01246 233108
[email protected]
Running a business in the Hospitality Sector? Click here

Data Security – Data Protection Regulatory Framework

The General Data Protection Regulation (EU 2016/679) came into force on 25 May 2018 adding new elements and significant enhancements to the existing data protection regime.

The Data Protection Act (DPA) 2018, which came into force on 23 May 2018, implemented the GDPR, whilst also adding provision for UK law to extend the GDPR to areas such as the security services and government bodies, which were not covered under the GDPR alone.

Post-Brexit (following the end of the Brexit transition period from 1 January 2021 onwards), the UK GDPR is the retained version of the EU Regulation by virtue of section 3 of the European Union (Withdrawal) Action 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendment Etc) (EU Exit) Regulations 2020.

The UK GDPR protects the rights of UK citizens with regard to their data, the EU GDPR protects the rights of EU citizens. For organisations that handle data on both UK and EU citizens both GDPRs apply.

The principles and requirements of the EU GDPR continue to apply in the UK with its post-Brexit version and here we look at the major areas of scope and some definitions.

Controllers and processors

The GDPR applies to both controllers and processors of data. Controllers say how and why personal data is processed. The processor acts on the controller’s behalf to process the data. Your organisation may be a data processor, or a data controller, or both.

There are specific legal obligations on both controllers and processors:

  • controllers must specifically ensure that contracts with processors comply with the GDPR; and
  • controllers and processors have separate, but explicit, requirements to maintain records of personal data and processing activities
  • processors are also legally responsible and liable for any security breaches.

Please see our related factsheet ‘Data Security - General Data Protection Regulation - Ensuring Compliance’ for more detailed information on the documentation requirements.

Data protection principles

Personal data shall be:

  • processed lawfully, fairly and transparently
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary for the purpose
  • accurate and kept up to date. Inaccurate data should be erased or corrected
  • kept in an identifiable format for no longer than is necessary
  • processed securely and protected from unauthorised or unlawful processing, accidental loss, or destruction or damage.

GDPR rights for individuals

The right to be informed

Individuals have the right to know how their personal data is going to be processed. The GDPR promotes transparency over processing by way of a privacy notice encompassing (amongst other things) details of the controller, the source of the data, recipients of the data, data transfers made outside the EU, and the retention period of the data.

The right of access (subject access request)

Individuals have the right to obtain confirmation that their data is being processed, access to their personal data, and other information, such as that provided in a privacy notice.

The maximum amount of time allowed to deal with a subject access request is 30 days and the right to charge a subject access fee has been removed, unless the request is unfounded, excessive or repetitive.

The right to rectification

Individuals have the right to have inaccurate or incomplete personal data rectified. This must also include personal data which is shared or given to third parties.

The right to erasure

Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Again, this must also include personal data that is shared or given to third parties.

It is important to note that there are extra requirements when the request relates to a child.

There are some exceptions to the right to erasure, such as where data is held to comply with a legal obligation.

The right to restrict processing

Individuals have the right to restrict the processing of personal data. In these circumstances the personal data can be stored, but not processed.

The right to data portability

Individuals have the right to obtain and reuse their personal data across different services. It allows them to move, copy or transfer personal data. Personal data must be provided in a structured machine-readable format (such as .csv).

The right to object

Individuals have the right to object to the processing of personal data. Processing must stop immediately unless there are ‘compelling’ legitimate grounds for the processing, or if processing is for the establishment, exercise or defence of legal claims.

Rights in relation to automated decision making and profiling

Individuals have the right to ensure that safeguards are in place to protect against the risk of damaging decisions being taken without human intervention. This also extends to the safeguarding of personal data used for profiling purposes.

Accountability and governance

The principle of accountability requires that appropriate governance measures are in place to document compliance. Organisations therefore need to:

  • implement measures that meet the principles of data protection
  • document policies and procedures in relation to the storage and processing of personal data
  • implement technical and organisational measures to ensure and demonstrate compliance.
  • appoint a data protection officer where necessary.

Please see our related factsheet ‘Data Security - Ensuring Data Protection Compliance’ for more detailed information.

Lawfulness of processing

It is important to understand and document the lawful basis of your processing. There are six:

  1. Consent
  2. Contractual obligation
  3. Legal obligation
  4. Vital interests
  5. Public interest
  6. Legitimate interests.

On the issue of consent, it must be specific, unambiguous and freely given. Positive consent cannot be assumed from inaction, such as failing to click an online ‘unsubscribe’ box, or from the use of pre-ticked boxes. Businesses need to make sure that they capture the date, time, method and the actual wording used to gain consent, so it is important to ensure that your business has the means to record and document such information.

ICO consent guidance

Legitimate interest will grant you the ability to process the individuals’ data but only within the bounds that they would expect. If you are to rely on legitimate interests, you will take on the responsibility for ensuring that:

  • there is a basis to use legitimate interest
  • the processing of data is limited to that interest and can be demonstrated
  • the individual's rights have been considered in a balancing process
  • the individual is informed of the legitimate interests in your privacy policies.

ICO legitimate interests guidance

Notification of breaches

A personal data breach is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data.

