
UK - Data Protection Overview

January 2024

1. Governing Texts

In the UK, the key pieces of legislation governing data protection are the UK General Data Protection Regulation (Regulation (EU) 2016/679, as retained and amended in UK law) ('UK GDPR') and the Data Protection Act 2018 ('the Act').

The current version of the legislative framework (as amended following the withdrawal of the UK from the European Union on January 31, 2020) has applied in the UK since January 1, 2021.

In respect of electronic communications (in particular marketing activities), the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR') sit alongside the UK GDPR and the Act, providing a further set of specialized rules.

The Retained EU Law (Revocation and Reform) Act 2023 ('REULA') received Royal Assent on June 29, 2023, and its main provisions took effect at the end of December 31, 2023. The aim of REULA is to 'sunset' specified EU laws that were retained as part of UK law after Brexit. The UK GDPR and PECR are not on the list of legislation due to be revoked, and accordingly the UK data protection framework retains all of its main constituent elements.

However, REULA affects how data protection law is interpreted and applied by the courts. It abolishes the principle of the supremacy of EU law, which means that retained EU law (such as the UK GDPR) must now be interpreted compatibly with, and gives way in the event of conflict to, domestic legislation, subject to a limited carve-out preserving the position for data subject rights. REULA also abolishes the general principles of EU law (e.g., proportionality) as an aid to interpretation, and provides mechanisms for courts to depart from retained EU case law.

A proposed new law, the Data Protection and Digital Information Bill, which would amend the UK GDPR and the Act, stalled in September 2022 after a change of UK Government ('the Government'). It was withdrawn and reintroduced in an amended form to the UK Parliament ('the Parliament') in March 2023 as the Data Protection and Digital Information (No. 2) Bill ('Bill No. 2'), and continues its passage through the UK legislature at the date of this note.

This note sets out the UK law position as of December 31, 2023.

1.1. Key acts, regulations, directives, bills

The UK GDPR

The key piece of legislation in the UK is the UK GDPR. The UK GDPR sets out core definitions and fundamental data protection principles relating to data processing, the lawful grounds for processing data, as well as certain accountability duties and obligations that apply to both organizations and individuals who are processing personal data caught by the scope of the UK GDPR. The UK GDPR also contains certain rights for natural persons who are data subjects, including the right to obtain a legal remedy, such as compensation.

The UK GDPR is effectively the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') as incorporated into domestic law by the European Union (Withdrawal) Act 2018 (as amended by the European Union (Withdrawal Agreement) Act 2020) ('the Withdrawal Act'), and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, themselves amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 ('the Amendments').

The UK GDPR has applied in the UK since January 1, 2021. The Government has published a Keeling Schedule setting out the variations between the EU GDPR and the UK GDPR ('the Keeling Schedule').

At the time of writing, the GDPR and the UK GDPR remain broadly similar, parallel regimes that have not yet diverged significantly. However, on September 10, 2021, the Department for Digital, Culture, Media & Sport ('DCMS') announced that the Government had launched a public consultation on proposed reforms to the UK data protection framework. This resulted in Bill No. 2, which continues its passage (in a revised form) through the Parliament. If passed, it will lead to divergence between the two regimes.

REULA will not 'sunset' the UK GDPR, but it changes how the courts interpret and apply it, which may itself lead to divergence between the two regimes over time.

The Act

The Act complements and supplements the regime set out in the UK GDPR. In particular, it contains further specific restrictions on, and derogations from, the primary data protection regime (for example, as permitted by Article 23 of the UK GDPR).

The original version of the Act came into force on May 25, 2018. It was amended following Brexit, and the current version has applied in the UK since January 1, 2021. The Keeling Schedule sets out the amendments made to the Act with effect from January 1, 2021.

REULA does not directly affect the Act. However, the Act's provisions supplement the UK GDPR and cannot stand alone as a framework for processing personal data (except for law enforcement and intelligence services processing). Because REULA changes the way in which courts apply and interpret the UK GDPR, it may have a knock-on effect on the Act (e.g., on the viability of any future legal challenge to sections of the Act made under the Article 23 UK GDPR framework for derogations, on the basis that they are contrary to that framework or to general principles of EU law).

The Act will be further amended by Bill No. 2 once it is finalized, receives Royal Assent, and enters into force. The exact timescale is unclear, but this is likely to occur during 2024.

The key sections of the Act which are of relevance to most organizations processing personal data are:

  • Parts 1 and 2: contain further definitions (Section 3), the meaning of 'public authority' (Section 7), and what counts as processing necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority (Section 8);
  • Part 6: contains the enforcement powers of the Information Commissioner's Office ('ICO') and specific criminal offenses in UK law relating to personal data;
  • Schedule 1: contains further specific conditions for processing 'special category data' and 'criminal convictions and offenses data'; and
  • Schedules 2 and 3: contain specific exemptions from the UK GDPR, including exemptions applicable to data subject rights requests, which are particularly relevant to requests for access to personal data (data subject access requests ('DSARs')).

The Act also contains provisions relating to processing that falls outside of the material scope of the UK GDPR (as set out in Article 2 of the UK GDPR). This includes:

  • the processing of personal data by a competent authority for any of the law enforcement purposes (see Part 3 of the Act); and
  • the processing of personal data by the intelligence services, as defined (see Part 4 of the Act).

Finally, the Act contains provisions relating to the ICO, including its general functions and statutory codes of practice that the ICO is expected to publish, and provisions relating to the data protection fee to be paid by certain controllers (see Part 5 of the Act).

1.2. Guidelines

The ICO has published a number of guidelines and templates for organizations, in particular the Guide to Data Protection and the Guide to the UK GDPR.

The ICO is also required under the Act to produce four statutory Codes of Practice, concerning age-appropriate design, data sharing, direct marketing, and journalism. The Age Appropriate Design Code of Practice and the Data Sharing Code of Practice have been published. A formal statutory code on direct marketing has not yet been published, although the ICO published Guidance on Direct Marketing in December 2022. The ICO is also developing and consulting on a Journalism Code of Practice, a draft of which was formally submitted to the statutory process in July 2023.

1.3. Case law

The UK GDPR and the Act are relatively new pieces of legislation and, as such, there has been limited reported litigation under either that adds further content to the legal framework.

The most significant case law in terms of impact on the data protection framework is R (Open Rights Group and the3million) v Secretary of State for the Home Department [2021] EWCA Civ 800. The Court of Appeal's judgment had the effect of striking down the Immigration Exemption in Schedule 2 of the Act. This led to the amendment of the exemption by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 and the introduction of 'immigration exemption policy documents', effective as of January 31, 2022. The Government published an Immigration Exemption Policy Document on February 4, 2022. A second legal challenge followed. On December 11, 2023, the Court of Appeal handed down judgment in R (the3million and Open Rights Group) v Secretary of State for the Home Department and Ors [2023] EWCA Civ 1474, striking down the Immigration Exemption (as amended) for a second time on the basis that it is incompatible with Article 23 of the UK GDPR. The Government has been granted three months to make the changes required by the court, so further legislative amendments are expected.

