Since the GDPR came into force in 2018 (retained in UK law as the UK GDPR from 1 January 2021, alongside the Data Protection Act 2018), most employers and organisations have had to overhaul their approach to data protection. For many this entailed an audit of what personal data the organisation holds, where that data is stored and to whom it is transferred, and the introduction of robust measures and procedures for handling personal data, together with training on accountability and related processes. Since then there have been further changes, notably in relation to ‘adequacy’ decisions following the UK’s departure from the EU. More recently, the Data (Use and Access) Act 2025 became law in June 2025 (its provisions are being commenced in stages) to clarify and refine data protection law, and AI has become increasingly embedded in organisations’ day-to-day practices and procedures. With these developments in mind, we touch upon some tricky issues you may encounter when processing personal data, encourage proactive rather than reactive action, and provide details of training packages which could assist your organisation.
Where do you start?
The UK GDPR’s accountability principle requires that a data controller must be able to demonstrate how it complies, on an ongoing basis, with the UK GDPR’s data protection principles, namely:
- Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation – personal data must be collected only for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes.
- Data minimisation – personal data must be adequate, relevant and limited to what is necessary for those purposes.
- Accuracy – personal data must be accurate and, where necessary, kept up-to-date.
- Storage limitation – personal data must not be kept longer than necessary.
- Integrity and confidentiality – personal data must be processed in a manner that ensures its appropriate security.
These core principles must be kept in mind whenever personal data is processed.
Understandably, some organisations hold a great deal of personal data, so such a task can be daunting. It is nevertheless important to understand what personal data is being stored and shared, and what security measures are in place to protect it, in order to ensure compliance with data protection legislation.
With high fines and reputational damage at stake (particularly given the recent increase in PECR-related fines), organisations should assess their data protection programme and current level of compliance in order to identify the key areas of vulnerability to be addressed in relation to the UK GDPR, the DPA 2018, PECR and the organisation’s own data protection policies and procedures.
The UK GDPR (Article 30) also requires every controller and processor to keep written records of its processing activities, often referred to as the “record of processing”. Such records should include details of the types of personal data held, the purposes of the processing, who has access to the data, the lawful basis or bases relied on, where the data is shared and transferred, and the retention periods applied. Organisations with fewer than 250 employees are exempt from this requirement only where the processing is occasional, is unlikely to result in a risk to individuals and does not involve special category or criminal offence data, so in practice most organisations will need these records. Keeping them up to date will greatly assist with data mapping exercises and audits.
Managing international data transfers
It can be tricky to establish whether another country has appropriate safeguards in place to protect personal data. The general rule is that personal data may be transferred outside the UK without further safeguards only where the destination jurisdiction is covered by UK adequacy regulations; otherwise an appropriate safeguard (such as the ICO’s International Data Transfer Agreement, the UK Addendum to the EU standard contractual clauses, or binding corporate rules) or a specific exception must be relied on. Adequacy decisions can also change over time. For example, the passage of the Data (Use and Access) Act 2025 (after a lengthy period of consideration in both Houses of Parliament) prompted the European Commission to extend its adequacy decisions for the UK by six months, to 27 December 2025, while it assessed the new law. Organisations should therefore keep abreast of such changes, particularly in relation to the countries to which they export, or from which they import, personal data.
Monitoring and responding to data breaches
The UK GDPR obliges data controllers and data processors to comply with the data protection principles, including ensuring that data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage…”. This means that organisations have a responsibility to prevent personal data being compromised, whether accidentally or deliberately. Where a personal data breach does occur, a controller must notify the ICO within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals, must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them, and must keep an internal record of every breach; a processor must notify the controller without undue delay.
We have previously reported on numerous cases in which organisations have been fined and/or suffered severe reputational damage as a result of breaching UK data protection law or allowing personal data to be compromised. Many of these incidents stem from attackers exploiting vulnerabilities in organisations’ systems. Managing such breaches can therefore be challenging, particularly in larger organisations with dispersed workforces and widespread remote working.
What proactive measures could be put in place?
The UK GDPR requires that appropriate technical and organisational measures be implemented to safeguard personal data. Such measures should be built in both when processing is being designed and during the processing itself (data protection by design and by default). To understand which safeguards are appropriate, you should first carry out a risk assessment; where the processing is likely to result in a high risk to individuals, a data protection impact assessment (DPIA) is mandatory.
Industry surveys and the ICO’s own breach statistics consistently identify human error as a leading cause of personal data breaches. This means that you cannot rely solely on technical or system security measures to protect personal data. As a proactive measure, it is best practice to implement data protection policies, particularly on handling data breaches, and to ensure that staff are trained on those policies and know what to do when a breach occurs, so that the response is swift and effective. In addition, business continuity arrangements that set out how personal data will be protected and recovered (including regularly tested backups) are essential to responding quickly to an attack. Finally, periodic checks that your security measures remain appropriate and up to date will reduce the risk of a cyber attack or data breach.
Not refreshed your data protection practices since the GDPR came into force?
Our data protection team would be happy to provide refresher training, including on how best to prepare for upcoming changes in UK data protection law, at a cost of £750 + VAT.
Your training needs met
Our team would also be happy to provide bespoke training covering the aspects most relevant to your business. We would obtain some details from you beforehand to ensure that staff are clear on what they need to do to comply with your business’ procedures and UK data protection legislation.
We can deliver training on any of the following or combination of topics (list not exhaustive):
- How to respond to a DSAR
- How to respond to a data breach
- Data retention periods
- Updates required in light of the Data (Use and Access) Act 2025
- Practical steps to take to remain compliant with UK Data Protection legislation
The cost of such training will depend on the business’ requirements, the length of the training and the topics covered.
If you need any advice on ensuring data protection compliance, please do not hesitate to contact a member of our data protection team.