The UK Regulator the ICO has an online self-assessment tool which helps to determine the severity of the breach and whether or not it need be reported. Some breaches need to be notified to the relevant supervisory authority within 72 hours. It is vital to undertake the assessment as soon as the breach is discovered.

ICO personal data breach assessment guidance

Transfer of data

On 28 June 2021 the EU Commission adopted an adequacy decision for the UK which means that most data can continue to flow between the UK and the EU EEA without the need for additional safeguards. (The exception is data for the purposes of immigration control.)

When transferring data to a ‘third country’, then additional safeguards such as Standard Contractual Clauses or Binding Corporate rules may be applicable. The first link below is from the UK’s regulator – the ICO. The second is from the European Commission.

ICO data transfer agreement guidance

EU rules for transfers outside of the bloc

Sources and links

ICO home page for organisations

EU GDPR portal - http://www.eugdpr.org/

Menu

After completing her A-Levels in 2017, Rebecca started her career in accounting by joining the Page Ivy team. Since then she has completed levels 2 and 3 of the AAT qualification and is currently studying towards level 4.

In the office, Rebecca works with our clients to assist them in preparing their VAT returns, assists with Xero Cloud-based bookkeeping and Accounting and is also trained in all matters of payroll.

In her spare time, Rebecca likes to, spend time with her friends and family, train dogs and more recently, has started to learn Spanish.

Since school Charlie has always had an interest in accountancy and followed up on his career aspirations by joining Page Ivy in 2017.

After three years of studying, Charlie is nearing completion of his AAT level 4 qualification and is looking to start his ACCA training imminently.

Charlie deals with the preparation of Limited Company, Sole trader and Partnership accounts along with preparing VAT and MGD returns.

In his spare time, Charlie enjoys watching football and spending time with his partner, friends, and family.

Danielle joined the Page Ivy team back in 2013 as an AAT Trainee, now qualified she is responsible for managing our Payroll  Bureau.

Her role includes processing weekly, bi-weekly, and monthly payroll runs, corresponding with HMRC on behalf of our clients,  preparing and submitting CIS 300 returns, assisting clients with all areas of payroll, HR, and Administration.

In her spare time, Danielle enjoys climbing, spending time with family and friends, and going on long country walks with her partner and dog.

Declan is the newest member of the Page Ivy team, starting with us in 2020.

Declan is currently studying towards level 2 of his AAT Apprenticeship and in the office, is getting to grips with data entry and analysis.

In his spare time, Declan enjoys country walking with his family and dog, sports events and more recently, learning to play the piano!

Megan joined our team in 2014 and has been ensuring that the Page Ivy office runs smoothly ever since.

Her role includes managing the team and their diaries,  handling client queries, and assisting with Administration.

Megan is a Xero certified Payroll advisor, meaning that when Danielle is on leave, Megan is on hand to run our payroll department.

Megan has two children, Isabella and Felicity, who like to keep her busy! In her spare time, she likes to keep fit, spend time with her family and online shop!

Abby started her career in accounting in 2009, working for a small practice in Chesterfield, alongside studying for her AAT qualification.

After three short years, in 2012 the opportunity arose to become Director of Page Ivy Accountants and she hasn't looked back!

Building long-lasting client relationships are of utmost importance to Abby, she has a passion for providing a high level of customer service and ensuring that our clients feel valued.

Abby is responsible for overseeing the preparation of VAT returns and MGD return prepared by the Page Ivy team; along with providing personal tax advice to a wide range of clients.

 

In her spare time, Abby enjoys, traveling, reading, and going to the gym.

Edward joined the team as a school leaver in 2012.  From here he went on to study Business Administration, AAT, and finally progressed on to complete his  ACCA qualification 2019.

Edward is a knowledgable, pro-active Senior accountant, who prides himself on providing high quality, in-depth, technical advice in a manner that is easily understood by his clients.

He is responsible for the preparation of Sole trader, Partnerships, and Limited Company accounts. As well as monthly and quarterly management accounts and conducting business reviews.

In his spare time, Edward likes to spend time with his friends and family,  spending time in his local pub and watching Derby FC collect 3 points.

 

Gareth started his career in accountancy in 2002. Since then he has worked in both small and medium-sized accountancy practices, working with a variety of clients from small businesses to advising quoted companies on Corporate Tax compliance and specialist claims, such as for Research and Development allowances. He places high importance on technical expertise, believing this to be essential to ensure clients can be safe in the knowledge they are fully compliant with HMRC’s requirements while minimising their tax liabilities. This is reflected in him being a fully qualified member of the Chartered Institute of Taxation, and a fellow of the Institute of Chartered Accounts in England and Wales.

He joined Page Ivy in 2012, since then he has taken responsibility for overseeing the preparation of clients Sole Trader, Partnership and Limited company accounts, as well as clients personal Self Assessment Tax Returns.

Alongside Abby he hopes to continue to develop both the technical expertise within the firm, and see the business continue to grow from strength to strength.

Outside of work Gareth has served as deputy leader of the town council, enjoys eating out, and fishing.

Subscribe to our Newsletter

Please enter your information below to receive updates from our newsletter