GDPR

What does the UK GDPR mean?

The UK General Data Protection Regulation (UK GDPR) is a significant piece of legislation in the United Kingdom, serving as the domestic equivalent to the European Union's General Data Protection Regulation (GDPR). Enacted on January 1, 2021, after the UK's withdrawal from the European Union (Brexit), the UK GDPR integrates core definitions, fundamental data protection principles, and individual rights. It closely mirrors the GDPR, which was applicable when the UK was part of the EU.

The European Union's General Data Protection Regulation (GDPR) is a comprehensive data protection framework that was implemented on May 25, 2018, across all EU member states. The GDPR is designed to harmonise data protection laws across the EU, providing individuals with greater control over their personal data. It establishes key principles and rules for the processing of personal data by organisations, regardless of where they are based.

In summary, both the UK GDPR and the EU GDPR share the same foundational principles and objectives, with the UK GDPR specifically tailored to the post-Brexit context. The UK GDPR ensures data protection standards within the UK, while the EU GDPR applies to member states of the European Union. Compliance with these regulations is crucial for organisations to safeguard individuals' privacy and uphold their rights related to personal data. The Information Commissioner's Office (ICO) serves as the independent regulator for data protection and privacy in the UK, overseeing and enforcing compliance with the UK GDPR.

Accountability and Responsibility

These two terms should resonate within an organisation's boardroom with the introduction of the new regulation. An organisation should be asking itself questions such as: What categories of personal data do we possess? Where is it located? How easily accessible is it? Are we ensuring adequate protection of this data? Are we safeguarding the rights and interests of the individuals concerned? Do we possess the required consent? Most crucially, are we in compliance?

The discourse surrounding data protection should escalate to the board level owing to the substantial responsibility imposed on organisations to adhere to the UK GDPR and the consequential penalties for non-compliance. In contrast to the Data Protection Act of 1998, which was enacted in 1998 and primarily targeted companies within the EU, the UK GDPR extends its jurisdiction globally. If an organisation processes or handles data capable of identifying an EU citizen, compliance becomes obligatory, irrespective of its physical location. The UK GDPR also subjects data processors, including data suppliers, to scrutiny concerning accountability, although it primarily focuses on data controllers—entities responsible for collecting and determining the use of data.

Consent

During the DPA era, many businesses relied on 'implied' consent. This passive approach was exploited over the subsequent decade until it was revised during the negotiations for the GDPR. A pre-selected box indicating subscription or permission for third parties to use their data was frequently employed. If the consumer did not actively deselect the box, implied consent was assumed. However, the GDPR stipulates that a "clear affirmative action" is necessary for consent to be valid. This requires the individual to actively select an initially unselected box to provide consent. To ensure clarity and compliance with safety standards, this action should be followed by an email, such as "click here to confirm subscription." This establishes the double opt-in process, serving as a clear indication that individuals willingly want their data used by the company under UK GDPR and ICO guidelines.

Right to be Forgotten

Under the GDPR, individuals have the right to request the deletion of their personal data. If a business no longer has a legitimate need to retain the personal data of the subject, they must comply with the request and delete the information. However, it's important to note that there are circumstances where a business may have a lawful basis for keeping the data, such as fulfilling legal obligations or for the establishment, exercise, or defence of legal claims.

Data Protection Officers (DPOs)

The requirement to appoint a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) is crucial for organisations in the United Kingdom, as outlined by the Information Commissioner's Office (ICO) guidelines. The GDPR mandates the appointment of a DPO for entities processing substantial amounts of personal data regularly or engaging in large-scale processing of 'special categories' of data, such as information related to race, religion, and health. It is essential for companies operating in the UK to align with the ICO's guidance to ensure compliance with the GDPR and the specific data protection regulations applicable in the country.

Breaches & Penalties

The penalties for data breaches have significantly increased from the maximum fine of £500,000 permitted under the Data Protection Act (DPA). The General Data Protection Regulation (GDPR) establishes a comprehensive framework for the collection, processing, and management of data, and strict adherence is essential to avoid violations.

Organisations that fail to comply with the GDPR may face heavy fines, amounting to up to 2% of their annual global turnover. In cases of serious data breaches, businesses could be subject to fines of up to €20 million or 4% of their annual turnover – whichever is higher.

What constitutes a breach?

