The building blocks of Compliance e: stonearch@protonmail.com t: 01706 559 022
Most businesses and organisations use personal data in some respects. Do you have staff members? Do you have clients or customers? Do you have a website that uses cookies or has an enquiry form? If you answer yes to any of these questions, then you are processing personal data. It is important that you understand your basic responsibilities to ensure these data are protected. StoneArch can help you to establish what is required, and quickly, efficiently and affordably make you compliant.
Yes. You are still processing the personal data of your staff members or customers simply by holding their contact or payment details. You will still need to consider how you can make your processing fair and transparent, how long you keep their details for and how you will keep them secure. If you have a website which has an enquiry form or uses analytical cookies (most sites use these), then you must also consider what privacy information you need to provide. The legislation applies to all records held, paper or electronic.
This seems like an easy question, but it can be difficult to put your finger on a precise definition of what personal data actually is. Personal data is information that can be used to directly or indirectly (when used with other information) identify a living individual. The UK GDPR calls for additional protection for more sensitive categories of personal data such as health and disability data, ethnicity and sexual orientation. This is called ‘special category’ personal data.
It is true that the UK is no longer subject to the GDPR, but UK organisations still need to ensure compliance. We now have the UK version of the GDPR… The UK GDPR. This is extremely similar to the EU GDPR, so the likelihood is that if you are compliant in one, you are compliant with the other.
The UK is currently in a grace period, where the European Commission has clarified that personal data can continue to flow from the EU to the UK as it did previously when the UK was subject to the EU GDPR. The grace period is only for 4 months, after which point it may be extended by another 2 months. The hope is that, prior to the end of this period, the European Commission will have had an opportunity to review the UK GDPR and rule that it is robust enough to protect people’s personal information. If they do this, the UK will be granted an ‘adequacy decision’, which will mean personal data can continue to flow between the UK and the EU as it did prior to Brexit. If not ruled to be adequate, businesses who want to continue to receive personal data from EU countries will need to put additional measures in place.
Put bluntly, somewhere secure. You should also have appropriate access restrictions in place. You should ensure personal data are backed up, and accessible only to those who have a requirement to view it. It is the responsibility of organisations or businesses to ensure this basic level of protection is provided. This is a requirement under the UK GDPR. If you are storing data outside of the UK (for example using a cloud storage solution with servers based overseas), there are additional considerations you need to make. StoneArch can review your storage, and make these requirements understandable and your business compliant.
No. You will need to get consent only if you rely on consent or explicit consent as a lawful basis under the UK GDPR.
Consider that there are two checklists in the UK GDPR. If you are processing personal data for a particular purpose, you need to tick off one of the conditions (lawful basis) from the first checklist (called Article 6). If you are processing more sensitive ‘special category’ personal data (such as health or disability data, ethnicity or sexual orientation), you will also need to tick off a condition from the second checklist (Article 9). Only one of the conditions in each checklist relates to ‘consent’.
However, even if you are not relying on consent where an alternative lawful basis is more appropriate, you still need to ensure you meet requirements under the legislation. In particular this includes providing adequate privacy information about how you intend to process personal data, and upholding the rights of the individual.
Anyone who processes personal data should explain which lawful basis they are relying on, and make this information available to their staff, clients, customers or suppliers.
Whenever you process personal data, you must make available information to the data subjects that explains how you use their information, amongst other things. This is called a privacy notice, and is a requirement under principle 1 of the UK GDPR.
A privacy notice must always include:
You may also be required to provide information in addition to the above.
StoneArch can conduct a review of your notices, and ensure they meet all requirements under the legislation.
Copyright © 2023 StoneArch Compliance - All Rights Reserved.