There have been a number of (more minor) procedural hearings in the context of data breach claims under the new law, which are instructive to practitioners in this field:

In addition, although decided on the basis of the old law which is no longer in effect, the following significant recent cases are still potentially of relevance to organizations dealing with data protection claims and related privacy issues under the new legislative framework:

2. Scope of Application

2.1. Personal scope

The UK GDPR and the Act apply to the processing of personal data by controllers or processors.

Personal data means information that relates to an identified or identifiable living individual, as defined in Article 4(1) of the UK GDPR and Section 3 of the Act.

The data protection framework does not apply to information relating to deceased individuals, nor does it cover the processing of information that concerns legal persons (such as companies). These matters fall outside of the scope of the UK GDPR and the Act.

2.2. Territorial scope

The UK GDPR and the Act apply both to the processing of personal data taking place within the territory of the UK and extraterritorially, in certain circumstances, to processing taking place outside of the UK.

The provisions relating to territorial scope are Article 3 of the UK GDPR and Section 207 of the Act.

The data protection legislation applies to the processing of personal data by a controller or a processor in one of the following contexts:

  • in the context of the activities of an 'establishment' in the UK (regardless of whether the actual processing occurs in the UK); whether a controller or processor has an 'establishment' can be a complicated question, but an office, branch, or subsidiary in the UK may, for example, suffice;
  • in the context of the processing of personal data of individuals who are (physically present) in the UK by a controller or processor that is not established in the UK, where the processing activities are related to either:
    • the offering of goods and services to those individuals (regardless of whether payment is charged), which could include targeting a retail or social media website at individuals in the UK through the use of local currency or language; or
    • the monitoring of their behavior, so far as that behavior takes place in the UK, which could include building profiles of individuals through the use of cookies in order to better target advertising to them; and
  • in the context of the processing of personal data by a controller that is not established in the UK, where domestic law applies by virtue of public international law.

2.3. Material scope

The UK GDPR and the Act apply to the automated or structured processing of personal data (including 'special category data' and 'criminal convictions and offenses data', as further covered by Articles 9 and 10 of the UK GDPR, respectively). This includes:

  • the processing of personal data wholly or partly by automated means, which is not further defined, but is likely to include any processing by computers or other technologies; and
  • the processing of personal data other than by automated means that forms part of a filing system or is intended to form part of a filing system, which is likely to include e.g., organized paper files, or contact lists, and address books.

For public authorities subject to the Freedom of Information Act 2000 (and only for them), the regime also extends to manual unstructured processing of personal data.

The provisions relating to material scope are contained in Article 2 of the UK GDPR.

The UK GDPR does not apply to the processing of personal data by an individual in the course of a purely personal or household activity (Article 2(2) of the UK GDPR).

As the UK GDPR and the Act apply to the personal data of a living individual who can be identified, directly or indirectly, they do not apply to information that has been anonymized. However, whilst the UK GDPR includes a definition of 'pseudonymization', it should be noted that it does not contain a specific definition of 'anonymization'.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The ICO is the data protection regulator in the UK and is entrusted with responsibilities and functions pursuant to Article 51 of the UK GDPR and Section 115 of the Act, as well as the more detailed functions and duties described below.

3.2. Main powers, duties and responsibilities

The tasks and powers of the ICO are set out in Articles 57 and 58 of the UK GDPR, respectively.

The ICO's main duties are to monitor and enforce the UK GDPR, including handling complaints from data subjects and conducting investigations. It is also responsible for advising controllers and processors where required (e.g., under Article 36, where prior consultation with the ICO is required following a Data Protection Impact Assessment ('DPIA')) and for promulgating certain guidance and documents, such as codes of conduct and Standard Contractual Clauses ('SCCs').

The ICO's investigative powers are wide-reaching and include the power to conduct an audit on a controller or processor, to search premises, to issue warnings, reprimands, and fines, to impose limitations and bans on processing, to suspend international data flows, and to require certain communications to be made to data subjects.

The ICO also has advisory and authorization powers and can approve (for example) safeguards for international data transfers, such as Binding Corporate Rules ('BCRs').

The Act supplements the tasks and powers which are set out in the UK GDPR, as follows:

  • Part 5 of the Act contains further specific provisions that supplement the ICO's duties and powers, including safeguards imposed on the exercise of the ICO's powers; and
  • Part 6 of the Act sets out the enforcement powers of the ICO in detail, including powers to impose information notices, assessment notices, enforcement and penalty notices, as well as powers of entry and inspection, and the specific criminal offenses which the ICO has the power to prosecute in the UK.

The ICO is required to carry out its tasks and exercise its powers with complete independence (Article 52 of the UK GDPR).

4. Key Definitions

Personal data: 'Personal data' means any information relating to an identified or identifiable living natural person (Article 4(1) of the UK GDPR and Sections 3(2) and 3(3) of the Act).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive data: The UK GDPR and the Act contain two 'categories' of 'sensitive data', which are subject to additional safeguards (Articles 9 and 10 of the UK GDPR and Sections 10 and 11 of the Act).

The first category is 'special category data', which means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

The second category is 'criminal convictions and offenses data'. This includes personal data relating to both:

  • the alleged commission of offenses by the individual; and
  • proceedings for an offense committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Data controller: 'Data controller' means the natural or legal person, public authority, agency, or other body which (alone or jointly with others) decides on the purposes and means of processing of personal data (Article 4(7) of the UK GDPR).

Data processor: 'Data processor' means the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (i.e. on their instructions and usually pursuant to a written contract) (Article 4(8) of the UK GDPR).

Data subject: 'Data subject' means the identified or identifiable natural person, whose personal data is being processed and to whom personal data relates (Article 4(1) of the UK GDPR and Section 3(5) of the Act).

Biometric data: 'Biometric data' means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the UK GDPR).

Health data: 'Health data' or 'data concerning health' (the term used in the UK GDPR) means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status (Article 4(15) of the UK GDPR).

Pseudonymization: 'Pseudonymization' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 4(5) of the UK GDPR).

5. Legal Bases

5.1. Consent

Consent can be relied upon where it has been given by the data subject for the processing of their personal data for one or more specific purposes (Article 6(1)(a) of the UK GDPR).

For consent to be valid, it must meet the specific requirements for consent under Articles 4(11), 7, and 8 (in respect of information society services offered to children) of the UK GDPR.

'Consent' means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them (Article 4(11) of the UK GDPR). The data subject has the right to withdraw their consent at any time (Article 7(3) of the UK GDPR).

Consent can be relied upon both for 'personal data' under Article 6(1)(a) of the UK GDPR and for 'special category data' under Article 9(2)(a); however, for 'special category data' the higher standard of 'explicit consent' is required.

Consent can also be relied upon in relation to 'criminal convictions and offenses data' (Schedule 1, Part 3, Paragraph 29 of the Act).

5.2. Contract with the data subject

This basis is set out in Article 6(1)(b) of the UK GDPR and can be relied upon where it is necessary for the performance of the contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

If the data includes 'special category data' or 'criminal convictions and offenses data', a further condition is required in addition to this basis: a condition under Article 9(2) of the UK GDPR for 'special category data' (certain of which also require a condition under Schedule 1 of the Act), and a condition under Schedule 1 of the Act for 'criminal convictions and offenses data' (Article 10 of the UK GDPR and Section 10 of the Act).

5.3. Legal obligations

This basis is set out in Article 6(1)(c) of the UK GDPR and can be relied upon where processing is necessary for compliance with a legal obligation to which the controller is subject.

