URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.
The United Kingdom introduced its first law protecting electronically processed personal data, the Data Protection Act 1984, 40 years ago – one of the first countries in Europe to do so. The intervening years have witnessed an exponential growth in computer-held and shared personally identifiable information, to the extent that processing personal data is today one of the world’s biggest businesses, worth over $1 trillion per year to the global economy according to some estimates. Protecting the vast amounts of personal information processed by all kinds of organisations – public bodies as well as private sector businesses – has also grown proportionately in importance over this time. By data protection we do not just mean preserving the security or confidentiality of personal data (although that is an important part of it), but also upholding the principles and requirements of data protection legislation and maintaining the set of rights which all data subjects are afforded by it.
The UK General Data Protection Regulation (GDPR), together with the Data Protection Act 2018 (DPA 2018), is the United Kingdom’s main data protection law. The UK GDPR is the UK’s own post-Brexit version of the EU GDPR and was created by the DPA 2018. It governs the processing of personal data of people who are in the UK, either by organisations with an establishment here, or where the processing activities relate to offering goods and services to data subjects in the UK, or monitoring of their behaviour within the UK.
The DPA 2018 was introduced to apply the EU GDPR (which dates from 2016 but came into effect in 2018) in the UK, including derogations (national variations) to the EU GDPR which the Regulation allowed domestic lawmakers in individual Member States to make. It has Parts regulating law enforcement and intelligence services, for example, which were not covered in the EU GDPR. The UK GDPR is the EU GDPR adjusted for Brexit – e.g., changing terms such as ‘Member State law’ to ‘domestic law’ and ‘supervisory authority’ to ‘the Commissioner’, and references to the European Commission to ‘the Secretary of State’ - but essentially it is identical to the EU GDPR at the moment (i.e., unless it is amended by the UK Parliament). The EU GDPR continues to regulate British organisations’ processing of the data of people who are in the EU.
The UK GDPR contains 6 principles which every person or organisation processing the personal data of people who are in the UK must comply with.
To lawfully gather data subjects’ information, your organisation would need to justify the processing under one lawful basis of the 6 lawful grounds for processing data which are set out in the GDPR.
All processing you perform should be for a specific and explicit purpose, and data shouldn’t be further processed for a purpose incompatible with the original one.
You should only collect the minimum amount of data necessary for the purposes of the processing.
It is your responsibility to ensure that the information they hold on an individual is accurate and up to date where applicable.
Store personal data for as long as is necessary to achieve the purposes for which it is being processed.
Information must be processed securely, using appropriate technical and organisational measures.
The Regulation also sets out 6 lawful bases, or legal grounds, for processing of personal data. All processing must have at least one of these lawful bases.
The individual has given clear consent for you to process their personal data for a specific purpose.
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
The processing is necessary for you to comply with the law (not including contractual obligations).
The processing is necessary to protect someone’s life.
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
If your organisation processes sensitive personal data such as health information or details of an individual’s race, religion or sexual orientation – known as ‘special category personal data’ in the UK GDPR – then it must also meet an additional condition from a list of 10 specified in Article 9 of the Regulation.
The data subject has given their explicit consent to the processing.
Processing is necessary for carrying out obligations or exercising rights of the controller or data subject in the field of employment and social security and social protection law.
Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is incapable of giving consent.
Processing is carried out by a foundation, association or other not-for profit body with a political, philosophical, religious or trade union aim.
Processing relates to data which are manifestly made public by the data subject.
Processing is necessary for the establishment, exercise or defence of legal claims.
Processing is necessary for reasons of substantial public interest.
Processing is necessary for the purposes of preventive or occupational medicine.
Processing is necessary for reasons of public interest in the area of public health.
Processing is necessary for archiving purposes.
The UK GDPR also grants to all data subjects (living individuals) 8 data subject rights, including: the right of subject access; the right to erasure (sometimes called the ‘right to be forgotten’); the right to rectification of incorrect or inaccurate data; the right object to certain types of processing; the right to data portability; and right not to be subject to automated decision-making.
The main reasons to comply with the UK GDPR are:
With a 19-year track record of assisting organisations to comply with data protection legislation, we at URM are the ideal experts and partners to help you achieve and maintain compliance. Leveraging our fully flexible and tailored approach, our highly qualified and experienced data protection and GDPR consultants will help ensure your organisation is fully compliant with the relevant regulations and legislation, regardless of where you currently are in your compliance journey.
Contact our data protection experts today to find out more.
There is currently no single approved certification scheme for the whole of the UK GDPR. There are 5 existing certifications approved by the UK regulator available for certain sectors and activities, namely: legal services and training and qualifications services providers; secure re-use and disposal of IT assets; age assurance; and children’s online privacy. There is, however, an approved certification or ‘seal’ under the EU GDPR called Europrivacy, which may be of interest to UK organsiations that process the data of people who are in the EU, and are therefore covered by the EU GDPR.
