Data Protection FAQ
Do you have questions about Data Privacy and GDPR?
Below you will find the answers to the most common questions we get asked about data privacy in the UK and beyond. If you still cannot find the answers you are looking for in our Data Protection FAQ, please contact us.
We have broken this Data Protection FAQ down into six sections, each focusing on a specific area of data protection, data privacy, and the UK GDPR:
CSRB
Who are CSRB?
We are a team of certified and independent data protection officers and practitioners, with certifications in the EU and UK GDPR, amongst other UK and worldwide privacy legislation. We have office locations in Bristol and Manchester, with UK wide coverage.
What services does CSRB provide?
We provide outsourced Data Protection Officer (DPO) support, owner-managed business data-privacy support, we carry out data protection audits and gap analysis, draft and write privacy contracts and documentation, and deliver online and in-person data privacy and UK GDPR training. Please visit our service pages to find out more.
How does CSRB support organisations?
We deliver all of our support services remotely via Microsoft Teams or Zoom. This is backed up by our email and phone support. We can also come and see you in person, for an additional contribution, to offset any carbon emissions.
Do we have to sign up to long-term contracts to benefit from CSRB’s services?
No! We pride ourselves on being accessible to all, whether you are a start-up business, or a multinational corporate. We have a wide range of monthly retainer options, as well as ad hoc or project-based service delivery options. Our longest contract length is twelve months, as we believe our month eleven review should give both parties the opportunity to decide the next steps, without the fear of being tied down for three or five years.
Why should we use CSRB?
We are very easy to deal with and ensure all our support is tailored to your organisation and market sector. There is no one-size-fits-all in the world of data protection and organisation-specific support is something we will not compromise on! Additionally, we ensure all our support is relevant, commercially focused, UK GDPR compliant, and is easy to implement and understand.
UK GDPR & UK Legislation
What are the main pieces of UK data protection law?
The main pieces of UK data protection law are:
- The Data Protection Act 2018 (DPA 2018): This supplements the UK GDPR and provides additional rules on specific areas.
- The UK General Data Protection Regulation (UK GDPR): This sets out the key principles and rules for handling personal data.
- The Privacy and Electronic Communications Regulations 2003 (PECR): These govern the use of electronic communications, like emails and cookies.
Together, these laws provide a framework for protecting personal data in the UK, ensuring individuals have control over their data and organisations handle it responsibly.
Who do the UK data protection regulations apply to?
The UK data protection regulations apply to a wide range of private and public organisations processing personal data. They apply to the processing of personal data relating to an identified or identifiable living individual; they do not apply to information relating to deceased individuals, nor to processing carried out purely for personal or household purposes. They also reach organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. In practice, virtually any entity processing personal data in the UK is caught by the regulations, which exist to safeguard individuals' privacy rights.
Who is the Information Commissioner’s Office (ICO) and what do they do?
The Information Commissioner’s Office (ICO) is the UK’s independent authority for upholding information rights. They enforce data protection laws, ensure public bodies are transparent, and regulate electronic communications. They investigate breaches, handle complaints, and promote good practice in information rights. The ICO acts as a watchdog, safeguarding individuals’ privacy and ensuring organisations handle data responsibly.
Why is there a data protection fee from the ICO, and do I have to pay it?
The data protection fee funds the ICO’s work to uphold information rights and enforce data protection laws. This includes providing guidance, investigating breaches, and promoting good practice. Most organisations processing personal data must pay this annual fee, except for some exemptions like some charities. The fee amount varies depending on size and turnover. Failure to pay can result in fines. The fee is a legal requirement under the Data Protection Act 2018, and it is essential to ensure compliance to avoid penalties.
How do I comply with UK data protection law?
Data protection compliance is a journey, not a destination. Most of it is common sense if you follow some key principles. Ensure lawful, fair, and transparent processing. Collect only necessary data, keep it accurate, and do not store it for longer than needed. Protect data with security, respect individual rights, and be accountable.
Data Controller Responsibilities
What is a data controller?
A data controller is the individual, organisation, or entity that makes decisions about why and how personal data is used. They determine how data is collected, stored, and shared, and are accountable for ensuring compliance with the UK GDPR. In contrast, a data processor acts only on the controller’s instructions. Understanding this distinction is important because controllers have more extensive responsibilities under the UK GDPR.
What is the main responsibility of a data controller?
The main responsibility of a data controller is to ensure that any personal data they collect and process complies with relevant data protection laws. This includes determining the purpose of data processing, ensuring lawfulness and transparency, implementing adequate security measures, and respecting individuals’ rights regarding their data. The data controller is accountable for how personal data is handled and must ensure responsible data processing practices.
How should a data controller support individuals’ privacy rights?
Data controllers should support individuals’ privacy rights by upholding data protection regulations. Here are some examples:
What is a Data Protection Officer (DPO)?
In certain situations, the controller is required to appoint a DPO to oversee data protection compliance and advise the controller on its obligations. A DPO is an independent role ensuring an organisation’s compliance with data protection regulations. They can be an internal appointee, or it can be an outsourced role. The main responsibilities include monitoring compliance, providing guidance, acting as a contact point, and co-operating with authorities. They are crucial for safeguarding personal data and maintaining trust with individuals.
What is a Data protection impact assessment (DPIA)?
A DPIA is a process to identify and minimise data protection risks before processing starts. It analyses how personal data will be processed and evaluates potential impacts on individuals, leading to measures that mitigate those risks. A DPIA is mandatory where the processing is likely to result in a high risk to individuals (for example large-scale profiling, systematic monitoring, or processing of special category data), and is good practice for any significant new project. A DPIA typically includes a description of the processing and its purposes, an assessment of necessity and proportionality, a risk assessment, and a mitigation plan; if residual risk remains high, the ICO must be consulted before processing begins.
Subject Access Requests (SARs)
What is a Subject Access Request (SAR)?
A SAR allows individuals to see and obtain a copy of their personal data held by an organisation. It is a crucial right under data protection laws like the UK GDPR. SARs help individuals ensure transparency, accuracy, and accountability in how their data is used.
How long does an organisation have to respond to a subject access request?
Organisations have one month from receipt of a subject access request to respond. This can be extended by a further two months (three months in total) where requests are complex or numerous; if an extension is needed, the organisation must tell you within the initial month and explain why. Separately, if the organisation reasonably needs to verify your identity or needs you to clarify the request, the clock is paused until you provide that information; this is a pause, not an extension, and it does not apply if the organisation already has what it needs to process the request.
What is the difference between a SAR and a freedom of information (FOI) request?
SARs and FOIs allow access to information, but with key differences. SARs focus on an individual’s own personal data; FOIs cover any recorded information held by a public authority. Only the individual (or their representative) can make a SAR, while anyone can make an FOI request. SARs are based on data protection laws; FOIs are based on the Freedom of Information Act. SARs have a one-month response time, FOIs have a 20-working-day timeframe. Overlap can occur when an FOI request involves personal data, requiring consideration of both laws.
What happens if an organisation fails to respond to a subject access request?
If an organisation fails to respond to a subject access request within one month, individuals can:
- Follow up and then make a formal complaint through the organisation’s internal complaints procedure.
- Lodge a complaint with the ICO, which can investigate and act, including warnings, enforcement notices, or fines.
- Take the organisation to court to enforce their right of access, potentially leading to an order to comply and compensation.
Organisations must respond to SARs promptly and comprehensively. Failure can lead to regulatory action, fines, and court orders.
What information needs to be provided when responding to a SAR?
When responding to a SAR, organisations need to provide the following:
- A copy of the personal data requested.
- The purposes for which the personal data is processed.
- The categories of personal data concerned.
- The recipients (or categories of recipients) to whom the data has been or will be disclosed, including any recipients outside the UK and the safeguards applied to such transfers.
- The retention period, or the criteria used to decide it.
- The source of the personal data, where it was not collected from the individual.
- Whether automated decision-making, including profiling, is used and, if so, meaningful information about the logic involved and its consequences for the individual.
- The individual's rights under data protection law, including the right to rectification, erasure, restriction and objection, and the right to complain to the ICO.
Ensure the information is accurate, complete, and up to date, and provide it in a commonly used electronic format where the request was made electronically. Where certain information cannot be provided (for example because an exemption applies or it would disclose another person's personal data), this needs to be clearly communicated to the individual.
Data Breaches and Security Incidents
What is the first thing an organisation should do if they suspect a personal data breach has occurred?
The first thing an organisation should do if it suspects a personal data breach has occurred is to contain the breach: take immediate steps to stop it spreading further and causing more damage (for example revoking compromised credentials, isolating affected systems, or recalling a misdirected email). Containment should be followed straight away by an assessment of the risk to the individuals affected, because that assessment decides whether the ICO and the individuals must be notified, and the 72-hour clock for notifying the ICO starts from the moment the organisation becomes aware of the breach. This is why a personal data breach policy and incident response procedure is a vital requirement for all organisations.
What are the reporting requirements when a personal data breach occurs?
The key reporting requirements are:
- Notify the ICO: Within 72 hours of becoming aware of a breach unless it is unlikely to risk individuals’ rights and freedoms.
- Notify affected individuals: Without undue delay if the breach poses a high risk to their rights and freedoms.
- Keep records: Maintain a record of all breaches.
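The three reporting requirements above turn into a small amount of record-keeping and deadline arithmetic that is easy to get wrong at 5 p.m. on a Friday. The following is an added example (it is not CSRB's code and not part of the original FAQ) of a minimal breach register in Python that logs every breach whether or not it is reportable, derives the ICO deadline from the moment of awareness, and lists what is still outstanding. The risk level is assumed to come from a human assessment by the DPO or incident lead; the three breach records are constructed sample data, not real incidents.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Article 33(1) UK GDPR: report to the ICO without undue delay and, where
# feasible, not later than 72 hours after becoming aware of the breach.
ICO_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Outcome of the risk assessment to individuals' rights and freedoms
    (assumed to be a human judgement recorded by the DPO, not computed)."""
    UNLIKELY = "unlikely"  # no ICO report needed, but the breach is still recorded
    RISK = "risk"          # report to the ICO
    HIGH = "high"          # report to the ICO and tell affected individuals


@dataclass
class BreachRecord:
    reference: str
    aware_at: datetime  # when the organisation became aware (must be timezone-aware)
    description: str
    risk: Risk
    contained_at: Optional[datetime] = None
    ico_notified_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # A naive timestamp silently shifts the deadline by the local UTC offset.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")

    def must_notify_ico(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def must_notify_individuals(self) -> bool:
        return self.risk is Risk.HIGH

    def ico_deadline(self) -> Optional[datetime]:
        return self.aware_at + ICO_WINDOW if self.must_notify_ico() else None

    def outstanding(self, now: datetime) -> List[str]:
        """Actions still required at time `now`, in the order they should happen."""
        actions: List[str] = []
        if self.contained_at is None:
            actions.append("contain the breach")
        if self.must_notify_ico() and self.ico_notified_at is None:
            remaining = self.ico_deadline() - now
            if remaining > timedelta(0):
                hours_left = int(remaining.total_seconds() // 3600)
                actions.append(f"notify ICO ({hours_left} h left)")
            else:
                # Late reports are still required, but must explain the delay.
                actions.append("notify ICO (OVERDUE; give reasons for the delay)")
        if self.must_notify_individuals() and self.individuals_notified_at is None:
            actions.append("notify affected individuals without undue delay")
        return actions


class BreachRegister:
    """Article 33(5): every breach is documented, reportable or not."""

    def __init__(self) -> None:
        self.records: Dict[str, BreachRecord] = {}

    def log(self, record: BreachRecord) -> None:
        if record.reference in self.records:
            raise ValueError(f"duplicate reference {record.reference}")
        self.records[record.reference] = record

    def overdue(self, now: datetime) -> List[str]:
        """References whose ICO deadline has passed with no report made."""
        return [r.reference for r in self.records.values()
                if r.must_notify_ico() and r.ico_notified_at is None
                and now > r.ico_deadline()]

    def triage(self, now: datetime) -> Dict[str, List[str]]:
        return {ref: rec.outstanding(now) for ref, rec in self.records.items()}


def sample_register() -> BreachRegister:
    """Constructed sample breaches for illustration only."""
    utc = timezone.utc
    reg = BreachRegister()
    reg.log(BreachRecord("BR-001", datetime(2024, 3, 1, 9, tzinfo=utc),
                         "unencrypted laptop with HR spreadsheet lost on train", Risk.HIGH,
                         contained_at=datetime(2024, 3, 1, 11, tzinfo=utc)))
    reg.log(BreachRecord("BR-002", datetime(2024, 3, 2, 14, tzinfo=utc),
                         "customer list emailed to wrong supplier, deletion confirmed", Risk.RISK,
                         contained_at=datetime(2024, 3, 2, 15, tzinfo=utc)))
    reg.log(BreachRecord("BR-003", datetime(2024, 3, 3, 10, tzinfo=utc),
                         "encrypted backup tape lost, key not exposed", Risk.UNLIKELY,
                         contained_at=datetime(2024, 3, 3, 10, tzinfo=utc)))
    return reg


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, tzinfo=timezone.utc)
    reg = sample_register()
    for ref, actions in reg.triage(now).items():
        print(ref, actions or "no outstanding actions")
    print("overdue:", reg.overdue(now))
```

Run as-is, the script reports BR-001 as overdue for the ICO report and still needing individual notification, BR-002 with time left, and BR-003 as recorded but needing no report. The point of keeping the UNLIKELY case in the register is that the ICO can ask to see the reasoning for not reporting, so the record and the risk judgement must exist even when no notification is sent.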
How can an organisation minimise the risk of a personal data breach?
By implementing a combination of technical measures (multi-factor authentication, encryption of data at rest and in transit, least-privilege access, prompt patching, tested backups, logging and monitoring) and organisational measures (staff training, clear policies, due diligence on suppliers, and a rehearsed incident response plan), organisations in the UK can significantly reduce both the likelihood and the impact of a personal data breach, and protect the personal data with which they are entrusted. Data protection is an ongoing process, and organisations need to remain vigilant and adaptable to address the ever-evolving threats and risks.
What is the difference between a personal data breach and a security incident?
A security incident is any event that compromises the confidentiality, integrity, or availability of an information system or its data. A personal data breach is a specific type of security incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not limited to theft by an outside attacker; a misdirected email, an accidentally deleted database, or ransomware that encrypts personal data (a loss of availability) are all personal data breaches even if nothing leaves the organisation. All personal data breaches are security incidents, but not all security incidents are personal data breaches: an incident that affects only systems or non-personal data is not one, whereas a personal data breach always involves personal data.
What are the most common causes of personal data breaches?
- Human Error and Insider Threats: Unintentional mistakes by staff (misdirected emails, lost devices, incorrect permissions) as well as deliberate misuse of access by employees or contractors.
- Weak or Stolen Credentials: Easily guessable or reused passwords exploited by hackers.
- Phishing/Social Engineering: Tricking individuals into revealing information or clicking malicious links.
- Unpatched Vulnerabilities: Software weaknesses exploited for unauthorised access.
- Malware/Ransomware: Malicious software used to infiltrate systems, steal, or encrypt data.
Contracts and Privacy Documentation
How should a privacy policy or privacy notice be used?
A privacy policy (or privacy notice) ensures transparency and compliance by telling individuals what personal data is collected, why, on what lawful basis, who it is shared with, how long it is kept, and how they can exercise their rights. It should be provided at the point personal data is collected, written in plain language, and kept in step with what the organisation actually does; a notice that overstates or understates real practice creates rather than reduces risk. A good privacy policy builds trust through clear communication, demonstrates accountability for responsible data handling, and is one of the first documents the ICO will look at when handling a complaint.
What other data protection documents besides a privacy policy should an organisation have?
Besides a privacy policy, organisations typically require a Record of Processing Activities (ROPA, which most organisations are legally required to keep), Data Processing Agreements with processors, Terms of Service/Use, Cookie Notices, Retention and Deletion Policies, Acceptable Use Policies (AUP), an Information Security Policy, Employee Handbooks, Incident Response Plans, Business Continuity Plans, DPIA templates, Email Disclaimers, and Accessibility Statements. The specific needs vary depending on the market sector and organisation size and type.
How often should data protection policies be reviewed?
Data protection policies should be reviewed at least annually or whenever there are significant changes to the business, its processes, or the relevant legislation. By proactively reviewing and updating their data protection policies, organisations can demonstrate their commitment to data protection and minimise the risk of non-compliance.
What is a Cookie Notice?
A Cookie Notice is a document that informs users about the use of cookies and similar tracking technologies on a website. It explains the types of cookies used, their purpose, duration, and how users can manage them. Under PECR, cookies that are not strictly necessary for the service the user has requested (analytics, advertising, social media plug-ins) may only be set with the user's prior consent, so the notice is normally paired with a consent mechanism that lets users accept or refuse non-essential cookies with equal ease. This transparency empowers users to make informed decisions about their privacy and allows websites to comply with privacy regulations.
What is the difference between a privacy notice and a data protection policy?
Although the terms “privacy notice” and “data protection policy” are sometimes used interchangeably, they have distinct focuses:
Privacy Notice: This is a public-facing document that informs individuals (data subjects) about how an organisation collects, uses, stores, and shares their personal data. It outlines their rights under data protection laws (like the UK GDPR) and how they can exercise those rights. It is a transparency tool that builds trust with users.
Data Protection Policy: This is primarily an internal document that guides an organisation’s staff on how to manage personal data in compliance with data protection laws. It details procedures for data collection, storage, access, sharing, and destruction. It may also include information about staff training, data breach reporting, and data subject rights requests.