If the data includes 'special category data' or 'criminal convictions and offenses data', a further condition is required in addition to this basis: a condition under Article 9(2) of the UK GDPR for 'special category data' (certain of which also require a condition under Schedule 1 of the Act), and a condition under Schedule 1 of the Act for 'criminal convictions and offenses data' (Article 10 of the UK GDPR and Section 10 of the Act).

5.4. Interests of the data subject

This basis is set out in Article 6(1)(d) of the UK GDPR and can be relied upon where processing is necessary in order to protect the vital interests of the data subject or of another natural person. It is envisaged as a residual category for emergency situations.

For 'special category data' and 'criminal convictions and offenses data', equivalent conditions are set out in Article 9(2)(c) of the UK GDPR and Schedule 1, Part 3, Paragraph 30 of the Act, respectively, where the data subject is physically or legally incapable of giving consent.

5.5. Public interest

This basis is set out in Article 6(1)(e) of the UK GDPR and can be relied upon where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Under Section 8 of the Act, there is a (non-exhaustive) list of possible functions that would count as being within the scope of the 'public interest' legal basis for processing data, including activities necessary for the administration of justice, or an activity that supports or promotes democratic engagement.

If the data includes 'special category data' or 'criminal convictions and offenses data', a further condition is required in addition to this basis: a condition under Article 9(2) of the UK GDPR for 'special category data' (certain of which also require a condition under Schedule 1 of the Act), and a condition under Schedule 1 of the Act for 'criminal convictions and offenses data' (Article 10 of the UK GDPR and Section 10 of the Act).

5.6. Legitimate interests of the data controller

This basis is set out in Article 6(1)(f) of the UK GDPR and can be relied upon where the processing is necessary for the purposes of the legitimate interests pursued by the controller, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.

This legal basis does not apply to processing carried out by public authorities in the performance of their tasks (in which case the legal basis under Article 6(1)(e) would be more appropriate to rely upon).

If the data includes 'special category data' or 'criminal convictions and offenses data', a further condition is required in addition to this basis: a condition under Article 9(2) of the UK GDPR for 'special category data' (certain of which also require a condition under Schedule 1 of the Act), and a condition under Schedule 1 of the Act for 'criminal convictions and offenses data' (Article 10 of the UK GDPR and Section 10 of the Act).

5.7. Legal bases in other instances

The above are the core legal bases that will apply to most personal data processed by a controller.

However, the Act does contain further legal bases that can be relied upon to process more sensitive data, i.e., 'special category data' and 'criminal convictions and offenses data'.

The further conditions are set out in Schedule 1 of the Act and include, for example, in Schedule 1, Part 1, Paragraph 1, a specific condition for the processing of 'special category data' in the employment context, where obligations or rights are imposed by law on the controller or the data subject in connection with employment, social security, or social protection law.

In order to rely upon some of the conditions in Schedule 1 of the Act, the controller must have in place an appropriate policy document (as defined in Schedule 1, Part 4).

The Act also contains a number of exemptions that apply, including to the requirement to have a 'legal basis' for processing. For example, Schedule 2, Part 5, Paragraph 26 sets out exemptions for the 'special purposes', which include the purposes of journalism. Therefore, in certain circumstances, the requirement for a legal basis will not apply.

Finally, where the controller is engaged in direct marketing, it must in addition check that the requirements for sending electronic communications to an individual set down by PECR are met (such as prior consent, where applicable).

6. Principles

There are seven data protection principles that govern all data processing, set out in Article 5 of the UK GDPR. The first six (Article 5(1)) require that personal data be:

  • Lawfulness, fairness, and transparency principle: processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5(1)(a));
  • Purpose limitation principle: collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (save for certain archiving purposes, as defined) (Article 5(1)(b));
  • Data minimization principle: adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c));
  • Accuracy principle: accurate and, where necessary, kept up to date, whereby every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (Article 5(1)(d));
  • Storage limitation principle: kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (save for archiving purposes, as defined) (Article 5(1)(e)); and
  • Integrity and confidentiality principle: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (Article 5(1)(f)).

Finally, the controller is responsible for, and must be able to demonstrate, compliance with these principles (e.g., by way of policies and records). This seventh principle is called the 'accountability' principle (Article 5(2) of the UK GDPR).

7. Controller and Processor Obligations

7.1. Data processing notification

The relevant legislation is the Data Protection (Charges and Information) Regulations 2018 ('the Regulations'), which came into effect on May 25, 2018, and replaced the notification scheme under the previous law. In accordance with Section 137 of the Act and Regulation 2(2) of the Regulations, data controllers must pay the ICO a data protection charge within the first 21 days of each charge period, unless they are exempt.

Within the first 21 days of each charge period, a data controller must also provide the ICO with the following information (Regulation 2(3) of the Regulations):

  • the name and address of the data controller. In accordance with Regulation 2(5) of the Regulations, the address of a registered company is that of its registered office, and the address of a person carrying on a business is that of the person's principal place of business in the UK;
  • whether the number of members of staff of the data controller is:
    • less than or equal to ten;
    • greater than ten but less than or equal to 250; or
    • greater than 250;
  • whether the turnover for the data controller's financial year is:
    • less than or equal to £632,000;
    • greater than £632,000 but less than or equal to £36 million; or
    • greater than £36 million; and
  • whether the data controller is a public authority.

There are three tiers of charges which determine the amount payable by a data controller (Regulation 3 of the Regulations and Section 3 of the ICO's Guide to the data protection fee ('the Guide')). The level of fee depends on the type of organization, its size, and its turnover (e.g., charities pay the lowest tier of fee regardless of size and turnover). Certain organizations, such as those that only process personal data for not-for-profit purposes or to maintain a public register, are exempt from paying a fee. Failure to pay the correct fee where one is due is punishable by a penalty of up to £4,350 (150% of the top-tier fee).

Tier 1: micro-organizations

The charge for Tier 1 organizations is £40 (Regulation 3 of the Regulations). A data controller is in Tier 1 if:

  • it has a turnover of maximum £632,000 for the financial year;
  • the number of members of staff is less than or equal to ten;
  • it is a charity; or
  • it is a small occupational pension scheme.

Tier 2: small and medium organizations

The charge for Tier 2 organizations is £60 (Regulation 3 of the Regulations). A data controller is in Tier 2 if it does not fall within Tier 1 and either:

  • it has a turnover of a maximum of £36 million for the financial year; or
  • the number of members of staff is less than or equal to 250.

Tier 3: large organizations

If a data controller does not fall within Tier 1 or Tier 2, a Tier 3 charge of £2,900 is payable (Regulation 3 of the Regulations).

The turnover and number of members of staff are determined on the first day of the charge period to which the charge relates (Regulation 3 of the Regulations). 'Members of staff' is broadly defined and includes all employees, workers, office holders, partners, and part-time staff members (Section 4 of the Guide).

The ICO publishes a Data Protection Public Register of fee payers, which can be consulted on its website. The information published on the register includes the name and address of the controller, registration number, tier of fee paid, date paid and expiry/renewal date, any other trading names, contact details for the DPO (if applicable), and the DPO's name, if they have consented to its publication.

