What we do

GDPR & PRIVACY

Managing a business means managing personal data.

If you run a business, there's a 99% chance you're handling personal data. Businesses must comply with the data privacy standards in their own region, as well as other countries if they trade internationally. Regulations vary between countries, even between states in the same country. However, most data protection laws share some key principles:
  • Keep records of what personal data you are processing and why 
  • Be transparent and fair with people when you use their data 
  • Have policies in clear and widely understandable language
  • Keep personal data accurate and up to date
  • Safeguard personal data against accidental loss or disclosure 
Plain English Law can advise on the GDPR, the UK’s Data Protection Act 2018, and the web of federal and provincial privacy laws in Canada. We can help you with:
  • Plain English privacy notices and terms of business
  • Responding to requests for access to personal data you hold (data subject access requests or DSAR)
  • Email marketing processes
  • Website cookie policies and consent

FAQs

Got a question about data privacy?
Take a look at our FAQs.

The original GDPR — or the General Data Protection Regulation — is a piece of European legislation that came into force in 2018. The UK was still an EU member at that time. 

The aim of the GDPR was to standardise privacy rules across the EU and replace a patchwork of laws with a single streamlined standard.

With Brexit, the UK adopted a somewhat modified version of the original GDPR under the Data Protection Act 2018. As a result, you may now see privacy professionals referring to the UK GDPR and the EU GDPR as separate laws.

Fortunately, for most businesses the UK GDPR is effectively the same as the EU GDPR. The rules haven’t changed (yet). And if the UK GDPR diverges from the EU version in the future, you’ll still need to comply with the EU GDPR when processing personal data about EU customers.

Underpinning the GDPR is the belief that privacy is a fundamental right. As digital technologies extend further into our lives, so too do the threats to our personal privacy.

For governments worldwide, there’s a balance to be struck. Some voters are happy for businesses to use their personal data to sell more and create jobs. Others demand robust privacy protection.

The GDPR tries to strike that balance by letting businesses use personal data, but only if they stick to a series of privacy and security principles. Some view the GDPR as too restrictive and anti-business. Others argue there are too many loopholes, enforcement is lax, and personal data is still routinely misused without serious consequences.

Wherever you sit in the debate, the GDPR is still the law. Whether you are a Controller or Processor of personal data, you need to understand what your legal obligations are and comply with them.

These three concepts are interrelated. There’s no universal agreement on what each term means (and trying to define them is a great way to start an argument with a data privacy/security/protection expert!).

Here’s our take:

Data security refers to protecting data against malicious threats, unauthorised access, and accidental loss or damage. Typical data security measures include firewalls, two-factor authentication, encryption, physical access controls, backups, and disaster recovery plans. Organisational measures, such as internal policies and staff training, are also included.

Data privacy refers to the proper collection, use, and sharing of personal data. Central to the concept of privacy is the individual’s right to know what data an organisation holds about them, what they are doing with it, and what their lawful basis is for using the data. Privacy also means the rights people have to control how their data is used, if at all.

Data protection, in the sense of the GDPR at least, is the combination of data privacy and data security. Some people use data protection and privacy interchangeably. That’s probably because privacy is meaningless without adequate security. The reverse, however, is not true: you can have good security without privacy.

Whatever definitions you use, if you use personal data you must comply with both privacy and security principles.

The official GDPR definition is ‘any information relating to an identified or identifiable natural person’.

What does that actually mean?

A ‘natural person’ just means a living human being. They are ‘identified or identifiable’ if it’s possible to work out who the information is about, and ‘any information’ is as broad as it sounds.

‘Relating to’ means information that describes a person accurately. Importantly, it also includes information about a person that is not accurate.

In practice, working out whether the information relates to ‘an identified or identifiable natural person’ is usually straightforward. Often the individual is named explicitly, or there are enough pieces of information available that when they are combined can be used to identify the person.

Examples of personal data include:

  • Contact details — name, phone number, email address
  • Personal details — age, gender, marital status
  • Employment details — occupation, employer name, salary band

However, a document with someone’s name on it is not necessarily personal data about that person. Think about all the emails you receive at work. They all have your name, but most of them probably aren’t *about* you. An email about a customer order, for example, is rarely going to be data about you. But since it includes your name and email address, it will probably come up in any search of the email system for data about you.

