Guide for UK GDPR Compliance

UK GPDR stands for General Data Protection Regulation in the United Kingdom, and came into effect on January 1st 2021, after leaving the EU.

GDPR is a personal data protection law that is designed to ensure the privacy of everyone’s personal data. It sets out specific legal obligations and protection policies that UK businesses must follow regarding how data is collected, stored and processed.

In today’s current digital climate, where seemingly everyone’s data is out there, the need for GDPR has never been more important.

GDPR Fines

With personal data never being more important than it is now, the UK has set out strict penalties for breaching GDPR, which include:

• A maximum fine of £17.5 million (or 4% of annual global turnover depending on which is higher), for breaching data protection principles such as unauthorised access or inappropriate security measures.
• A maximum fine of £8.7 million (or 2% of annual global turnover depending on which is higher), for breaching obligations such as failing to report data breaches or consent for data processing.

These principles previously existed under EU GDPR; CNET.com revealed within the first few days of the privacy laws, Google, Facebook, Instagram, and WhatsApp all received privacy complaints that had the potential to amount to an astonishing $9.3 billion in fines. These global tech giants were seen to have a “take it or leave it” stance with consumers, demanding that their terms of service be accepted so they use the service.

Protection Measures to Comply With GDPR

GDPR and Online Safety

To comply with GDPR, your website must protect user identities. This includes basic identity information such as name, age and bank details, as well as technical information including IP addresses.

The first way to do this is by using HTTPS and securing your website with an SSL certificate, as this will provide a secure connection between the user and the website, encrypting all information that is submitted on data-capture forms. 

If you are collecting data, you must also have a privacy policy with the following information:

• The types of personal data you collect and process
• The purposes of how you use the personal data
• How long you will retain the personal data
• Identity of who the personal data is being shared with
• User rights in relation to their personal data
• The methods you use to protect the personal data
• How individuals can request access and change their personal data

Other ways to ensure the safety of individual data include regularly updating the website’s software, encouraging the use of strong passwords and performing regular security audits.

GDPR and Data Capture

One of the biggest online protection risks that users face every day is how their data is captured. To ensure data capture is done correctly, you must make web forms clear, remove the automatic opt-in sign up’s, and have demonstrable consent.

• Clear and easily accessible forms – Any web registration form used to collect personal data must include specific and unambiguous details about what the individual is being asked to consent to.
• Do NOT implement a passive opt-in on web registration forms. An opt-in that’s already checked by default or an opt-out that’s unchecked by default are methods that are NOT compliant with GDPR.
• Consent must be demonstrable – Ensure you can show that consent is demonstrable i.e. capture when and where the individual consented and what they consented to.

GDPR and Data Storage

Where you store your data is incredibly important for GDPR compliance, and whilst USA-based servers may claim to be GDPR compliant, many are not. Data must be stored in UK-based or countries, territories and sectors covered by UK adequacy regulations.

Leaving the EU has no effect on where the UK can store data, as GDPR was enacted before Brexit. 

UK data can be stored in the following countries:

• Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom

UK data cannot be stored in the following countries:

• Albania, Belarus, Bosnia and Herzegovina, Croatia, Kosovo, Moldova, Montenegro, North Macedonia, Russia, Serbia, Turkey, Ukraine

PECR and Email Marketing

Direct marketing is governed by Privacy and Electronic Communications Regulations (PECR) and is enforced by the Information Commissioners Office (ICO). The PECR covers many electronic communication activities including the use of cookies and unsolicited marketing emails, calls and messages.

To abide by PECR, marketing communications should be sent to people with a legitimate interest. Emails sent should at least be soft opt-in, with an easy way to unsubscribe from future messages. 

• Soft opt-in – Promotional emails sent to contacts must have been at least softly opted in. Soft opt-in is when the email recipient has purchased or expressed an interest in the product or services your business offers. 
• Make unsubscribing easy for the user – Include a link in every email that allows recipients to unsubscribe with one click. Your ESP should have an automated unsubscribe method and all reputable ESPs will not allow email to be sent if it does not include an unsubscribe link.

Failure to comply with the ICO can result in fines of up to £500,000 issued against the organisation and directors.

Given the importance of data protection and security during these times when personal data breaches and hackers can strike at any moment, you must comply with the rules of operation set out by GDPR and PECR when it comes to e-marketing, otherwise, you run the risk of landing in deep financial trouble.

How does data consent work?

A key aspect of GDPR is that individuals must have a legitimate interest in order for you to communicate electronically with them.

When you gain consent, it must be “collected for specified, explicit and legitimate purposes”. Consent must be demonstrable (i.e. you have proof of how and when it was provided), and the individual must be able to withdraw their consent at any time.

However, GDPR uses “legitimate interest” which provides flexibility in sending communications.

Appropriate marketing methods in line with legitimate interests include:

• Post, Phone calls which have no TPS/CTPS registration, emails or text which have soft opt-in, and emails or texts sent to business contacts.

Inappropriate marketing methods where there is no legitimate interest include:

• Phone calls to TPS/CTPS registered numbers, phone calls to people who have objected to your calls, automated/robotic phone calls, and emails or text without soft opt in.

Benefits of Data Cleansing for GDPR

Data cleansing helps to ensure that all customer data in an organisation is accurate, complete and up to date. By removing outdated and incorrect information, you significantly reduce the risk of personal data breaches, and data misuse and ensure compliance with GDPR. 

At Hopewiser, our data cleansing software includes address cleansing, data suppression, data enrichment and deduplication, making data accuracy as easy as possible. 

Try our free trial today and reduce the risk of customer data breaches.

GDPR Frequently Asked Questions

Is explicit consent required in email marketing?

GDPR requires explicit consent from the user. This is an affirmative action taken by an individual and refers to their agreement for the processing of their personal data. Consent must be given freely and based on an informed knowledge of how their information will be used. 

Explicit consent is required for medical records and other sensitive data; this does not impact marketing emails which instead require a legitimate interest from the user.

What is the role of the ICO in enforcing the GDPR in the UK?

The ICO is the independent regulator responsible for enforcing the GDPR in the UK and can conduct investigations, issue fines, and take legal action against any organisation that breaches the regulation.