A data breach, as per the ICO's definition, involves a breach of security leading to the destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. Breaches can vary in severity, necessitating an understanding of how the breach occurred, what data was accessed, and its potential impact on the rights of the individuals involved.

Not all breaches require reporting; some can be managed internally without notifying supervisory bodies. However, reporting becomes mandatory when a breach is likely to have a 'significant and detrimental effect on individuals.' For instance, a data breach that allows unauthorised access to customers' transactional data poses a risk of identity theft, requiring reporting as it threatens individuals' security.

Conversely, incidents such as accidental alterations to staff telephone numbers, which do not pose a significant risk, can be handled internally and may not warrant reporting.

How is InFynd B2B data compliant with the GDPR?

InFynd is committed to adhering to best practices for data protection. We work closely with our data suppliers to ensure that data is collected in a compliant manner, and InFynd is dedicated to keeping all data up to date and accurate. Regarding marketing data, GDPR introduces changes to the legal bases for data processing. Among the six available legal bases, the two most relevant for marketing are 'Legitimate Interest' and 'Consent'.

Legitimate Interest – A legal basis for processing personal data that a business can use for direct marketing. To comply with the GDPR and ICO guidelines, a business must have a legitimate interest in finding new customers, ensuring a careful balance between this interest and the rights of the data subject. It is essential to establish clear alignment between the product, service, or content being communicated and the individual’s role (e.g., job description), industry, or other targeting factors. To adhere to GDPR principles, this relies on high-quality data, and strong segmentation criteria are paramount. Marketing communications using legitimate interests must operate on an opt-out basis, allowing individuals to unsubscribe easily. Additionally, all processing of personal data must follow other data processing rules outlined in the GDPR. InFynd will process data under legitimate interest only if it aligns with the principles and guidelines set forth by the GDPR and ICO.

Consent – Under the UK General Data Protection Regulation (UK GDPR), a crucial element is ensuring that individuals whose data is being processed have explicitly provided their permission through affirmative action, commonly referred to as "opted-in" consent. The UK GDPR has abolished the reliance on implied consent or pre-ticked boxes, necessitating a shift towards obtaining "explicit or unambiguous" consent. This mandates individuals to actively tick an unticked box or engage in another clear affirmative action. In the realm of marketing, certain data processing activities, as outlined in the Privacy and Electronic Communications Regulation (PECR), require explicit consent. PECR extends data protection obligations to marketing activities using electronic means, and it remains applicable even with the implementation of the GDPR. In the context of B2B marketing, especially when reaching out to non-registered businesses like sole traders, obtaining consent becomes paramount. Upon careful consideration, we have determined that our third-party suppliers of email data face challenges in capturing consent to the extent demanded by the GDPR. Consequently, we have decided to cease offering email addresses to non-registered businesses at this time. It's important to note that the regulatory landscape is dynamic. The EU's ePrivacy Regulation is currently in development and is anticipated to replace PECR. As responsible data custodians, InFynd is committed to adapting to any new guidance criteria that may emerge. Rest assured, any data provided by us will adhere strictly to the compliance standards set forth by this evolving regulatory framework. This commitment ensures that our practices align with the highest standards of data protection, fostering trust and compliance within the evolving legal landscape.


Announcement to our customers

It's important to clarify that simply purchasing data from InFynd does not automatically ensure GDPR compliance. Compliance with the General Data Protection Regulation (GDPR), Data Protection Act (DPA), Privacy and Electronic Communications Regulation (PECR), and ICO guidelines requires diligent adherence to specific protocols. Compliance extends beyond GDPR to include guidelines from the Information Commissioner's Office (ICO) and the Privacy and Electronic Communications Regulation (PECR), especially for marketing using electronic means. All UK and EU businesses must process data in accordance with GDPR, encompassing provisions such as clear and accessible unsubscribe options on all communications.

Effective segmentation is crucial when delivering communications. Ensure that data subjects have a legitimate interest in the topic or content of any communication received, demonstrating compliance with GDPR principles. InFynd commits to screening against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers at the point of delivery. Customers are obligated to apply any in-house suppression files before initiating marketing. After 28 days from delivery, it becomes the customer's responsibility to recheck the data against TPS and CTPS registers. InFynd offers this service separately, emphasising the ongoing nature of compliance verification. Refer to the Data Validation tool for additional assistance and information on maintaining data accuracy and compliance.


Contact us
To opt out or for further information, please email contact@infynd.com
