In the wake of TikTok being fined £12.7m by the Information Commissioner’s Office (“ICO”), we look at some of the key data protection issues in the UK. We consider what you should be doing in your business as we approach the fifth anniversary of the General Data Protection Regulation 2016/679 (“GDPR”).

What is data protection?

In the UK, data protection is governed by the Data Protection Act 2018, which implements the GDPR. The GDPR came into effect on 25 May 2018 and strengthened the rights of data subjects in the EU (of which the UK was still a member). It also strengthened enforcement against breaches of the data protection principles. The GDPR was a pivotal moment in the EU's commitment to data privacy.

The Data Protection Act 2018 sets out the rules for collecting and processing personal data. The definition of personal data is now much wider than it was previously. It now includes any data which can identify a living person, such as name, address, date of birth, IP address, picture, social media handles, bank details, medical records etc.

What are the key principles of data protection in the UK?

Data protection is taken very seriously in the UK. The Data Protection Act 2018 requires that all personal data be processed fairly, lawfully, transparently and for a specific purpose. There must also be a lawful basis on which you have the right to collect and process the data; this includes consent and other grounds, such as fulfilling a contractual obligation. The Act also requires that individuals be informed about how their data is being used and of their rights to access, correct and remove their data.

The ICO, the independent regulator for enforcing data protection in the UK, suggests organisations should adopt a privacy-by-design model. This means any business idea, concept and product should be designed with the right to privacy in mind. For example, any software should be designed with key technological safeguards so that personal data is not vulnerable to theft.

Some recent fines that the ICO has imposed, besides the TikTok fine in April 2023, include: British Airways in 2019 – £20m; Marriott International in 2019 – £18.4m; Facebook in 2018 – £500,000.

What does it mean for my business?

It is imperative that your business demonstrates that it is compliant with the Data Protection Act 2018. There are several things you should have in place, such as:

  • Comprehensive data protection policies that work for your business.
  • A privacy policy clearly displayed on your website, or provided to third parties who send you personal data by means other than a website. It must specify what personal data you will be collecting, how it will be collected, what you will be using it for and on what basis you have the right to collect and process this information.
  • Proper privacy provisions for dealing with staff personal data and the storage and retention of personal data.

As we approach the fifth anniversary of GDPR, we are auditing clients to check compliance and to ensure that documents remain up-to-date and relevant to their business. We believe the ICO would be less tolerant of total non-compliance than it may have been in the immediate aftermath of GDPR. Many organisations rushed to get documents in place in anticipation of GDPR in 2018, and many of those documents have since either not been properly updated, simply do not work, or have never worked for the organisation.

The power of the ICO and its expectations, now five years post-GDPR, should serve as a wake-up call to businesses to reprioritise data protection. It is time to review existing policies, retrain staff and check that all new products and changes remain compliant.