Exemptions

In particular, the processing of personal data is exempt, among other cases, when the processing is (Paragraph 2 of the Schedule to the Regulations):

  • of personal data that is not being processed wholly or partly by automated means or recorded with the intention that it should be processed wholly or partly by automated means;
  • undertaken by a data controller for the purposes of their personal, family, or household affairs, including:
    • the processing of personal data for recreational purposes; and
    • the capturing of images, in a public space, containing personal data;
  • for the purpose of the maintenance of a public register;
  • for the purposes of matters of administration in relation to the members of staff and volunteers of, or persons working under any contract for services provided to, the data controller;
  • for the purposes of advertising, marketing, and public relations in respect of the data controller's business, activity, goods, or services;
  • made by or obtained from a credit reference agency, in relation to any activity carried on by the data controller, for the purposes of:
    • making financial or financial management forecasts;
    • keeping accounts, or records of purchases, sales, or other transactions; or
    • deciding whether to accept any person as a customer or supplier;
  • carried out by a body or association which is not established or conducted for profit and which carries out the processing for the purposes of establishing or maintaining membership or support for the body or association, or providing or administering activities for individuals who are either a member of the body or association or who have regular contact with it.

The processing of personal data is also exempt when the disclosure of the personal data is (Section 3 of the Schedule of the Regulations):

  • required by or under any enactment, by any rule of law, or by the order of a court;
  • made for the purposes of:
    • the prevention or detection of crime;
    • the apprehension or prosecution of offenders; and
    • the assessment or collection of any tax or duty or of any imposition of a similar nature; and where not being able to make the disclosure would be likely to prejudice any of the matters mentioned above; and
  • necessary:
    • for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), and
    • for the purposes of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising, or defending legal rights.

How to

Data protection fees can be paid via a dedicated portal on the ICO's website.

Penalties

The ICO may issue a monetary penalty to data controllers who have either (Section 155 of the Act and Section 9 of the Guide to the data protection fee):

  • not paid a fee; or
  • not paid the correct fee.

The maximum penalty is a £4,350 fine (Section 9 of the Guide to the data protection fee).

7.2. Data transfers

There are no data localization requirements in the UK, that is, the data does not need to be physically kept in the UK.

However, there are stringent requirements for international data transfers of personal data.

Under Article 44 of the UK GDPR, any transfer of personal data to a third country or international organization may only take place under certain conditions and/or with certain safeguards in place.

These are further set out in Articles 45 to 49 of the UK GDPR and include the following:

Adequacy

A transfer may take place where it is based on adequacy regulations made by the Secretary of State under Section 17A of the Act (Article 45 of the UK GDPR).

At present, transfers may be made from the UK to the following destinations without the requirement for further safeguards, as they are treated as 'adequate':

  • the European Economic Area ('EEA') countries (i.e. the EU Member States and the EEA European Free Trade Association ('EFTA') states, Iceland, Liechtenstein, and Norway);
  • EU or EEA institutions, bodies, offices, or agencies;
  • Gibraltar;
  • countries, territories, and sectors covered by the European Commission's ('the Commission') full adequacy decisions in force as of December 31, 2020 (Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay);
  • countries subject to the Commission's partial findings of adequacy in force as of December 31, 2020, concerning Japan (private sector organizations only) and Canada (covering data that is subject to Canada's Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA')); and
  • countries specifically covered by the UK's own adequacy regulations, currently only the Republic of Korea (South Korea) and the US (for transfers of personal data to organizations in the US that are certified under the UK Extension to the EU-US Data Privacy Framework, commonly referred to as the 'UK-US data bridge').

Finally, it should also be noted that the Commission has adopted an adequacy decision in favor of the UK (Commission Implementing Decision of June 28, 2021, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, on the adequate protection of personal data by the United Kingdom ('the Adequacy Decision')), which allows transfers of personal data from the EEA to the UK on the basis of the current UK data protection framework. The Adequacy Decision contains a sunset clause: unless renewed, it expires on June 27, 2025, four years after its entry into force.

Safeguards

A transfer may take place where it is subject to appropriate safeguards (Article 46 of the UK GDPR).

In the absence of adequacy regulations, a controller or processor wishing to transfer personal data to a third country or international organization can only do so if appropriate safeguards are in place, and on the condition that both enforceable data subject rights and legal remedies for data subjects are available.

The appropriate safeguards can be one of the following:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • BCRs in accordance with Article 47 of the UK GDPR;
  • standard data protection clauses specified in regulations made by the Secretary of State under Section 17C of the Act;
  • standard data protection clauses specified in a document issued (and not withdrawn) by the ICO under Section 119A of the Act;
  • an approved code of conduct pursuant to Article 40 of the UK GDPR (together with binding and enforceable commitments to apply the appropriate safeguards); or
  • an approved certification mechanism pursuant to Article 42 of the UK GDPR (together with binding and enforceable commitments to apply the appropriate safeguards).

The ICO has issued a new International Data Transfer Agreement ('IDTA') and a new International Data Transfer Addendum to the European Commission SCCs ('Addendum'). These came into force on March 21, 2022. Contracts entered into on or before September 21, 2022 on the basis of the old EU SCCs could continue to be relied on only until March 21, 2024, after which they must be replaced with the IDTA or the Addendum. The ICO has also issued Guidance on transfer risk assessments ('TRAs'), which the ICO expects to be carried out before relying on an Article 46 transfer tool such as the IDTA or the Addendum.

The ICO also has the power to authorize particular contractual clauses between parties, or administrative arrangements between public authorities.

Derogations

A transfer may take place in limited circumstances and only on specified conditions (Article 49 of the UK GDPR).

In the absence of adequacy regulations and safeguards, as above, a controller or processor wishing to transfer personal data to a third country or international organization can only do so on the following specified conditions:

  • consent condition: the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a));
  • contract with the data subject condition: the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request (Article 49(1)(b));
  • contract in the interests of the data subject condition: the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (Article 49(1)(c));
  • public interest condition: the transfer is necessary for important reasons of public interest (Article 49(1)(d));
  • legal claims condition: the transfer is necessary for the establishment, exercise, or defense of legal claims (Article 49(1)(e));
  • vital interests condition: the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (Article 49(1)(f)); or
  • public register condition: the transfer is made from a register which according to domestic law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in domestic law for consultation are fulfilled in the particular case (Article 49(1)(g)).

Finally, there is a further derogation where none of the above apply, if the transfer is not repetitive, if it concerns only a limited number of data subjects, if it is necessary for the purposes of compelling legitimate interests pursued by the controller (which are not overridden by the interests or rights and freedoms of the data subject), and if the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. The controller also needs to inform the ICO and the data subject of the transfer and provide specified information (compelling legitimate interests condition) (second subparagraph of Article 49(1)).

7.3. Data processing records

There are separate mandatory requirements for controllers and for processors, set out under Article 30 of the UK GDPR to maintain data processing records in writing (including in electronic form).

Controllers

Controllers are required to include the following mandatory information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and the DPO;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data has been, or will be, disclosed including recipients in third countries or international organizations; and
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.

Controllers are also required to consider including the following (optional) information:

  • where possible, the envisaged time limits for the erasure of the different categories of data; and
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

Processors

Processors are required to include the following mandatory information relating to processing activities carried out on behalf of a controller:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the DPO;
  • the categories of processing carried out on behalf of each controller; and
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization, and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.

