The UK GDPR and Data Protection Act 2018 aim to make the UK’s Data and Privacy laws fit for the modern age.
Key UK data and privacy legislation
The UK GDPR, along with the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, forms the foundation of data protection in the UK.
Territorial Scope
The UK GDPR has extraterritorial reach. This means that it does not apply to UK-based organisations only; it also applies to non-UK entities involved in processing data related to UK residents.
What is personal data?
The UK GDPR defines 'personal data' broadly as encompassing any information related to identifiable living individuals. It also confirms that specific categories of information (e.g., genetic and biometric data) constitute personal data. The GDPR also introduces the concepts of 'anonymous information' and 'pseudonymisation'. These allow data to be de-identified for certain purposes.
Controllers and Processors
The UK GDPR distinguishes between single or joint 'controllers' who determine data processing purposes and 'processors' who carry out processing activities on behalf of controllers. Controllers and processors have distinct obligations, including security measures, breach notifications, and international data transfer responsibilities.
UK GDPR Key Principles
The UK GDPR establishes core principles for processing personal data. These include lawful, fair, and transparent processing, data minimisation, accuracy, storage limitation, and security. The UK GDPR makes it clear that organisations must demonstrate compliance with these principles, emphasising accountability as a key obligation and concept.
Lawful Bases for Processing
Personal data can only be processed on specific lawful bases, including consent, contract performance, legal obligations, and legitimate interests. Consent under UK GDPR sets a high standard and requires clear, informed, and easily revocable consent.
Special Category Data
The GDPR imposes additional safeguards for 'special category data,' which includes sensitive information such as race, religion, and health data. Processing such data requires specific conditions, like explicit consent or necessity for legal claims.
Transparency and Data Subject Rights
Controllers must inform individuals about data collection, retention, disclosure, and international transfers. Data subjects have various rights, including:
Right of access: Data subjects can request their data from controllers.
Right to be forgotten: Individuals can request data deletion in specific cases.
Right to data portability: Data must be provided in a machine-readable format.
Right to object: Data subjects can object to processing under certain conditions.
Right to object to automated decision-making: The UK GDPR restricts automated decisions affecting individuals.
Data Breach Notification
The UK GDPR requires controllers to report personal data breaches to the ICO and, in some cases, to data subjects. Timely reporting is essential, and fines can result from failure to comply.
International Transfers
The UK GDPR limits international data transfers outside the UK. Adequacy decisions, standard contractual clauses, and binding corporate rules are mechanisms for lawful transfers. Transfers to jurisdictions without adequacy decisions require additional safeguards.
Accountability Measures
Organisations with over 250 employees must maintain records of data processing activities and adhere to the principle of 'data protection by design and default.' Data protection officers are also mandatory for specific entities.
Data Protection Impact Assessments
Controllers must conduct data protection impact assessments for high-risk processing activities, ensuring compliance with UK GDPR requirements. The ICO can suspend or ban data processing if risks are not mitigated.
Sanctions
The UK GDPR imposes substantial fines for non-compliance. Administrative fines can reach up to £17.5 million or 4% of a business's global annual turnover, depending on the infringement's severity. Other regulatory powers, including warnings and orders, may also be exercised.
Please contact Nathan Combes if you’d like more information about the issues raised in this update and/or to find out more about the data protection related policies, documents, advice and training that we provide.
Disclaimer: the information set out above does not constitute legal advice and it is provided for general information purposes only. No warranty, whether express or implied is given and neither the author or Harrington Law shall be liable for any technical, editorial, typographical or other errors or omissions within the information provided.