Personal Data Protection FAQs

Every organisation, whether a sole trader, a charity, or a limited company, needs some level of personal data protection support. This can take the form of company policies and documents, such as a Privacy Notice or email disclaimer, or it could be registering to pay the correct annual data protection fee with the Information Commissioner’s Office (ICO).

Any organisation that controls and processes personal data – that’s data which could be used to work out who you are, or where you live – has a responsibility to protect that personal data from misuse or harm. That’s the simple part.

It becomes more complex because every organisation runs slightly differently. To protect everyone properly, personal data protection support must be tailored to each individual organisation. We identify this during the organisation review and GAP analysis stage.


The UK General Data Protection Regulation (UK GDPR) is the set of regulations underpinned by UK legislation – the Data Protection Act (2018) – and administered by the UK lead authority on data protection, the Information Commissioner’s Office (ICO). These regulations outline your data protection responsibilities as an organisation – the dos and don’ts. The regulations also outline the rights of ‘data subjects’ (a ‘data subject’ is a living person) and inform organisations of what they must do to uphold those rights.

The Data Protection Act (2018), often called the DPA, is the UK law that legislates how your personal information is controlled and processed by UK-based organisations.

It enforces the UK General Data Protection Regulation (UK GDPR).

Yes. If your organisation is responsible for a ‘data breach’, you may be liable for fines, legal restrictions such as operating sanctions, or even bans.

What’s more, personal data breaches can seriously damage your brand reputation. You want to get in the papers for the right reasons, not the wrong ones.

Yes. If you process any personal information, for example to make customer bookings, or to take payments or if you need to hold information about health, medical or education history.

A Privacy Notice is most often seen on websites, as it faces outwards, telling prospects, clients, and other stakeholders how you will look after their personal data. However, it is not a website document; it is a company document. You should include it with tenders for new business, presentations to potential clients, and in staff handbooks.

The Information Commissioner’s Office (ICO) is the independent lead authority and regulator. It regulates personal data protection, making sure every organisation is operating fairly, openly, and transparently. Every organisation, from a limited company, a charity or trust, to a sole trader, must register with the ICO and pay the annual data protection fee.

Data protection officers are fully independent, are experts in data protection legislation, are adequately resourced, and undertake continual professional development training. They help you to monitor internal compliance, inform and advise on your data protection obligations, and act as a contact point for data subjects and the regulator, the Information Commissioner’s Office (ICO).

They have a very specialist skill set and a wide range of job responsibilities.