Processors are also required to consider including where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

Small organizations (employing fewer than 250 persons) are exempt from the requirement to maintain mandatory data processing records unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing involves 'special category data' or 'criminal convictions and offenses data' (Article 30(5)).

7.4. Data protection impact assessment

There is a mandatory requirement for controllers to carry out a DPIA in certain circumstances pursuant to Article 35 of the UK GDPR:

  • in any case where the processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where it uses new technologies (Article 35(1));
  • where the controller is carrying out a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person (Article 35(3)(a));
  • where the controller is processing on a large scale 'special category data' referred to in Article 9(1) of the UK GDPR, or 'criminal convictions and offenses data' referred to in Article 10 of the UK GDPR (Article 35(3)(b)); or
  • where the controller is carrying out systematic monitoring of a publicly accessible area on a large scale (Article 35(3)(c)).

The cases in Article 35(3) are examples of processing that is treated as high risk; the general test in Article 35(1) applies to any other processing that is likely to result in a high risk.

The UK Blacklist (the ICO's list, published under Article 35(4) of the UK GDPR, of the kinds of processing operations that require a DPIA) sets out the following criteria. Several of them apply only when the operation also meets another criterion from the Article 29 Working Party's ('WP29's') Guidelines on Data Protection Impact Assessment ('the Guidelines'):

  • innovative technologies: any intended processing operation involving innovative use of technologies (or applying new technological and/or organizational solutions) when combined with any other criterion from the Guidelines, for example when obtaining the Passport to compliance required before installing and operating surveillance camera systems in line with the Surveillance Camera Code of Practice;
  • denial of service;
  • large-scale profiling;
  • biometric data: any intended processing operation involving biometric data for the purpose of uniquely identifying an individual when combined with any other criterion from the Guidelines;
  • genetic data: any intended processing operation involving genetic data when combined with any other criterion from the Guidelines;
  • data matching;
  • invisible processing: any intended processing operation where the controller is relying on Article 14(5)(b) of the UK GDPR when combined with any other criterion from the Guidelines;
  • tracking: any intended processing operation involving geolocation data when combined with any other criterion from the Guidelines;
  • targeting of children/other vulnerable individuals for marketing, profiling for automated decision-making, or the offer of online services; and
  • risk of physical harm.

In addition, the DPIA Guidance provides further guidance on when a DPIA is required, which includes the following:

  • innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including artificial intelligence ('AI'));
  • denial of service: decisions about an individual's access to a product, service, opportunity, or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data;
  • large-scale profiling: any profiling of individuals on a large scale;
  • biometrics: any processing of biometric data;
  • genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject;
  • data matching: combining, comparing, or matching personal data obtained from multiple sources;
  • invisible processing: processing of personal data that has not been obtained directly from the data subject in circumstances where the controller considers that compliance with Article 14 of the UK GDPR would prove impossible or involve disproportionate effort;
  • tracking: processing which involves tracking an individual's geolocation or behavior, including, but not limited to, the online environment;
  • targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling, or other automated decision-making, or if you intend to offer online services directly to children; and
  • risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardize the health or safety of individuals.

Exceptions

A DPIA is not required:

  • where the processing is not likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1) of the UK GDPR);
  • where the nature, scope, context, and purposes of the processing are very similar to processing for which a DPIA has already been carried out, in which case a single assessment may be used for the set of similar processing operations (Article 35(1) of the UK GDPR);
  • where the processing operations were checked by a supervisory authority before May 2018 under specific conditions that have not changed (Page 13 of the Guidelines);
  • where processing pursuant to Article 6(1)(c) or (e) of the UK GDPR has a legal basis in domestic law, that law regulates the specific processing operation or set of operations in question, and a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, in which case Articles 35(1) to (7) of the UK GDPR do not apply unless it is still considered necessary to carry out such an assessment prior to the processing activities (Article 35(10) of the UK GDPR); or
  • where the processing is included in a whitelist issued by the ICO (Article 35(5) of the UK GDPR).

The ICO also has the power to publish a whitelist of processing operations that are exempted from conducting a DPIA. No whitelist has been published to date by the ICO.

Furthermore, the DPIA has to contain certain elements as set out in Articles 35(7) to (9), but a single assessment may cover a set of similar processing operations presenting similar risks (e.g. a whole CCTV system for an organization). Within the DPIA Guidance, the ICO has published a template DPIA, which specifies how to carry out a DPIA.

The controller should seek the advice of a DPO and may need to consult with the ICO in circumstances where the 'residual risk' of the processing, after taking mitigating measures, is still assessed to be 'high risk' (Article 36 of the UK GDPR).

How to Conduct a DPIA

The DPIA Guidance includes DPIA checklists. In addition, the ICO has published a template for DPIAs. Furthermore, the SCC has published a Template for privacy impact assessments for surveillance cameras.

Prior consultation

A data controller that submits a DPIA to the ICO for prior consultation under Article 36 of the UK GDPR will be notified, within ten days of sending the DPIA, whether it has been accepted for consultation (the DPIA Guidance). Under Article 36(2), the ICO then has up to eight weeks (extendable by a further six weeks for complex processing) to provide its written advice.

The DPIA Guidance provides further guidance and examples regarding the obligation to consult the supervisory authority.

7.5. Data protection officer appointment

Under Part 3 of the Act (law enforcement processing), a controller that is a competent authority is required to designate a DPO, unless the controller is a court, or other judicial authority, acting in its judicial capacity (Section 69(1) of the Act). Unlike Article 37 of the UK GDPR, this Part 3 requirement is not conditional on the nature of the controller's processing activities.

In addition, there is a mandatory requirement for controllers and processors to appoint a DPO in certain circumstances pursuant to Article 37 of the UK GDPR:

  • where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale; or
  • where the core activities of the controller or the processor consist of processing on a large scale of 'special category data' or 'criminal convictions and offenses data'.

Moreover, the Adequacy Decision explains the UK's essential equivalence to the EU, as part of which it highlights that there is a similar requirement for a data controller or processor to designate a data protection officer under the UK GDPR, where its core activities consist of processing special categories of data on a large scale.

However, the Government has proposed the removal of the existing requirements to designate a data protection officer and instead, introduce a requirement to designate a suitable individual, or individuals, to be responsible for the privacy management program and for overseeing the organization's data protection compliance (paragraph 160 of the Data: a new direction).

Role

Section 71 of the Act provides information on the tasks of the DPO.

Furthermore, the primary duties of the DPO are to monitor compliance with the UK GDPR, to provide advice to the controller or processor, and to act as a liaison with the ICO. Details relating to the position of the DPO and their tasks are set out in Articles 38 and 39 of the UK GDPR, respectively.

In particular, the DPO Guidance specifies that, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced, so that they can provide effective oversight. It also states that it is an advantage for the DPO to have a good knowledge of the industry or sector in which the company operates, as well as of the company's data protection needs and processing activities.

The contact details of the DPO need to be published and also communicated to the ICO (Article 37(7) of the UK GDPR). In order to add a DPO, the controller or processor must use the following email address: [email protected]. The ICO also provides an online form on its website for submitting DPO details.

