
Navigating GDPR: A comprehensive guide to ensuring compliance

In today's data-driven world where big data can be used to profile and analyse people, automated decisions are made regularly and AI is becoming more prevalent, businesses must prioritise the protection of personal data to avoid getting fined by the UK’s Information Commissioner (ICO).

The General Data Protection Regulation (GDPR) revolutionised data privacy in 2018 and has been built on since. Following Brexit, the UK has its own version (UK GDPR), and both place stringent obligations on organisations. Getting it wrong can lead to large fines: even small businesses can be fined tens or even hundreds of thousands.

To help you navigate this complex landscape, we have compiled a list of core UK GDPR documentation that businesses typically require. While each business is unique and may have specific requirements, the following documents will provide a solid foundation for basic GDPR compliance. 

  • Record of Processing Activities (ROPA): The GDPR requires businesses to demonstrate compliance through written documentation. The Record of Processing Activities (ROPA) serves as a record of the personal data collected, stored, and used by your organisation. It outlines how the data is used, the lawful basis for its use, and with whom it is shared. While not mandatory in all cases, having a ROPA is invaluable because it provides a comprehensive overview of your data processing activities and helps you identify where your issues or gaps are.
  • Employee Documentation: Compliance with UK GDPR extends beyond customer-facing operations; it is equally important to ensure internal, employee-facing compliance. The following employee documentation plays a crucial role in meeting UK GDPR requirements.
    ◦ Employee Privacy Notices: Transparency about how personal data is used is a key obligation under UK GDPR, and privacy notices are the means of informing individuals about how their personal data is used. For employees, we recommend having two privacy notices: (i) a Recruitment Privacy Notice, provided to candidates during the recruitment process; and (ii) an Employee Privacy Notice, applicable to employees once they start their employment. As an aside, we are often asked whether these should go on the website. The recruitment one should generally be on the website, but the employee one is internal and should not.
    ◦ General Data Protection Policy: A standalone policy, accompanied by relevant procedures, is vital for addressing data protection issues internally. This overarching document covers essential aspects such as roles and responsibilities, data protection principles, employee obligations, data quality, monitoring, individual rights, data breach procedures, and more. It ensures that the accountability requirements under UK GDPR are met. You should also consider having more detailed procedures that set out what steps your staff should take in the event of, for example, a data breach or a data subject access request. As a minimum you should have a data breach procedure and a procedure for handling requests made by individuals; many organisations have others. These should dovetail with your information security and acceptable use policies.

  • Customer-Facing Documentation: Tailored customer privacy notices are essential to inform individuals about the collection, use, and lawful basis for processing their personal data in relation to the services/products offered. Whilst all organisations should have a customer/supplier privacy notice, they are crucial in consumer-facing organisations. Depending on your business, a single privacy notice may cover multiple products/services. A privacy notice needs to cover all the mandatory requirements of UK GDPR and yet still be clear, concise and easy to read – not an easy task.
  • Website Documentation: To comply with GDPR, your website should have an up-to-date cookie policy and website privacy notice. These documents should provide detailed information about how you collect and use personal data through cookies and your website, e.g. website forms. The EU is tightening up its cookie compliance rules, including when you need to obtain consent before dropping cookies. Whilst the UK is taking a different approach in its upcoming data protection reforms, it is likely that your website will have to meet the stricter EU requirements – not many websites are purely UK focused. In addition, you should have a compliant cookie banner or cookie preference centre. Cookie compliance is important not only for meeting your regulatory requirements but also for avoiding claims from individuals relating to cookies dropped without their consent – something that is becoming more prevalent.
  • Data Sharing Agreements: If your organisation shares data internally within the group or with external parties, such as IT support or cloud hosting providers, appropriate data sharing agreements are necessary. These agreements should address the mandatory rules in UK GDPR about appointing processors and (if relevant) data export. Data export is a minefield and needs careful navigation.

Achieving UK GDPR compliance is an ongoing journey that requires meticulous attention to detail and keeping up with developments, not least because the regulatory guidance changes regularly. By implementing the recommended documentation, you can establish a solid foundation for GDPR compliance, protecting both your business and the personal data entrusted to you. Remember, every business is unique, and additional documentation may be required depending on your specific circumstances.

How we can help

If you would like further information and would like to speak to our team to discuss your unique needs and ensure comprehensive compliance, please get in touch.