This term — also known as ‘Article 9 data’ — covers particularly sensitive personal data that could be misused to discriminate against or persecute an individual.

Under GDPR Article 9, special category personal data covers:

  • Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
  • Genetic data
  • Biometric data — for example facial recognition, retina scans, fingerprints — when used to uniquely identify an individual
  • Data about an individual’s health, sex life, or sexual orientation

Article 9 data is subject to extra protections under the GDPR, so it can only be used under a relatively narrow set of conditions. If a company succeeds in demonstrating sufficient justification for processing special category personal data, it must be done with the utmost rigour and care.

Processing special category data without justification can lead to significant penalties, not to mention an almost guaranteed PR disaster for the company.

In the GDPR, processing means performing ‘any operation or set of operations’ on the data. In plain language, ‘processing’ means ‘doing stuff’ with data.

Processing includes:

  • Collecting, storing, retrieving;
  • Analysing, organising, sharing;
  • Archiving, deleting, and destroying data.

Important: *storing* data = *processing* data. If your policy is to keep data just because it might come in useful one day, you still need to manage and protect that data under the GDPR. (For a better option, see the next FAQ: “Data Minimisation”.)

The concept of data minimisation is simple: don’t collect or store personal data that you don’t need. Some version of this approach is required by almost every international privacy law, including the GDPR (EU & UK) and PIPEDA (Canada).

Data minimisation is one of the most effective ways for companies to reduce their privacy risk. Why?

Because you can’t hurt anyone with personal data you don’t have. Hackers can’t steal it. Disgruntled employees can’t leak it. Corrupt governments can’t manipulate it.

I can hear you now: data minimisation is easier said than done. That’s because it’s never been easier or cheaper to collect and store shedloads of data. However, it’s worth mentioning that if your business doesn’t have a legitimate reason for collecting and storing personal data, you’re actually breaking the law.

Adopting a data-minimisation mindset means you’re using data smarter. You can achieve business goals by using data more efficiently and reduce your company’s privacy risk exposure at the same time.

Data subject

Every item of personal data is data about one or more living individuals. Those individuals are called ‘data subjects’.

An organisation can’t be a data subject because it’s not an individual. Therefore, there is no such thing as personal data about an organisation.

However, the organisation’s employees can be data subjects. You might have personal information about the employees of your customers, past and present employees, unsuccessful job candidates, and employees of your vendors. The data could be as simple as name and contact details, or it could be more detailed and potentially intrusive.

Controller

Whenever personal data is processed, someone is acting as a controller — usually an organisation such as a company or public sector agency.

Controllers are the decision makers. They are the ones deciding why and how the data is being processed (in the GDPR, these are called the ‘purposes and means of the processing of personal data’). 

To decide who is a controller, ask which organisation decides what data to process, why it’ll be processed, who will do the processing, and where and how it will be done.

A controller can do their own processing, or contract out to another organisation.

Some processing activities have a single controller. Some datasets have more than one controller, but each controller is acting independently with the data, determining their own processing purposes and means.

Finally, some situations involve more than one controller acting together, as ‘joint controllers’. This is a potentially risky situation to be in, and it needs careful management. Joint controllers can become liable for each other’s GDPR violations.

Processor

A processor is essentially a service provider, processing personal data on behalf of a controller.

Processors do not decide the purposes and means of processing. If they start making those decisions, they automatically become controllers. If you are a processor according to a data processing agreement, and you start using the data for your own purposes, you become a controller. 

Acting as a controller will trigger a number of compliance requirements, including letting all the data subjects know who you are and what you intend doing with their data.

DOCUMENTS AND PROCESSES

YOUR DATA PROTECTION OFFICER

UK GDPR REPRESENTATIVE

DATA SUBJECT ACCESS REQUESTS

DATA BREACH RESPONSE

RUNNING YOUR BUSINESS

GAP ANALYSIS

DPIA: DATA PROTECTION IMPACT ANALYSIS