Your data protection questions answered

Your free guide to data protection and marketing compliance

Are data protection and GDPR the same thing?

Strictly speaking, the GDPR is the Regulation (the law) which, together with the UK Data Protection Act 2018, forms the legal basis on which data protection compliance sits. Data protection is the broader concept: the measures and practices you undertake to safeguard personal data from unauthorised access, misuse or exposure. It encompasses a variety of strategies, regulations and technologies aimed at ensuring the privacy and security of individuals' data across different contexts and industries.
The GDPR, on the other hand, is a specific legal framework first established by the European Union (EU) to regulate data protection within its member states. The UK was a member of the EU when the GDPR came into force in May 2018 and so was subject to its requirements; after Brexit it was retained in UK law as the UK GDPR, sitting alongside the Data Protection Act 2018. The GDPR sets stringent guidelines and requirements for organisations handling people's personal data. It includes provisions on data subject rights, data breach notifications and penalties for non-compliance, among other aspects.

In essence, while data protection is the overarching goal, the GDPR is one of the tools designed to achieve it. It represents a comprehensive approach to data protection, aiming to give individuals greater control over their personal data. So while the terms are interconnected, they are not synonymous: the GDPR is a regulatory mechanism within the broader sphere of data protection.

Do I have to register with the UK ICO?

As a small business, you are generally required to register with the Information Commissioner's Office (ICO) in the UK if you process personal data. The ICO is the UK's independent authority set up to uphold information rights and protect personal data.

Most businesses and organisations that handle personal data must pay a data protection fee to the ICO and be listed on the ICO's register of fee payers. There are a few exemptions, such as organisations that process personal data only for staff administration (including payroll), for advertising and marketing their own business, or for keeping accounts and records. These exemptions are narrow, and many small businesses do not qualify for them.

Failure to register can result in fines and penalties, so it's crucial to determine your specific obligations. You can use the ICO’s self-assessment tool on their website to check if you need to register.

How much is the data protection fee?

Your fee depends on your size (number of staff) and annual turnover, and ranges from £40 to £2,900 annually. Charities pay the lowest tier regardless of their size.

Do charities need a DPO?

Not all charities in the UK are required to appoint a Data Protection Officer (DPO). Under the UK GDPR a DPO is mandatory only if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category or criminal conviction data. In fact, that job title is likely to disappear when the Data Protection and Digital Information Bill becomes law (anticipated to complete its parliamentary journey in July 2024). However, it is advisable to have a data protection lead who is suitably experienced in both data protection and PECR (the Privacy and Electronic Communications Regulations, which govern electronic marketing). Data plays a fundamental role in most charities, and having someone responsible for data protection helps you monitor compliance. For UK-based charities operating in the EU, retaining a DPO may be necessary to comply with the EU GDPR. Your data protection lead doesn't have to be in-house or a lawyer; in fact, it may be more cost-effective in the long run for smaller charities to outsource the role. Have you looked at my outsourced DPO service?

Data protection principles

How many data protection principles are there?

I always say that there are 6 + 1 principles because the underpinning (or overarching) principle is one of Accountability. This means that you don't just say that you are compliant, but that you can evidence it as well.