URM’s GDPR consultants can assist you with conducting UK GDPR gap analyses, ROPAs, and DPIAs, and preparing privacy notices. Additionally, once these documents have been completed, our experts can support your organisation’s ongoing privacy compliance programme by keeping them up to date to reflect any changes to your processing as your business evolves. URM also offers a DSAR disclosure service to help your organisation respond to subject access requests. URM is fully equipped to accompany you on all stages of your organisation’s UK GDPR journey.
A gap analysis is an exercise carried out on site at your organisation, or remotely, to gather information direct from the process owners on your processing of personal data, to ascertain your organisation’s general level of compliance with the UK GDPR, and to identify any compliance shortfalls and prioritise these for remediation. A gap analysis typically takes between 3 and 5 days on site, depending on the extent and complexity of the organisation’s processing, with a further couple of days to produce a comprehensive report and remediation schedule. Instructing a gap analysis is often an organisation’s first step towards building its ROPA.
If you have already undertaken a gap analysis, or if your processing is more straightforward, you can move directly on to your ROPA. URM can assist in creating and afterwards, over time, developing this. The length of time needed to produce a ROPA again depends on the nature of the processing being engaged in, but can usually be completed within 7 days. URM consultants are also skilled in performing DPIAs. Most DPIAs can be drafted and finalised within one day.
Privacy notices are mandatory statements which help organisations to meet the fairness and transparency requirements of the UK GDPR’s first principle and are the main means for controllers to fulfil the data subjects’ right to be informed. Where a process is detailed on a ROPA, the privacy notice for that process can usually be drafted in half a day.
URM’s DP training courses can help you enhance your understanding of the UK’s data protection landscape and diversify your professional skillset. Attending our BCS Foundation Certificate in Data Protection (CDP) Training Course will enable you to gain a comprehensive understanding of data protection law in the UK and an industry-recognised DP qualification, fully preparing you to sit the BCS administered exam. Meanwhile, our 2 half-day courses on conducting DPIAs and data transfer impact assessments (DTIAs), and our 1-day Training Course on managing DSARs, will provide you with the knowledge and practical skills necessary to complete these key compliance activities when you return to your workplace.
URM’s data protection and GDPR consultants have extensive ‘real world’ experience as both practitioners and subject matter experts working at a senior level within business and in their data protection consulting roles advising organisations on best practice. With a 19-year track record assisting organisations to comply with legislation such as the Data Protection Act, the GDPR and local country-specific legislation, URM has earned a reputation for adopting a pragmatic and business appropriate approach.
A key differentiator between URM and other data protection service providers is our flexible service offerings. Our virtual DPO service can be customised to your precise requirements, in terms of the type of support you require and the frequency of site days (remote or on site) etc. Equally, with our remediation support, URM can assist you address any gaps identified and achieve full GDPR compliance. We can also help you maintain that compliance with GDPR auditing services.
URM prides itself on its knowledge transfer philosophy and training expertise which helps to ensure that you not only understand what the principles and requirements of the GDPR are but how to best meet them.
URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection etc. The webinars are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.
URM provides an update on all of the DP-related issues, impending legislation, ICO’s enforcement actions, and the impact of artificial intelligence (AI).
URM will be sharing its experiences and practical tips drawn from helping organisations successfully conduct DPIAs and DTIAs.
URM is holding a webinar designed to guide organisations on their journey to compliance with both the UK and EU GDPR.
No – hard copy information, such as paper files, containing personal data are included if the data is part of a structured, searchable dataset, which the Regulation calls a ‘filing system’.
If you are processing the data of people who are in the EU, either in relation to the activities of a physical base or person (‘establishment’) your organisation has in the EU, or your processing relates to offering goods and services to data subjects in the EU, or monitoring their behaviour in the EU, then you have to comply with the EU GDPR (as well as the UK GDPR in respect of any UK people’s data you are processing). The EU GDPR and UK GDPR are currently essentially the same.
No – all organisations around the world that process the personal data of people who are in the UK are affected by the UK GDPR, if the processing is in relation to offering goods and services to data subjects in the UK, or monitoring their behaviour in the UK.
Yes – in Chapter V. The rules are basically the same as those in the EU GDPR, except that it is the Secretary of State, not the European Commission, who decides if a third country data importer has adequate data protection laws (i.e., makes an ‘adequacy decision’); and the EU Standard Contractual Clauses (SCCs) method of legitimising such international transfers are replaced by a document issued by the ICO – the International Data Transfer Agreement or IDTA.
URM’s blog reviews ICO enforcement activities for the 1st half of 2024, highlighting trends & shifts in how it enforces against data protection breaches.
URM’s blog explores a recent ECJ ruling which dictates that oral job references are covered by the GDPR
URM’s blog explores the data protection considerations for data analytics tools, and how to reap their many benefits while still maintaining GDPR compliance.
URM’s blog explores the first formal European response to the DPDI Bill, and how the Bill may jeopardise the UK’s adequacy status when it reforms the UK GDPR.