Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom (e.g., changing references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy, and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019. All material obligations on controller and processors remain the same under the UK GDPR as under the ‘EU GDPR’.
The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data and context-specific exemptions from parts of the GDPR such as data subject rights).
The UK operates a fee-paying scheme for controllers under the Data Protection (Charges and Information) Regulations 2018, known as the ‘Data Protection Fee’. All controllers have to pay the data protection fee to the ICO annually unless they are exempt from doing so.
Under the UK GDPR, each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.
Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
Controllers are responsible for compliance with a set of core principles that apply to all processing of personal data. Under these principles, personal data must be (Article 5):
- Processed lawfully, fairly, and in a transparent manner (the “lawfulness, fairness, and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant, and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary, kept up to date (the “accuracy principle”);
- kept in a form that permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).
“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26), the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data, or other factors which may identify that natural person.
Rights of the Data Subject
Data subjects enjoy a range of rights to control the processing of their personal data replicating those in the EU GDPR. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period, thereby a further two months where the request is onerous.
Right of access (Article 15)
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure (‘right to be forgotten’) (Article 17)
Data subjects may request erasure of their personal data. The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict the processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed to save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).
Right to object (Article 21)
Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend the processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing that override the rights of the data subject.
In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.
The right not to be subject to automated decision-making, including profiling (Article 22)
Automated decision-making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:
necessary for entering into or performing a contract;
authorized by UK law; or
the data subject has given their explicit (i.e., opt-in) consent.
Transfers of personal data by a controller or a processor to third countries outside of the United Kingdom are only permitted where the conditions laid down in the UK GDPR are met (Article 44).
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and standard contractual clauses with additional safeguards to guarantee an essentially equivalent level of protection to data subjects and their personal data1.
Transfers from the EU to the UK
The UK is now a third country for the purposes of Chapter V of the EU GDPR. The trade agreement entered into between the EU and the United Kingdom resolves this by making it lawful to transfer personal data from the EU to the United Kingdom for a period of up to six months from 1 January 2021. This ‘bridging’ period is designed to allow the EU time needed to adopt a formal adequacy decision which will allow the continuing flow of personal data to the United Kingdom at least for an interim period (this is subject to the United Kingdom holding back from adopting any of its own adequacy decisions, or approving any new SCCs, that go beyond those already approved by the EU, without prior EU approval). The EU-UK Joint Declaration, published alongside the trade agreement, includes a clear commitment from the EU to secure a favorable adequacy decision for the United Kingdom within the near term.
The UK GDPR contains a general requirement for a personal data breach to be notified by the controller to the ICO, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).
The controller must notify a breach to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).
Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).
Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the ICO.
The UK GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address that includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the UK GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).
Each direct marketing communication must not disguise or conceal the identity of the sender and include the ‘unsubscribe’ feature referred to above.
The restrictions on marketing by email / SMS only apply in relation to individuals and not where marketing to corporate subscribers.
The use and storage of cookies and similar technologies require:
- clear and comprehensive information, and
- consent of the website user.
Consent is not required for cookies that are:
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
- strictly necessary for the provision of a service requested by the user.
The UK GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or GBP 17.5 million (whichever is higher).
The ICO is not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate, and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions. To date, the ICO has issued several fines under GDPR, ranging from GBP 275,000 to GBP 20 million.
The ICO’s contact details are:
Water Lane, Wilmslow
Cheshire SK9 5AF