7.6. Data breach notification

There is a mandatory requirement to notify personal data breaches, in certain circumstances, to both the ICO and to the data subjects affected by the breach. The relevant provisions are set out in Articles 33 (notification to the ICO) and 34 (notification to the data subject) of the UK GDPR.

The duties to notify a data breach are different for a controller and for a processor.

For a controller, it is necessary to notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the personal data breach. The breach must be notified to the ICO unless it is unlikely to result in a risk to the rights and freedoms of individuals; where the notification is made after 72 hours, it must be accompanied by the reasons for the delay (Article 33(1)). The elements set out in Article 33(3) of the UK GDPR should be included in the notification, and the controller must in any case document every personal data breach, including its facts, effects, and the remedial action taken, whether or not it is notified (Article 33(5)). The ICO provides a breach reporting form and guidance on data breach notification on its website.

The processors are required to notify their controller of the breach, without undue delay (Article 33(2) of the UK GDPR).

In the event that the personal data breach is likely to result in a high risk to the rights and freedoms of individual data subjects, those data subjects must be notified without undue delay (Article 34). This is a higher threshold than the 'risk' threshold for notifying the ICO, so a breach may be notifiable to the ICO without also being notifiable to data subjects. A small number of exceptions apply, as set out in Article 34(3) (e.g., where the data was protected by measures such as encryption that render it unintelligible to unauthorized persons, or where notification would involve disproportionate effort; in the latter case, there should be a public communication that informs individuals in an equally effective manner).

7.7. Data retention

The 'storage limitation' principle in Article 5(1)(e) of the UK GDPR states that personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

The exception to this is storage for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in which case the data may be stored for longer periods, subject to the safeguards required by Article 89(1) of the UK GDPR and Section 19 of the Act.

In practice, this means that most organizations need to set retention periods for data and ensure good data hygiene practices, including regular deletion of data at the end of the retention period. Retention periods may be linked to specific statutory requirements (e.g., requirements to hold certain company and financial records) or limitation periods for certain types of claims (e.g., employment tribunal claims).

7.8. Children's data

Children are afforded additional protections by the UK GDPR. For example, where children are being offered an information society service ('ISS') (e.g., via an online social media site) and the ISS wishes to rely upon the child's consent in order to process data, the child will need to be 13, or over, in order to validly provide consent. Where data have been collected by an ISS on the basis of the child's consent, the individual can seek to have their data erased through exercising the right to erasure ('right to be forgotten') in Article 17(1)(f) of the UK GDPR. Data processing involving children will likely be classified as high-risk and require the completion of a DPIA.

The ICO's detailed Guidance on Children and the UK GDPR sets these additional protections out in more detail.

The ICO has also published the Age Appropriate Design: A Code of Practice for Online Services, which addresses issues relating to the processing of children's data and the design of an ISS, such as apps, games, websites, and connected toys.

7.9. Special categories of personal data

The UK GDPR prohibits the processing of 'special category data', as defined in Article 9(1), by default. In order to process 'special category data' lawfully, the controller must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9(2) of the UK GDPR.

These lawful grounds for processing 'special category data' are further supplemented by Schedule 1 of the Act, which sets out a range of more detailed grounds for processing 'special category data', such as 'preventing fraud' (Schedule 1, Part 2, Paragraph 14) or 'standards of behavior in sport' (Schedule 1, Part 2, Paragraph 28). In some cases, as specified in the Act, an appropriate policy document will be necessary for processing the 'special category data'. The requirements for an appropriate policy document are set out in Schedule 1, Part 4 of the Act.

The UK GDPR also prohibits the processing of 'criminal convictions and offenses data' unless authorized by domestic law and subject to safeguards, as defined in Article 10 of the UK GDPR. The conditions for processing 'criminal convictions and offenses data' are set out in Schedule 1, Part 3 of the Act. The safeguards for processing are set out in Schedule 1, Part 4 of the Act and include, where specified, the implementation of an appropriate policy document.

7.10. Controller and processor contracts

Article 28 of the UK GDPR requires a contract (or other binding legal act) to be in place between the controller and the processor, including certain mandatory clauses. This should be in writing, including in electronic form (Article 28(9)).

The contract should contain a description of specific aspects of the data processing, and clauses to address the following elements (Article 28(3)). The processor will:

  • process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by domestic law, in which case the processor shall inform the controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest (Article 28(3)(a));
  • ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b));
  • take all measures required pursuant to Article 32 (i.e. implementing appropriate technical and organizational security measures) (Article 28(3)(c));
  • respect the conditions for engaging a sub-processor set out in Articles 28(2) and (4) (Article 28(3)(d));
  • assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the UK GDPR (Article 28(3)(e));
  • assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor (Article 28(3)(f));
  • at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless domestic law requires the storage of the personal data (Article 28(3)(g)); and
  • make available to the controller all information necessary to demonstrate compliance with the obligations (i.e., in Article 28) and allow for, and contribute to, audits, including inspections, conducted by the controller or another auditor mandated by the controller (Article 28(3)(h)).

8. Data Subject Rights

The data subject rights are set out in Chapter III of the UK GDPR and supplemented by exemptions set out in Schedules 2 to 4 of the Act.

Compliance with each of the data subject rights is subject to the further general requirements set out in Article 12 of the UK GDPR.

This includes the requirements for any communication to a data subject to meet the requirements of transparency (concise, transparent, intelligible, and easily accessible, using clear and plain language, especially for any information addressed specifically to a child).

In addition, the controller must respond without undue delay and in any event within one calendar month of receipt of the request (Article 12(3)). This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, provided that the controller informs the data subject of the extension, and of the reasons for the delay, within one month of receipt of the request.

In the event that the request is manifestly unfounded or excessive, the controller is either entitled to charge a reasonable fee or refuse to act on the request (Article 12(5)).

8.1. Right to be informed

Data subjects have the right to be informed of the ways in which a controller will be processing their personal data.

Under the UK GDPR, controllers are required to provide certain privacy information in relation to data processing where personal data is collected directly from the data subject (under Article 13 of the UK GDPR) and where it is collected indirectly, for example via a third party (under Article 14 of the UK GDPR, subject to the exceptions in Article 14(5), such as where the data subject already has the information or the provision of information proves impossible or would involve a disproportionate effort).

This requirement is frequently met through the provision of a 'privacy notice' or 'privacy policy', e.g., when presented to the data subject or hosted on the controller's website. As with the response to the data subject in relation to other rights, the privacy notice or policy also needs to meet the requirements of transparency set out in Article 12 of the UK GDPR.

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g., where data is being processed in circumstances where it is subject to legal professional privilege).

8.2. Right to access

Data subjects have the right, under Article 15 of the UK GDPR, to obtain access to their personal data and certain information about it through DSARs.

DSARs include:

  • the right for a data subject to obtain from the controller confirmation as to whether or not personal data concerning them is being processed;
  • specified information set out in Articles 15(1) and (2) of the UK GDPR; and
  • access to a copy of the personal data (where the request is made by electronic means, in a commonly used electronic form, unless otherwise requested by the data subject).

The UK GDPR is supplemented by Schedules 2 to 4 of the Act, which set out numerous exemptions from compliance in certain circumstances (e.g., where data is being processed in circumstances where it is subject to legal professional privilege, or where it may prejudice negotiations or the conduct of business in cases where the data relates to management forecasting and planning).

