals in the EU or UK (for example by offering them goods or services, or by monitoring their behaviour), you are likely to be subject to European data protection laws, including the General Data Protection Regulation (GDPR) and its UK equivalent. You may also be under a contractual obligation to comply with EU data protection laws in your agreements with other companies and vendors. This means that even non-EU businesses may have to comply with EU data protection law.

The Six Key Principles of European Data Protection Laws

European data protection laws require that you abide by six key principles. The principles require that personal data is:

  1. processed lawfully, fairly and in a transparent manner;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purpose(s) for which it is processed;
  4. accurate and, where necessary, kept up to date;
  5. not kept in an identifiable form for longer than is necessary for the purpose(s) for which it is processed; and
  6. kept secure using appropriate technical and organisational measures.

In addition, personal data must be processed in line with individuals’ rights and not transferred to countries outside the European Economic Area (EEA) without adequate protection.

Guidelines

The following guidelines provide further guidance on these principles and good practice tips to help you comply with them.

Purpose

Collect as little personal data as possible. For example, don’t ask customers to log in or register and provide their personal details until it is necessary for a specific purpose. Only collect data that is relevant and proportionate to the purpose for which it is being collected.

Information

Inform people clearly on your website and/or in your terms and conditions who you are and how you will use their personal data. Have a comprehensive Privacy Policy which provides this information together with information about security, data retention and your contact details. You can generate a starting point yourself with the Cooley GO Docs Privacy Policy Generator.

Access

Limit access to personal data to those staff members who need it for work-related purposes, and remove access when it is no longer needed.

Storage

If possible, store all personal data in the EEA or UK. If you transfer data outside the EEA or UK, make sure that the data are adequately protected, for example because the destination country benefits from an adequacy decision or because you have put appropriate safeguards (such as standard contractual clauses) in place with the recipient.

Security

You have a legal obligation to keep personal information secure. Take appropriate technical and organisational security measures (for example access controls, encryption, regular patching and backups) to prevent unauthorised access, loss, alteration, erasure or misuse of personal data, in both manual and electronic form. Have appropriate processes in place to manage electronic and manual records containing personal data, and to detect and respond to a breach if one occurs.

Review

Continually review and audit the accuracy and necessity of the data you collect. If you no longer need the data, ensure that it is disposed of securely. Encourage individuals whose data you collect to check and confirm the information you hold about them is correct.

Retention

Don’t keep data for longer than is necessary for the purpose for which it was collected.

Training

Appoint a data protection officer (mandatory for some organisations under the GDPR, and good practice for the rest), train staff in handling personal data securely, and make sure staff can recognise and escalate requests from individuals seeking to exercise their rights in respect of their personal data (for example, subject access requests).

Third parties

Ensure you have written contracts in place with subcontractors that process personal data on your behalf, requiring them to adopt adequate security measures and to guarantee fair processing of the personal data with which you provide them.

Children

Do not disclose or transfer data collected from children below the applicable age threshold (16 under the GDPR, which member states may lower to as low as 13; 13 in the UK) to third parties without the explicit and verifiable consent of the child’s parent or guardian.

Cookies

If your site uses cookies to collect information about users, provide a cookie notice explaining the types of cookies used and, for cookies that are not strictly necessary for the service the user has requested, obtain the user’s consent before setting them and give them an easy way to withdraw that consent.