Do my business activities need to be UK GDPR and DPA compliant?

Where data and the processing of such data is to be undertaken by a business as part of its business activities, the relevant business will need to be aware of its obligations under the UK GDPR and the Data Protection Act 2018 (being its implementing statute).

Processing data includes, but is not limited to, the use, storage, alteration or destruction of personal data by an entity. This also includes both wholly or partially automated methods of data processing as well as manual processing.

Some examples of processing include the storage of IP addresses, databases holding client details (such as email addresses, telephone numbers, physical addresses etc.) and the administration of staff/payroll processes.

Personal data under UK GDPR includes any data which relates to an identified or identifiable person; namely, data which could be used to identify a person.

Due to the broad definition of processing, it is likely that most businesses will need to be aware of their data processing obligations and the requirements that follow from them.

A data processor should also be aware of its obligations to have adequate systems in place for the processing of personal data, and to ensure that the staff involved in data processing are adequately trained and aware of their responsibilities in relation to the safeguarding of data subjects' personal data.

A data controller, on the other hand, is an entity which determines the purposes for which and the manner in which personal data is to be processed. This means that a party which is a data controller will determine ‘why’ and ‘how’ data is to be processed.

Where a data controller is to outsource its processing (or a processor outsources to a sub-processor), it should conduct thorough due diligence on the external processor/sub-processor, particularly in relation to their security framework and the procedures they have in place in case of a data breach, as typically overall responsibility rests with the data controller.