The exercise of the right to access should not adversely affect the rights and freedoms of others, including third parties. Particular care should be taken when determining whether to disclose personal data relating to third parties to the data subject, and controllers should refer to the test in Schedule 2, Part 3, Paragraph 16 of the Act.

8.3. Right to rectification

Data subjects have the right, under Article 16 of the UK GDPR, to obtain rectification of inaccurate personal data concerning them, and have incomplete data completed by means of a supplementary statement.

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g., data processed for scientific or historical research purposes, or statistical purposes).

8.4. Right to erasure

Data subjects have the right, under Article 17 of the UK GDPR, to obtain erasure of their personal data in certain circumstances (also known as 'the right to be forgotten').

These circumstances in which the right can be exercised are limited, and include cases where:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed (Article 17(1)(a));
  • the data subject withdraws consent on which the processing is based according to Articles 6(1)(a) and 9(2)(a), and where there is no other legal ground for the processing (Article 17(1)(b));
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) (Article 17(1)(c));
  • the personal data have been unlawfully processed (Article 17(1)(d));
  • the personal data have to be erased for compliance with a legal obligation in domestic law (Article 17(1)(e)); or
  • the personal data has been collected in relation to the offer of an ISS referred to in Article 8(1) (Article 17(1)(f)).

There are also a number of exemptions for the controller in Article 17(3) of the UK GDPR, for example, where the processing is necessary for compliance with a legal obligation, or where it is necessary for the establishment, exercise, or defense of legal claims. Further exceptions are set out in Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g., where data is being processed in circumstances where it is subject to legal professional privilege).

Where the controller has made data public and the data subject does exercise the right successfully, the controller will have to take reasonable steps to inform other controllers which are currently processing the data of the erasure request and that it extends to links and copies of the original personal data (see Articles 17(2) and 19).

8.5. Right to object/opt-out

Data subjects have the right, under Article 21 of the UK GDPR, to object to the processing of their personal data in certain circumstances.

The circumstances in which the right can be exercised are limited, and include cases where:

  • the legal basis for processing was Article 6(1)(e) ('public interest') or 6(1)(f) ('legitimate interests'), including profiling based on those provisions, in which case the controller needs to demonstrate compelling legitimate grounds to continue the processing which override the rights of the data subject, or that they are processing for the establishment, exercise, or defense of legal claims (Article 21(1));
  • the purposes for processing are direct marketing (regardless of the legal basis), including profiling, whereby the data subject has the right to object at any time and the data must no longer be processed (Articles 21(2) and (3)); or
  • personal data is processed for scientific or historical research purposes, or statistical purposes pursuant to Article 89(1), in which case the data subject, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21(6)).

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g., where data is being processed for the 'special purposes', including for journalistic purposes).

8.6. Right to data portability

Data subjects have the right, under Article 20 of the UK GDPR, to receive their personal data in a structured, commonly used, and machine-readable format. They also have the right to transmit their personal data to another controller (and can request that the controller transmits it directly, where this is technically feasible).

The right can only be exercised in limited circumstances, including where the processing is based on consent or where it is necessary to perform a contract with the data subject. Also, the right only applies to data processing carried out by automated means.

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g., where data is being processed for the 'special purposes', including the purposes of journalism).

8.7. Right not to be subject to automated decision-making

Data subjects have the right, under Article 22 of the UK GDPR, not to be subject to a decision based on automated processing (including profiling). This right only applies where the decision is based solely on automated processing (i.e., there is no meaningful human intervention), and where the decision produces legal effects or similarly significantly affects them.

The right also does not apply where the automated decision was:

  • necessary for entering into, or performance of, a contract with the data subject (Article 22(2)(a));
  • authorized under provisions of domestic law (and subject to suitable safeguards, as set out in Section 14 of the Act) (Article 22(2)(b)); or
  • based on the data subject's explicit consent (Article 22(2)(c)).

The controller is required to implement suitable safeguards for cases covered by Article 22(2)(a) and (c), including the right for the data subject to obtain human intervention, express their point of view, and appeal the decision.

There are additional safeguards in Article 22(4) where the automated decision-making is based on 'special category data.'

8.8. Other rights

Right to restriction of processing

Data subjects have the right, under Article 18 of the UK GDPR, to obtain the restriction of data processing in certain limited circumstances where:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data (Article 18(1)(a));
  • the processing is unlawful, the data subject opposes the erasure of the personal data, and requests the restriction of use instead (Article 18(1)(b));
  • the controller no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise, or defense of legal claims (Article 18(1)(c)); or
  • the data subject has objected to processing pursuant to Article 21(1), pending the verification of whether the legitimate grounds of the controller override those of the data subject (Article 18(1)(d)).

Where the data subject has exercised their rights successfully, the personal data must, with the exception of storage, only be processed in very limited circumstances, such as with the data subject's consent or for the establishment, exercise, or defense of legal claims (Article 18(2)).

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g., where data is being processed for the 'special purposes', including for journalistic purposes).

9. Penalties

The ICO has a range of powers available to enable it to investigate breaches of the UK GDPR and the Act and to impose penalties. These should be read alongside the ICO's functions in Part 5 of the Act.

These powers are set out in detail in Part 6 of the Act. It should be noted that there is a right to appeal against each of the notices described below to the First-Tier Tribunal (Information Rights) (Section 162 of the Act). The powers are as follows:

Information notices

The information notice requires a controller or processor to provide any information that the ICO reasonably requires, e.g., for the purposes of carrying out an investigation.

It is an offense to provide a false statement in response to an information notice, or to destroy, dispose of, conceal, block, or falsify information.

The ICO can seek an order from a court in the event of non-compliance with a requirement of an information notice.

Assessment notices

The assessment notice requires a controller or processor to permit the ICO to conduct an assessment (i.e., data protection audit) to determine whether or not they have complied with the UK GDPR and the Act.

It is an offense for a person to destroy, dispose of, conceal, block, or falsify information.

The power to issue an assessment notice is also accompanied by further wide-ranging powers, for example, the entry of premises and the inspection of documents and equipment.

Enforcement notices

An enforcement notice requires a controller or processor to take certain steps or to refrain from taking certain steps, as specified in the notice. It is only issued in circumstances where the ICO is satisfied that there has been a failure to comply with the UK GDPR or the Act. The powers under an enforcement notice are also wide-ranging and can include the imposition of a ban on processing under Section 150(3).

Powers of entry and inspection

The ICO can seek a specific warrant in order to enter the premises and conduct further investigations (including without notice). The procedure for obtaining a warrant is set out in Schedule 15 of the Act.

Penalty notices

A penalty notice is only issued in circumstances where the ICO is satisfied that there has been a failure to comply with the UK GDPR or the Act. When imposing the penalty, the ICO has to have regard to the list of factors set out in Article 83 of the UK GDPR (and also as set out in Section 155(3) of the Act).

The maximum amount of a penalty that may be imposed is specified in Article 83 of the UK GDPR or is defined as the 'standard maximum amount'.

