Data Protection Law, UK GDPR, and Workplace Compliance

Aug 11, 2021 | Corporate Governance

We take a look at what the UK GDPR rules mean for organisations and the steps we need to take to ensure compliance with Data Protection Law.

We live in a world where businesses and organisations use and store vast amounts of information about individuals. This must be regulated to protect our privacy and prevent the misuse of our information, which is how the Data Protection Law and EU GDPR came about.

From 1 January 2021 the transition period ended, and the UK left the European Union. The EU General Data Protection Regulation has now been enshrined in UK law and is referred to as the UK GDPR.

Sitting alongside the UK GDPR is the Data Protection Act 2018 which supplements it. The UK GDPR and the Data Protection Act 2018 combined now provide the legal framework for data protection in the UK and should be read side by side.

UK organisations need to amend their GDPR documentation to align it with the requirements of the UK GDPR. This is why here at REALSENSE we have been working with our partners at Geldards Law Firm to update our UK GDPR Online Training and Data Protection Law Refresher Training, ensuring our customers are provided with up-to-date, accurate and easy-to-understand information so they can train their staff with confidence.

Providing staff training on Data Protection Law and UK GDPR regulations can help your organisation to demonstrate compliance.


About Data Protection Law

Data Protection Law protects our personal data. This is any information relating to and identifying an individual, including names, addresses, telephone numbers, date of birth, email addresses, user IDs, cookie addresses, career history and financial details.

In addition to this, we all also have personal data that is defined in law as ‘Sensitive/Special Category Personal Data’ – this includes race, ethnic origin, sex life or sexual orientation, genetic data, trade union membership, political opinion, health data, biometric data, religious information or philosophical beliefs.

If misused, this kind of data could cause significant harm or discrimination to individuals, and therefore it has a higher level of protection under Data Protection Law.

To be protected by Data Protection Law, personal data must be either held electronically or form part of a paper filing system where data is filed using specific criteria.


Key Provisions of UK GDPR

Under the UK GDPR, individuals have enhanced rights with regards to their data. These include:

  • The right to object
  • The right to erasure
  • Rights of access
  • The right to restriction
  • The right to data portability
  • Rights of rectification

UK GDPR also states that organisations have a duty to follow certain procedures and regulations with regards to processing data. An overview is given below:

  • Compliance – organisations must demonstrate compliance with provisions of UK GDPR and Data Protection principles.
  • Consent – individual consent must be freely given and informed. Methods of obtaining consent must be unambiguous, and it should be as easy to withdraw as it was to give.
  • Privacy notices – these must be provided at the time data is collected and be clear and unambiguous, containing certain specific information.
  • Individuals’ rights – as listed above, these are supported under UK GDPR and organisations must respond to a person’s requests to exercise their rights within one month.
  • Personal data breach notifications – in certain circumstances, individuals and the ICO must be notified when a breach occurs.
  • Fines – considerable fines can be given to organisations where non-compliance occurs.


Possible consequences of non-compliance

In the UK, Data Protection Law is regulated and enforced by the ICO (Information Commissioner’s Office). Because the UK GDPR includes the principle of accountability, organisations are responsible for demonstrating their compliance with the UK GDPR to the ICO.

Fines for breaches of data protection law are significant under the UK GDPR. The maximum fine is £17.5 million or 4% of annual turnover worldwide, whichever is greater.


How can I ensure my staff help support the security of my organisation?

Organisations must ensure that they give their staff the skills and knowledge to prevent data breaches and maintain the safety and security of data. There is no substitute for in-house policies and procedures combined with comprehensive training.

Our UK GDPR Online Training will ensure your staff are fully informed in all aspects of UK GDPR, including law enforcement and how they can help support their employer by complying with the legislation.

We also offer Data Protection Law Refresher Training, an excellent choice for individuals who have already had some training or have a good understanding of data protection legislation but would benefit from a refresher to reaffirm and enhance their understanding.

Our courses are comprehensive but easy to access and, more importantly, easy to understand. Training staff about rules and legislation can often be formulaic and, let’s face it, mundane. A number of our customers have told us they enjoy the interactive, engaging style of our online training courses compared to others that are ‘drier’, and that they retain knowledge better because of the easy-to-understand format.

As well as providing training, it is important to look at your workplace as a whole and implement strategies that the whole team should adopt when handling and processing data. Examples are given below.

Steps your staff can take to help your organisation keep personal data secure:

  • Ensure mobile devices are password protected and not left unattended
  • Keep their computer password secret
  • Follow your employer’s IT procedures – these should be documented in a policy handbook
  • Don’t store personal data on unencrypted USB devices
  • Store papers that contain personal information securely
  • Don’t send personal data from your work email to your personal email account
  • Dispose of personal data that is no longer required confidentially
  • Double-check email addresses are correct when sending any personal data by email
  • Follow rules laid down by your employer regarding office security


For additional information, resources and courses on UK GDPR, Data Protection Law or any other training requirements, take a look at our course catalogue or give us a call on 01332 208500 or get in touch here and we would be happy to help.