If you are expanding your business to the UK, you will need to handle your customers' data securely and comply with the relevant privacy laws. Even if you only work with a few clients, complying with privacy laws is critical. The General Data Protection Regulation (GDPR) will affect how you collect, store and use personal data from your customers. This article provides several tips on handling personal data so that your business is GDPR compliant when it expands to the UK.

Key Privacy Laws in the UK

Data protection in the UK is governed by the UK GDPR (the version of the EU GDPR retained in UK law after Brexit) together with the Data Protection Act 2018, which supplements it. If you expand your business into the UK, you must ensure your business complies with both; in practice the obligations closely mirror those of the EU GDPR, so existing EU compliance work is a good starting point but must be checked against the UK versions.

The other key piece of legislation you must be mindful of is the Privacy and Electronic Communications Regulations (PECR). The PECR contains important rules on sending direct marketing materials and using cookies on your website.

How to Comply With the GDPR

If you are expanding your business to the UK, you should familiarise yourself with the GDPR because this will affect how you handle personal data. You may collect personal data:

  • directly from your customers (such as their names and contact details);
  • from your contractors; or
  • from your customers about their own clients (for example, if you run a SaaS platform and your customers upload their clients' details into it).

If you collect any special category data (what many people call sensitive information), such as health information or information about someone's ethnicity, religion or sexual orientation, you must take extra care: processing it requires both a lawful basis and a separate condition under Article 9 of the GDPR, and it warrants stronger security controls.

To comply with the GDPR, consider the following steps.

1. Assess Whether You Are a Controller or Processor

The GDPR has different obligations depending on whether you are a data 'controller' or a 'processor.' Sometimes, you may also be considered a joint controller.

Controllers

A controller determines the purposes and means of processing personal data: what personal data to collect and how to process it. Controllers may do so alone or jointly with another entity. For example, you would be considered a controller if you collect contact and payment details from a customer so that you can provide your goods or services to them. You are also a controller when you engage employees.

Processors

A processor processes personal data on behalf of another entity and on that entity's instructions. You may be a controller or a processor, or both a controller and a processor. Many SaaS businesses such as Mailchimp, Stripe and Xero are considered processors when their customers instruct them to process the personal data of a third party. For example, a business might provide all of its employees' payment details to Xero.

2. Understand Your Obligations as a Controller or Processor

Some obligations under the GDPR apply to all businesses, whether controller or processor, such as:

  • implementing appropriate technical and organisational security measures to protect personal data;
  • appointing a data protection officer in some circumstances (for example, where your core activities involve large-scale monitoring of individuals or large-scale processing of special category data); and
  • keeping records of your processing activities and of privacy-related decisions.

Other obligations will depend on whether you are a controller or processor (and it is possible to be both). Key obligations you will have as a controller are:

  • ensuring you have a lawful basis for each processing activity you carry out;
  • displaying a compliant privacy policy to your customers;
  • familiarising yourself and training your staff on the rights of data subjects; and
  • paying an annual data protection fee to the UK Information Commissioner's Office (ICO) unless an exemption applies to your business.

Processors also have obligations under the GDPR, including processing personal data only on the documented instructions of the controller. For example, if you are a CRM provider and your customers upload their clients' personal data into your system, you should use that personal data only to provide your CRM service. Importantly, you should not take that personal data and use it for your own purposes or for another business; doing so would make you a controller of that data, with all the obligations that entails.

3. Put Privacy Documentation in Place

There are several privacy documents that you should put in place to be GDPR compliant. Some of these, such as a privacy policy, are mandatory, and others are a matter of best practice.

Privacy Policy: an externally facing notice that tells people how you handle their personal data, including what you collect, why, on what lawful basis, who you share it with and how long you keep it.

Privacy Register: your business should keep records of the privacy-related decisions it makes and of its processing activities. The GDPR calls this a record of processing activities (Article 30), and the ICO can ask to see it.

Data Processing Agreement: a legally binding contract between a controller and a processor. It states the rights and obligations of each party concerning the protection of personal data. Use this agreement whenever you appoint a data processor to process personal data; the GDPR requires it, so a processor operating without one is itself a compliance gap.

Data Breach Response Plan: a guide that explains what a personal data breach is and outlines the actions the company will take if one happens. Under the UK GDPR a controller must notify the ICO of a reportable breach within 72 hours of becoming aware of it, and a processor must notify its controller without undue delay, so the plan should name who assesses the breach and who makes that notification decision.

Data Retention Policy: a set of guidelines that outlines how long you will keep each type of information or data and the procedures for securely disposing of it when it is no longer needed.

4. Update Your Marketing Practices

If you are expanding your business to the UK, you may need to update your marketing practices so they comply with the GDPR and PECR. Importantly, ensure you have consent to send electronic marketing materials (unless an exception applies, such as the "soft opt-in" for existing customers), and obtain consent before placing any non-essential cookies or similar trackers on a user's device. Cookies that are strictly necessary for the service the user requested do not require consent, but analytics and advertising cookies do.

Key Takeaways

Your business must become GDPR compliant if you want to expand operations to the UK. Not only will you need to comply with the GDPR, but you will also need to ensure that your marketing practices are compliant with the PECR. As a first step, assess whether your business is a controller, processor or both, and understand your corresponding obligations under the GDPR. You should also compile required privacy documentation, including a privacy policy (which a solicitor can help you with), and review your marketing practices to ensure they are compliant.