Taking data compliance from burden to opportunity
Complying with UK data protection law doesn’t have to be a barrier. Use this resource to help navigate the landscape with confidence.
As a business leader, whilst you don’t need to be a regulation expert, a robust knowledge of the UK’s data protection principles can help your business overcome concerns and potential pitfalls around establishing new data processes. By understanding the compliance landscape, you can turn a potential barrier into an opportunity, create tailored approaches that actually reduce your compliance burden and better support your business’ operations.
The 2018 Data Protection Act and UK General Data Protection Regulation (UK GDPR) form the foundation of UK data law. But businesses tell us that the size and complexity of these laws can be a barrier to taking on new approaches to collecting and using data. The perceived risk of making a mistake has made some businesses averse to using new data strategies to achieve their goals. But compliance does not have to be a barrier to maximising the data opportunity.
Use this resource for an overview of the UK’s data protection legislation. The compliance roadmap below will also equip your business to begin navigating the data protection landscape with confidence.
The principles underpinning data protection
UK Data Protection legislation is built on seven principles that should lie at the heart of your approach to processing personal data.
As put by the ICO: these principles are set out right at the start of the Data Protection legislation and inform everything that follows. They are not hard and fast rules but inform the spirit of the general data protection regime. Ensuring your business is complying with the spirit of these principles must be a fundamental building block of your data protection practice.
Find out more about these principles directly from the ICO.
Compliance
Use this project compliance roadmap to help guide your business through its compliance obligations.

Data Sharing
Interaction between businesses is a necessity. In many cases, this includes sharing and receiving personal data. This can give businesses access to more information and potentially additional insights. However, as outlined above, the compliance requirements around data sharing can appear tricky and businesses sometimes don’t know where to start.
Regardless of whether you are planning to share or receive personal data, you must bear in mind the data protection principles. The first thing to do is establish whether you are a controller or a processor of the personal data you are sharing or acquiring. Ask yourself:
- Do you collect the data directly?
- Who decides how it will be used?
- Have you been engaged by a third party to process it on their behalf?
If you are a controller of the personal data, it is for you to decide whether it can be shared with third parties, and for what purposes. If you are a data processor, there should be terms in your contract with the third-party controller that speak to what you can and cannot do with the data. Make sure you check these.
What’s next for data protection?
The UK government is currently reforming data protection legislation in the UK, following consultation in 2021. Whilst we know what is being proposed in the Data Protection and Digital Information Bill, it is not yet confirmed, so businesses should not start making operational changes just yet. The Bill considers reforms on a wide variety of matters, including the rules on cookies, changes to the role of the Information Commissioner’s Office (ICO) and the approach to international transfers of personal data.
Conclusion
The world of data protection is fast-paced and ever evolving. At this stage, businesses generally do not need to take substantial actions to proactively prepare for the implementation of the Data Protection and Digital Information Bill, as revisions may still be made. But it is a good idea to be aware of the areas of proposed changes, and the impact these changes may have on your business.
Additional resources
- ICO Guidance on the Principles of Data Protection
- Data Protection Legislation Compliance test for SMEs and sole traders
- ICO Data Sharing: A code of practice
- Government response to Data: A New Direction Consultation
- ICO Data Protection Impact Assessment Guidance
- ICO Data Protection Impact Assessment (DPIA) Template
- Data Protection and Digital Information Bill Second Reading