The current maximum penalty in Article 83 depends on the provision of the UK GDPR that has been infringed. There are two tiers of potential penalties:

  • for a breach of certain compliance obligations of the controller and processor (e.g., Articles 25 to 39 of the UK GDPR), the maximum penalty is £8.7 million or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and
  • for a breach of core privacy obligations (e.g., breach of the data protection principles under Article 5, non-compliance with data subject rights), the maximum penalty is £17.5 million or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Finally, alongside the civil penalty notice regime, it should also be noted that there are a number of criminal offenses set out in the Act, in particular Sections 170 to 173, which include the offenses of unlawfully obtaining or disclosing personal data to another person without the consent of the controller (Section 170 of the Act) and knowingly or recklessly re-identifying personal data which has been de-identified (Section 171 of the Act). The ICO has the power to pursue prosecution for these offenses in the criminal courts.

9.1 Enforcement decisions

The ICO has taken five particularly significant enforcement decisions under the data protection legislation since the GDPR originally came into force in the UK on May 25, 2018, both in terms of the size of the penalty imposed and the detailed reasoning which was published by the ICO for imposing each fine.

These are as follows:

Penalty notice imposed on British Airways Plc ('BA') (October 2020)

A third-party hacker accessed the BA systems via the login credentials of an employee of a supplier on or around June 22, 2018 (although BA was not aware of the ongoing cyber incident until notified by a third party in September 2018).

By escalating their privileges within BA's systems, the hacker had within days identified a system that processed payment card details and was logging these in plain text. The hacker was able to access unencrypted information in relation to 108,000 payment cards. Separately from this, the hacker was also able to access the files containing the code for BA's website. By compromising the website, the hacker was able to misdirect customer payment card data to a fake website. In doing so, the hacker was able to harvest payment card details relating to a further 429,612 data subjects.

The ICO found that there were numerous failings to implement appropriate technical and organizational security measures as required by Articles 5(1)(f) and 32 of the UK GDPR. The measures that should have been in place included limiting access to applications, data, and tools to those required for a user's role, and protecting systems with multi-factor authentication, including those used by suppliers.

BA was fined £20 million, which was significantly reduced compared to the originally proposed penalty to take into account mitigating factors.

Penalty notice imposed on Marriott International, Inc. (October 30, 2020)

A third-party hacker had been infiltrating the systems of Starwood Hotels and Resorts Worldwide, Inc. since approximately 2014 and remained undetected until 2018. The company had, by then, been acquired by Marriott.

The hacker was able to access personal data in the form of a number of databases containing guest reservations. In total, the incident affected up to 339 million guest records, of which approximately 7 million were associated with the UK.

The ICO found that there were numerous failings to implement appropriate technical and organizational security measures as required by Articles 5(1)(f) and 32 of the UK GDPR. Despite the hacker having infiltrated the systems prior to the acquisition, the duty for Marriott to keep personal data secure was a continuing one, which meant that they were responsible for the poor security of the legacy systems obtained from Starwood during the acquisition (and the hacker lurking inside them).

Marriott was fined £18.4 million, which was significantly reduced compared to the originally proposed penalty to take into account mitigating factors, including the rapid initial response and notification of data subjects.

Penalty notice imposed on Ticketmaster UK Limited (November 13, 2020)

A third-party hacker managed to compromise a chatbot on Ticketmaster UK's website in February 2018. Numerous banks and credit card providers, as well as customers and security researchers, attempted to notify Ticketmaster of fraudulent activity and/or that there was malicious code on the website. The incident was not fully dealt with until the chatbot was disabled in June 2018.

The compromised personal data included names, payment card numbers, expiry dates, and CVV numbers. 9.4 million customers across Europe were affected, including 1.5 million in the UK. There were 997 complaints from data subjects, including complaints of financial loss.

The ICO found that there were numerous failings to implement appropriate technical and organizational security measures as required by Articles 5(1)(f) and 32 of the UK GDPR. Ticketmaster was found to have failed to assess the risks arising out of the chatbot, implement suitable security measures, and respond to the incident in a timely manner.

Ticketmaster was fined £1.25 million and appealed against the decision to the First-Tier Tribunal (Information Rights). The appeal has been stayed pending the outcome of the group action claim by Ticketmaster customers to be heard in the High Court (which appears to have been settled in February 2022).

Enforcement notice and penalty notice imposed on Clearview AI Inc. (May 26, 2022)

Clearview provided an 'image-matching' service to its customers, which compared an image of interest with a database of stored images, metadata, and URLs. The database (potentially containing up to 20 billion images) comprised personal data that had been 'scraped' from the public-facing internet, including social media.

The ICO inferred from the fact that Clearview had actively marketed its products in the UK (particularly to law enforcement agencies) and that they had been trialed there, that the data of UK residents was present in the database. Clearview had taken no steps to exclude UK residents.

The ICO found that the processing came within the scope of the GDPR and UK GDPR on the basis that this was monitoring of data subjects in the UK (Article 3(2)(b)). There were numerous historic and continuing breaches of GDPR and UK GDPR, including Article 5(1)(a) (fairness, lawfulness, and transparency), Article 6 (lawful basis for processing), and Article 9 (lawful basis for processing special category data). In addition, Clearview had failed to comply with data subject rights and had also failed to conduct a DPIA.

Clearview was fined approximately £7.5 million. Clearview was also required to:

  1. delete the data of UK residents from the database;
  2. refrain from processing any further data of UK residents;
  3. refrain from offering services to UK-based customers; and
  4. not do anything in the future that would fall within items 1 to 3 above without first carrying out a DPIA and providing it to the ICO.

However, Clearview appealed against both the enforcement notice and the fine to the First-Tier Tribunal (Information Rights). Clearview argued that it was based in the US and did not have an 'establishment' for the purposes of the territorial scope of the UK GDPR. It further argued that it was providing services to non-UK/EU law enforcement and/or national security bodies, which was an activity of foreign governments falling outside the material scope of the GDPR. On October 17, 2023, Clearview succeeded in its appeal (Clearview AI Inc v The Information Commissioner [2023] UKFTT 819 (GRC)) against the notices on the basis that the processing was outside of the material scope of Article 2 of the GDPR and was not 'relevant processing' for the purposes of Article 3 of the UK GDPR. On November 17, 2023, the ICO announced that it had sought permission to further appeal the judgment.

Penalty notice imposed on TikTok Inc. and TikTok Limited (May 15, 2023)

TikTok provided social media services, and in the course of doing so, processed personal data of UK users (particularly children). The ICO estimates that up to 1.4 million children in the UK under 13 years of age were allowed to use the TikTok platform without adequate consent. The data was used to support the provision and functionality of TikTok's services and to monetize those services, including by providing targeted advertising and offering in-app purchases.

TikTok was found to have breached the UK GDPR in several respects, including:

  • TikTok provided its services to UK users under 13 years of age without consent given or authorized by the holder of parental responsibility and failed to make reasonable efforts to ensure that consent was given or authorized for underage child users (contrary to Article 8 of the UK GDPR);
  • TikTok failed to provide concise, transparent, intelligible, and easily accessible privacy information that complied with transparency requirements, particularly in the case of children, and further failed to provide mandatory privacy information which was required (contrary to Article 13 of the UK GDPR); and
  • in failing to comply with the above requirements, TikTok consequently failed to ensure that the personal data of its UK users was processed in a lawful, fair, and transparent manner (contrary to Article 5(1)(a) of the UK GDPR).

TikTok was fined £12.7 million for the breaches of data protection law. TikTok is appealing the fine to the First-Tier Tribunal (Information Rights).
