UK - Data Protection Overview

March 2022

1. Governing Texts

In the UK, the key pieces of legislation governing data protection are the UK General Data Protection Regulation ('UK GDPR'), the retained domestic version of Regulation (EU) 2016/679, and the Data Protection Act 2018 ('the Act').

The current version of the legislative framework (as amended, following the withdrawal of the UK from the European Union on 31 January 2020) has applied in the UK since 1 January 2021.

In respect of electronic communications (in particular marketing activities), the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR') sit alongside the UK GDPR and the Act, providing a further set of specialised rules.

1.1. Key acts, regulations, directives, bills

The UK GDPR

The key piece of legislation in the UK is the UK GDPR. The UK GDPR sets out core definitions and fundamental data protection principles relating to data processing, the lawful grounds for processing data, as well as certain accountability duties and obligations which apply to both organisations and individuals who process personal data within the scope of the UK GDPR. The UK GDPR also contains certain rights for natural persons who are data subjects, including the right to obtain a legal remedy, such as compensation.

The UK GDPR is effectively the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as amended and incorporated into domestic law by the European Union (Withdrawal) Act 2018, as further amended by the European Union (Withdrawal Agreement) Act 2020 ('the Withdrawal Act') and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 ('the Amendments').

The UK GDPR has applied in the UK since 1 January 2021. A Keeling Schedule setting out the variations between the EU GDPR and the UK GDPR has been published ('the Keeling Schedule').

At the time of writing, the GDPR and the UK GDPR are broadly similar and have parallel regimes, which have not yet diverged significantly. However, the Department for Digital, Culture, Media & Sport ('DCMS') announced, on 10 September 2021, that the UK Government ('the Government') had launched a public consultation on proposed reforms to the data protection framework in the UK. This may lead to future divergence and variance between the two regimes.

The Act

The Act complements and supplements the regime set out in the UK GDPR. In particular, it contains further specific restrictions and derogations of the primary data protection regime (for example, as permitted by Article 23 of the UK GDPR).

The original version of the Act came into force on 25 May 2018. It was amended following Brexit and the current version of the Act has applied in the UK since 1 January 2021. The Keeling Schedule sets out amendments to the Act following 1 January 2021. 

The key sections of the Act which are of relevance to most organisations processing personal data are:

  • Parts 1 and 2: contain further definitions, including of 'public authority', and set out which processing counts as necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority (Section 8);
  • Part 6: contains the enforcement powers of the Information Commissioner's Office ('ICO') and specific criminal offences in UK law relating to personal data;
  • Schedule 1: contains further specific grounds for processing 'special category data' and 'criminal convictions and offences data';
  • Schedules 2 and 3: contain specific exemptions from the UK GDPR, including exemptions applicable to data subject rights requests which are particularly relevant to requests made for access to personal data (data subject access requests ('DSARs')).

The Act also contains provisions relating to processing which falls outside of the material scope of the UK GDPR (as set out in Article 2 of the UK GDPR). This includes:

  • the processing of personal data by a competent authority for any of the law enforcement purposes (see Part 3 of the Act); and
  • the processing of personal data by the intelligence services, as defined (see Part 4 of the Act).

Finally, the Act contains provisions relating to the ICO, including its general functions and statutory codes of practice that the ICO is expected to publish, and provisions relating to the data protection fee to be paid by certain controllers (see Part 5 of the Act).

1.2. Guidelines

The ICO has published a number of guidelines and templates for organisations, in particular the Guide to Data Protection and the Guide to the UK GDPR.

The ICO is also required under the Act to produce four statutory Codes of Practice concerning age appropriate design, data sharing, direct marketing, and journalism. At the time of writing, the Age Appropriate Design Code of Practice and the Data Sharing Code of Practice have been published. The Direct Marketing and Journalism Codes of Practice are still in the process of being produced.

1.3. Case law

The UK GDPR and Act are relatively new pieces of legislation and, as such, there has been limited reported litigation under either piece of legislation providing further content to the legal framework.

The most significant case in terms of impact on the data protection framework is R (Open Rights Group and the3million) v Secretary of State for the Home Department [2021] EWCA Civ 800. The Court of Appeal's judgment had the effect of striking down the Immigration Exemption in Schedule 2 of the Act. This led to the amendment of the exemption itself by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 and the introduction of 'immigration exemption policy documents', effective as of 31 January 2022. The UK Government published an Immigration Exemption Policy Document on 4 February 2022.

There have been a number of (more minor) procedural hearings in the context of data breach claims under the new law, which are instructive to practitioners in this field:

In addition, although decided on the basis of the old law which is no longer in effect, the following significant recent cases are still potentially of relevance to organisations dealing with data protection claims and related privacy issues under the new legislative framework:

2. Scope of Application

2.1. Personal scope

The UK GDPR and the Act apply to the processing of personal data by controllers or processors.

Personal data means information which relates to an identified or identifiable living individual, as defined in Article 4(1) of the UK GDPR and Section 3 of the Act.

The data protection framework does not apply to information relating to deceased individuals, nor does it cover the processing of information which concerns legal persons (such as companies). These matters fall outside of the scope of the UK GDPR and the Act.

2.2. Territorial scope

The UK GDPR and the Act apply both to processing of personal data taking place within the territory of the UK and extraterritorially, in certain circumstances, to processing taking place outside of the UK.

The provisions relating to territorial scope are Article 3 of the UK GDPR and Section 207 of the Act.

The data protection legislation applies to the processing of personal data by a controller or a processor in one of the following contexts:

  • in the context of the activities of an 'establishment' in the UK (regardless of whether or not the actual processing occurs in the UK), whereby the question of whether or not a controller or processor has an 'establishment' can be a complicated one and may include, for example, where there is an office, branch, or subsidiary in the UK;
  • in the context of the processing of personal data of individuals who are (physically present) in the UK by a controller or processor which is not established in the UK, where the processing activities are related to either:
    • the offering of goods and services to those individuals (regardless of whether a payment is charged for these services or not), which could include targeting a retail or social media website to individuals in the UK through the use of local currency or language; or
    • the monitoring of their behaviour, so far as the behaviour takes place in the UK, which could include building profiles of individuals through the use of cookies, in order to better target advertising to them; and
  • in the context of the processing of personal data by a controller which is not established in the UK, where domestic law applies by virtue of public international law.

2.3. Material scope

The UK GDPR and the Act apply to the automated or structured processing of personal data (including 'special category data' and 'criminal convictions and offences data', as further covered by Articles 9 and 10 of the UK GDPR, respectively). This includes:

  • the processing of personal data wholly or partly by automated means, which is not further defined, but is likely to include any processing by computers or other technologies; and
  • the processing of personal data other than by automated means which forms part of a filing system, or is intended to form part of a filing system, which is likely to include e.g. organised paper files, or contact lists and address books.

In the case of public authorities subject to the Freedom of Information Act 2000, the Act also extends the regime to manual unstructured processing of personal data.

The provisions relating to material scope are contained in Article 2 of the UK GDPR.

The UK GDPR does not apply to the processing of personal data by an individual in the course of a purely personal or household activity (Article 2(2) of the UK GDPR).

As the UK GDPR and the Act apply to the personal data of a living individual who can be identified, directly or indirectly, they do not apply to information which has been anonymised. However, whilst the UK GDPR includes a definition of 'pseudonymisation', it should be noted that it does not contain a specific definition of 'anonymisation'.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The ICO is the data protection regulator in the UK and is entrusted with responsibilities and functions pursuant to Article 51 of the UK GDPR and Section 115 of the Act, as well as the more detailed functions and duties described below.

3.2. Main powers, duties and responsibilities

The tasks and powers of the ICO are set out in Articles 57 and 58 of the UK GDPR, respectively.

The ICO's main duties are to monitor and enforce the UK GDPR, including handling complaints from data subjects and conducting investigations. It is also entrusted with the responsibility for providing controllers and processors with advice where required (e.g. under Article 36 when consultation with the ICO is required in relation to a Data Protection Impact Assessment ('DPIA')) and for promulgating certain guidance and documents, such as codes of conduct and Standard Contractual Clauses ('SCCs').

The ICO's investigative and corrective powers are wide-reaching and include the power to conduct an audit of a controller or processor, to search premises, to issue warnings, reprimands, and fines, to impose limitations and bans on processing, to suspend international data flows, and to require certain communications to be made to data subjects.

The ICO also has advisory and authorisation powers and can approve (for example) safeguards for international data transfers, such as Binding Corporate Rules ('BCRs').

The Act supplements the tasks and powers which are set out in the UK GDPR, as follows:

  • Part 5 of the Act contains further specific provisions which supplement the ICO's duties and powers, including safeguards imposed on the exercise of the ICO's powers; and
  • Part 6 of the Act sets out the enforcement powers of the ICO in detail, including powers to impose information notices, assessment notices, enforcement and penalty notices, as well as powers of entry and inspection, and the specific criminal offences which the ICO has power to prosecute in the UK.

The ICO is required to carry out its tasks and exercise its powers with complete independence (Article 52 of the UK GDPR).

4. Key Definitions

Personal data: 'Personal data' means any information relating to an identified or identifiable living natural person (Article 4(1) of the UK GDPR and Sections 3(2) and 3(3) of the Act).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive data: The UK GDPR and the Act contain two 'categories' of 'sensitive data', which are subject to additional safeguards (Articles 9 and 10 of the UK GDPR and Sections 10 and 11 of the Act).

The first category is 'special category data', which means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

The second category is 'criminal convictions and offences data'. This includes personal data relating to both:

  • the alleged commission of offences by the individual; and
  • proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Data controller: 'Data controller' means the natural or legal person, public authority, agency, or other body which (alone or jointly with others) decides on the purposes and means of processing of personal data (Article 4(7) of the UK GDPR).

Data processor: 'Data processor' means the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (i.e. on their instructions and usually pursuant to a written contract) (Article 4(8) of the UK GDPR).

Data subject: 'Data subject' means the identified or identifiable natural person, whose personal data is being processed and to whom personal data relates (Article 4(1) of the UK GDPR and Section 3(5) of the Act).

Biometric data: 'Biometric data' means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the UK GDPR).

Health data: 'Health data' or 'data concerning health' (the term used in the UK GDPR) means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status (Article 4(15) of the UK GDPR).

Pseudonymisation: 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 4(5) of the UK GDPR). 
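The Article 4(5) definition turns on one technical point: the data can still be linked (the same person always maps to the same token), but attribution to a person needs 'additional information' that is held apart from the dataset. The following is an added example, not part of the original DataGuidance text, showing that split in code. The additional information is a secret key used with HMAC-SHA256, and a separate key-holding component stands in for the organisational separation; the sample records, guess list and component names are constructed for illustration. It also shows why an unkeyed hash of a low-entropy identifier does not meet the definition: anyone can recompute it over a guess list and re-identify the token.

```python
"""Pseudonymisation (Article 4(5) UK GDPR) worked as code.

Added example, not part of the page it accompanies. The 'additional
information' kept separately is a secret HMAC key; the KeyHolder class is
an assumed stand-in for the separate component (a KMS or locked-down
service) that holds it. Sample records and the guess list are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: an analytics extract keyed by e-mail address.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.org", "visits": 12},
    {"email": "bob@example.org", "visits": 3},
    {"email": "alice@example.org", "visits": 5},
]

# An attacker's guess list: identifiers drawn from a small space are cheap
# to enumerate, which is what defeats an unkeyed hash.
CANDIDATE_EMAILS = [f"{n}@example.org" for n in ("alice", "bob", "carol", "dave")]


def naive_pseudonymise(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic (so linkable) but anyone can recompute it,
    so it does not separate the token from the identity."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same input -> same token, but the token
    cannot be recomputed or reversed without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify a token by recomputing it over a guess list.
    Returns the matching identifier, or None if no candidate matches."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), token):
            return candidate
    return None


class KeyHolder:
    """The component that holds the additional information (the key).
    Only it can pseudonymise consistently and only it can re-link."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random key by default; a fixed key may be supplied for tests.
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonymise_records(self, records: List[Dict[str, object]]) -> List[Dict[str, object]]:
        """Return copies of the records with the e-mail replaced by a token.
        The output dataset can be handed to analysts without the key."""
        out: List[Dict[str, object]] = []
        for rec in records:
            copy = dict(rec)
            email = str(copy.pop("email"))
            copy["subject_token"] = keyed_pseudonymise(email, self._key)
            out.append(copy)
        return out

    def relink(self, token: str, known_subjects: Iterable[str]) -> Optional[str]:
        """Re-identify a token. Possible only because this component has the key."""
        return dictionary_attack(token, known_subjects,
                                 lambda s: keyed_pseudonymise(s, self._key))


if __name__ == "__main__":
    # Unkeyed hash: the attacker re-identifies alice from the guess list.
    print(dictionary_attack(naive_pseudonymise("alice@example.org"),
                            CANDIDATE_EMAILS, naive_pseudonymise))
    # Keyed scheme: the same guess list yields nothing without the key.
    holder = KeyHolder()
    tokenised = holder.pseudonymise_records(SAMPLE_RECORDS)
    print(dictionary_attack(str(tokenised[0]["subject_token"]),
                            CANDIDATE_EMAILS, naive_pseudonymise))
    # The key holder can still re-link when there is a lawful need to.
    print(holder.relink(str(tokenised[0]["subject_token"]), CANDIDATE_EMAILS))
```

Two practical points follow from the definition. First, the tokenised dataset is still personal data in the controller's hands, because the key exists and re-linking is possible; this is a safeguard, not the anonymisation that would take data outside the framework. Second, the protection is only as good as the separation: if the key sits on the same host, in the same repository or with the same staff as the tokenised data, the 'technical and organisational measures' limb of Article 4(5) is not met.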

5. Legal Bases

5.1. Consent

Consent can be relied upon where it has been given by the data subject for the processing of their personal data for one or more specific purposes (Article 6(1)(a) of the UK GDPR).

For consent to be valid, it will need to meet the specific requirements for consent under Articles 4(11), 7, and 8 (in respect of information society services offered to children) of the UK GDPR.

'Consent' means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them (Article 4(11) of the UK GDPR). The data subject has the right to withdraw their consent at any time (Article 7(3) of the UK GDPR).

It can be relied upon both in respect of 'personal data' under Article 6(1)(a) of the UK GDPR and in respect of 'special category data' under Article 9(2)(a); however, the standard of consent expected for 'special category data' is the higher standard of 'explicit consent'.

Consent can also be relied upon in relation to 'criminal convictions and offences data' (Schedule 1, Part 3, Paragraph 29 of the Act).

5.2. Contract with the data subject

This basis is set out in Article 6(1)(b) of the UK GDPR and can be relied upon where it is necessary for the performance of the contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

If the data includes 'special category data' or 'criminal convictions and offences data', then a further legal basis will be required in addition to this: under Article 9 of the UK GDPR (for 'special category data' only) and/or Schedule 1 of the Act.

5.3. Legal obligations

This basis is set out in Article 6(1)(c) of the UK GDPR and can be relied upon where processing is necessary for compliance with a legal obligation to which the controller is subject.

If the data includes 'special category data' or 'criminal convictions and offences data', then a further legal basis will be required in addition to this: under Article 9 of the UK GDPR (for 'special category data' only) and/or Schedule 1 of the Act.

5.4. Interests of the data subject

This basis is set out in Article 6(1)(d) of the UK GDPR and can be relied upon where processing is necessary in order to protect the vital interests of the data subject, or of another natural person. It is largely envisaged that this will be a residual category of situations related to emergencies.

If the data includes 'special category data', or 'criminal convictions and offences data' then a similar basis is set out in Article 9(2)(c) of the UK GDPR and Schedule 1, Part 3, Paragraph 30 of the Act, respectively, where the data subject is physically or legally incapable of giving consent.

5.5. Public interest

This basis is set out in Article 6(1)(e) of the UK GDPR and can be relied upon where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Under Section 8 of the Act, there is a (non-exhaustive) list of possible functions that would count as being within scope of the 'public interest' legal basis for processing data, including activities necessary for the administration of justice, or an activity that supports or promotes democratic engagement.

If the data includes 'special category data' or 'criminal convictions and offences data', then a further legal basis will be required in addition to this: under Article 9 of the UK GDPR (for 'special category data' only) and/or Schedule 1 of the Act.

5.6. Legitimate interests of the data controller

This basis is set out in Article 6(1)(f) of the UK GDPR and can be relied upon where the processing is necessary for the purposes of the legitimate interests pursued by the controller, or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.

This legal basis does not apply to processing carried out by public authorities in the performance of their tasks (in which case the legal basis under Article 6(1)(e) would be more appropriate to rely upon).

If the data includes 'special category data' or 'criminal convictions and offences data', then a further legal basis will be required in addition to this: under Article 9 of the UK GDPR (for 'special category data' only) and/or Schedule 1 of the Act.

5.7. Legal bases in other instances

The above form the core legal bases that will apply to most personal data processed by a controller.

However, the Act does contain further legal bases that can be relied upon to process more sensitive data, i.e. 'special category data' and 'criminal convictions and offences data'.

The further legal bases are set out in Schedule 1 of the Act and include, for example, in Schedule 1, Part 1, Paragraph 1, a specific legal basis for processing 'special category data' in the employment context, where obligations or rights are imposed by law on the controller or the data subject in connection with employment, social security, or social protection law.

In order to rely upon some legal bases in the Act, an appropriate policy document (as defined in Schedule 1, Part 4) will be required by the controller.

The Act also contains a number of exemptions which apply, including to the requirement to have a 'legal basis' for processing. For example, Schedule 2, Part 5, Paragraph 26 sets out exemptions for the 'special purposes', which include the purposes of journalism. Therefore, in certain circumstances, the requirement for a legal basis will not apply.

Finally, where the controller is engaged in direct marketing, in addition, it will be necessary for a controller to check that the requirements for sending electronic communications to an individual set down by PECR are met (such as prior consent, where applicable).

6. Principles

There are seven data protection principles that govern all data processing, and which are set out in Article 5 of the UK GDPR. Personal data must be:

  • Lawfulness, fairness and transparency principle: Processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5(1)(a));
  • Purpose limitation principle: Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (save for certain archiving purposes, as defined) (Article 5(1)(b));
  • Data minimisation principle: Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c));
  • Accuracy principle: Accurate and, where necessary, kept up to date, whereby every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (Article 5(1)(d));
  • Storage limitation principle: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (save for archiving purposes, as defined) (Article 5(1)(e)); and
  • Integrity and confidentiality principle: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (Article 5(1)(f)).

Finally, the controller is responsible for, and must be able to demonstrate compliance with these principles (e.g. by way of policies and records). This final principle is called the 'accountability' principle (Article 5(2) of the UK GDPR).

7. Controller and Processor Obligations

7.1. Data processing notification

In the UK, controllers are required to pay an annual charge ('the data protection fee') and provide specified information to the ICO. The relevant legislation is the Data Protection (Charges and Information) Regulations 2018, which came into effect on 25 May 2018 and replaced the notification scheme under the previous law.

At present, there are three tiers of data protection fee, ranging from £40 to £2,900. The level of fee depends on the type of organisation, its size, and its turnover (e.g. charities pay the lowest 'tier' of fee, regardless of size and turnover). Certain organisations, such as those which only process personal data for not-for-profit purposes or for maintaining a public register, are exempt from paying a fee. Failure to pay the correct fee where it is due from a controller is punishable by a fine of up to £4,350 (150% of the top tier fee).

The ICO publishes a Data Protection Public Register of fee payers, which can be consulted on its website. The information published to the register includes the name and address of the controller, registration number, tier of fee paid, date paid and expiry/renewal date, any other trading names, contact details for the data protection officer ('DPO') (if applicable), and the DPO's name, if they have consented to this being published.

7.2. Data transfers

There are no data localisation requirements in the UK, that is, the data does not need to be physically kept in the UK.

However, there are stringent requirements for international data transfers of personal data.

Under Article 44 of the UK GDPR, it is required that any international data transfer of personal data to a third country or international organisation should only take place under certain conditions and/or with certain safeguards in place.

These are further set out in Articles 45 to 49 of the UK GDPR and include the following:

Adequacy

A transfer may take place where it is based on adequacy regulations made by the Secretary of State under Section 17A of the Act (Article 45 of the UK GDPR).

At present, the following countries have been deemed 'adequate' in order for transfers to take place from the UK without the requirement for further safeguards:

  • the European Economic Area ('EEA') countries (i.e. the EU Member States and European Free Trade Association ('EFTA') states);
  • EU or EEA institutions, bodies, offices, or agencies;
  • Gibraltar;
  • countries, territories, and sectors covered by the European Commission's ('the Commission') full adequacy decisions (in force as of 31 December 2020) (Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay); and
  • countries subject to the Commission's partial findings of adequacy (in force as of 31 December 2020) concerning Japan (private sector organisations only) and Canada (covering data that is subject to Canada's Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA')).

Finally, it should also be noted that the Commission has adopted an adequacy decision (Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the UK) in favour of the UK, which will allow international data transfers of personal data from the EEA to the UK, based on the current data protection framework.

Safeguards

A transfer may take place where it is subject to appropriate safeguards (Article 46 of the UK GDPR).

In the absence of adequacy regulations, a controller or processor wishing to transfer personal data to a third country or international organisation can only do so if appropriate safeguards are in place, and on the condition that both enforceable data subject rights and legal remedies for data subjects are available.

The appropriate safeguards can be one of the following:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • BCRs in accordance with Article 47 of the UK GDPR;
  • standard data protection clauses specified in regulations made by the Secretary of State under Section 17C of the Act;
  • standard data protection clauses specified in a document issued (and not withdrawn) by the ICO under Section 119A of the Act;
  • an approved code of conduct pursuant to Article 40 of the UK GDPR (together with binding and enforceable commitments to apply the appropriate safeguards); or
  • an approved certification mechanism pursuant to Article 42 of the UK GDPR (together with binding and enforceable commitments to apply the appropriate safeguards).

The ICO has issued a new International Data Transfer Agreement (IDTA) and a new International Data Transfer Addendum to the European Commission SCCs (Addendum). These are due to come into force on 21 March 2022. 

The ICO also has the power to authorise particular contractual clauses between parties, or administrative arrangements between public authorities. 

Derogations

A transfer may take place in limited circumstances and only on specified conditions (Article 49 of the UK GDPR).

In the absence of adequacy regulations and safeguards, as above, a controller or processor wishing to transfer personal data to a third country or international organisation can only do so on the following specified conditions:

  • consent condition: the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a));
  • contract with the data subject condition: the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request (Article 49(1)(b));
  • contract in the interests of the data subject condition: the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (Article 49(1)(c));
  • public interest condition: the transfer is necessary for important reasons of public interest (Article 49(1)(d));
  • legal claims condition: the transfer is necessary for the establishment, exercise, or defence of legal claims (Article 49(1)(e));
  • vital interests condition: the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (Article 49(1)(f)); or
  • public register condition: the transfer is made from a register which according to domestic law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in domestic law for consultation are fulfilled in the particular case (Article 49(1)(g)).

Finally, there is a further derogation where none of the above apply, if the transfer is not repetitive, if it concerns only a limited number of data subjects, if it is necessary for the purposes of compelling legitimate interests pursued by the controller (which are not overridden by the interests or rights and freedoms of the data subject), and if the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. The controller also needs to inform the ICO and the data subject of the transfer and provide specified information (compelling legitimate interests condition) (second subparagraph of Article 49(1)).

7.3. Data processing records

There are separate mandatory requirements for controllers and for processors set out under Article 30 of the UK GDPR to maintain data processing records in writing (including in electronic form).

Controllers

Controllers are required to include the following mandatory information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the DPO;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data has been, or will be, disclosed including recipients in third countries or international organisations; and
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.

Controllers are also required to consider including the following (optional) information:

  • where possible, the envisaged time limits for erasure of the different categories of data; and
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Processors

Processors are required to include the following mandatory information relating to processing activities carried out on behalf of a controller:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the DPO;
  • the categories of processing carried out on behalf of each controller; and
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.

Processors are also required to consider including where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Small organisations (employing fewer than 250 persons) are exempt from the requirement to maintain mandatory data processing records, unless the processing is likely to result in a risk to data subjects, the processing is not occasional, or the processing involves 'special category data' or 'criminal convictions and offences data'.

7.4. Data protection impact assessment

There is a mandatory requirement for controllers to carry out a DPIA in certain circumstances pursuant to Article 35 of the UK GDPR:

  • in any case where the processing is likely to result in a high risk to the rights and freedoms of individuals (Article 35(1));
  • where the controller is using personal data to carry out a systematic and extensive evaluation of personal aspects of individuals based on automated processing (including profiling) and which produces legal effects for (or similarly significantly affects) the individuals (Article 35(3)(a));
  • where the controller is processing 'special category data' or 'criminal convictions and offences data' on a large scale (Article 35(3)(b)); or
  • where the controller is carrying out systematic monitoring of a publicly accessible area on a large scale (Article 35(3)(c)).

The ICO has published a list of processing operations which are likely to result in a high risk, and which therefore require a mandatory DPIA. The ICO has also published Guidance on DPIAs ('the DPIA Guidance'), which explains in particular when a DPIA is required and identifies the following types of processing:

  • innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including artificial intelligence ('AI'));
  • denial of service: decisions about an individual's access to a product, service, opportunity, or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data;
  • large-scale profiling: any profiling of individuals on a large scale;
  • biometrics: any processing of biometric data;
  • genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject;
  • data matching: combining, comparing, or matching personal data obtained from multiple sources;
  • invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 of the UK GDPR would prove impossible or involve disproportionate effort;
  • tracking: processing which involves tracking an individual's geolocation or behaviour, including, but not limited to, the online environment;
  • targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling, or other automated decision-making, or if you intend to offer online services directly to children; and
  • risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardise the health or safety of individuals.

The ICO also has the power to publish a whitelist of processing operations which are exempt from the requirement to conduct a DPIA. No whitelist has been published to date by the ICO.

The DPIA has to contain certain elements as set out in Articles 35(7) to (9), but a single assessment may cover a set of similar processing operations presenting similar risks (e.g. a whole CCTV system for an organisation). Within the DPIA Guidance, the ICO has published a template DPIA, which specifies how to carry out a DPIA.

The controller should seek the advice of a DPO, and may need to consult with the ICO in circumstances where the 'residual risk' of the processing, after taking mitigating measures, is still assessed to be 'high risk' (Article 36 of the UK GDPR).

7.5. Data protection officer appointment

There is a mandatory requirement for controllers and processors to appoint a DPO in certain circumstances pursuant to Article 37 of the UK GDPR:

  • where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale; or
  • where the core activities of the controller or the processor consist of processing on a large scale of 'special category data' or 'criminal convictions and offences data'.

The primary duties of the DPO are to monitor compliance with the UK GDPR, to provide advice to the controller or processor, and to act as a liaison with the ICO. Details relating to the position of the DPO and their tasks are set out in Articles 38 and 39 of the UK GDPR, respectively.

The contact details of the DPO need to be published and also communicated to the ICO (Article 37(7)). The ICO provides an online form for submitting these details.

7.6. Data breach notification

There is a mandatory requirement to notify personal data breaches, in certain circumstances, to both the ICO and to the data subjects affected by the breach. The relevant provisions are set out in Articles 33 (notification to the ICO) and 34 (notification to the data subject) of the UK GDPR.

The duties to notify a data breach are different for a controller and for a processor.

For a controller, it is necessary to notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the data breach. The breach must be notified to the ICO unless it is unlikely to result in a risk to the rights and freedoms of individuals. The elements set out in Article 33(3) of the UK GDPR should be included in the notification. The ICO provides a template form to complete and information on data breach notification on its website.

Processors are required to notify their controller of the breach without undue delay (Article 33(2) of the UK GDPR).

In the event that the personal data breach is likely to result in a high risk to the rights and freedoms of individual data subjects, the latter should be notified without undue delay (Article 34). There are a small number of exceptions that apply as set out in Article 34(3) (e.g. where notification would involve disproportionate effort; however, in that case there should be a public communication to inform individuals in an equally effective manner).

7.7. Data retention

The 'storage limitation' principle in Article 5(1)(e) of the UK GDPR states that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

The only exception to this is storage for certain archiving purposes, including archiving in the public interest, scientific or historical research purposes, or statistical purposes, in which case the data may be held indefinitely, subject to the required safeguards set out in Article 89(1) of the UK GDPR and Section 19 of the Act.

In practice, this means that most organisations need to set retention periods for data and ensure good data hygiene practices, including regular deletion of data at the end of the retention period. Retention periods may be linked to specific statutory requirements (e.g. requirements to hold certain company and financial records) or limitation periods for certain types of claim (e.g. employment tribunal claims).

7.8. Children's data

Children are afforded additional protections by the UK GDPR. For example, where children are being offered an information society service ('ISS') (e.g. via an online social media site) and the ISS wishes to rely upon the child's consent in order to process data, the child will need to be 13 or over in order to validly provide consent. Where data have been collected by an ISS on the basis of the child's consent, the individual can seek to have their data erased by exercising the right to erasure ('right to be forgotten') in Article 17(1)(f) of the UK GDPR. Data processing involving children will likely be classified as high risk and require the completion of a DPIA.

The ICO's detailed Guidance on Children and the UK GDPR sets these additional protections out in more detail.

The ICO has also published the Age Appropriate Design: A Code of Practice for Online Services, which addresses issues relating to the processing of children's data and design of an ISS, such as apps, games, websites, and connected toys.

7.9. Special categories of personal data

The UK GDPR prohibits the processing of 'special category data' as defined in Article 9(1) by default. In order to have lawful grounds to process 'special category data', it is necessary for the controller or processor to rely on the lawful grounds of processing set out in Article 9(2) of the UK GDPR.

These lawful grounds for processing 'special category data' are further supplemented by Schedule 1 of the Act, which sets out a range of more detailed grounds for processing 'special category data', such as 'preventing fraud' (Schedule 1, Part 2, Paragraph 14) or 'standards of behaviour in sport' (Schedule 1, Part 2, Paragraph 28). In some cases, as specified in the Act, an appropriate policy document will be necessary for processing the 'special category data'. The requirements for an appropriate policy document are set out in Schedule 1, Part 4 of the Act.

The UK GDPR also prohibits the processing of 'criminal convictions and offences data' unless authorised by domestic law and subject to safeguards, as set out in Article 10 of the UK GDPR. The conditions for processing 'criminal convictions and offences data' are set out in Schedule 1, Part 3 of the Act. The safeguards for processing are set out in Schedule 1, Part 4 of the Act and include, where specified, the implementation of an appropriate policy document.

7.10. Controller and processor contracts

Article 28 of the UK GDPR requires a contract (or other binding legal act) to be in place between the controller and the processor, including certain mandatory clauses. This should be in writing, including in electronic form (Article 28(9)).

The contract should contain a description of specific aspects of the data processing, and clauses to address the following elements (Article 28(3)). The processor will:

  • process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by domestic law, in which case the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a));
  • ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b));
  • take all measures required pursuant to Article 32 (i.e. implementing appropriate technical and organisational security measures) (Article 28(3)(c));
  • respect the conditions for engaging a subprocessor set out in Articles 28(2) and (4) (Article 28(3)(d));
  • assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the UK GDPR (Article 28(3)(e));
  • assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor (Article 28(3)(f));
  • at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless domestic law requires storage of the personal data (Article 28(3)(g)); and
  • make available to the controller all information necessary to demonstrate compliance with the obligations (i.e. in Article 28) and allow for, and contribute to, audits, including inspections, conducted by the controller or another auditor mandated by the controller (Article 28(3)(h)).

8. Data Subject Rights

The data subject rights are set out in Chapter III of the UK GDPR and supplemented by exemptions set out in Schedules 2 to 4 of the Act.

Compliance with each of the data subject rights is subject to the further general requirements set out in Article 12 of the UK GDPR.

This includes the requirements for any communication to a data subject to meet the requirements of transparency (concise, transparent, intelligible, and easily accessible, using clear and plain language, especially for any information addressed specifically to a child).

In addition, the controller must respond without undue delay and in any event within one calendar month of receipt of the request (Article 12(3)). This period may be extended by two further months, where requests are complex or numerous.

In the event that the request is manifestly unfounded or excessive, the controller is either entitled to charge a reasonable fee or refuse to act on the request (Article 12(5)).

8.1. Right to be informed

Data subjects have the right to be informed of the ways in which a controller will be processing their personal data.

Under the UK GDPR, controllers are required to provide certain privacy information in relation to data processing where personal data is collected directly from the data subject (under Article 13 of the UK GDPR) and where it is collected indirectly, for example via a third party (under Article 14 of the UK GDPR, subject to the exceptions in Article 14(5), such as where the data subject already has the information or the provision of information proves impossible or would involve a disproportionate effort).

This requirement is frequently met through the provision of a 'privacy notice' or 'privacy policy', e.g. when presented to the data subject or hosted on the controller's website. As with the response to the data subject in relation to other rights, the privacy notice or policy also needs to meet the requirements of transparency set out in Article 12 of the UK GDPR.

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g. where data is being processed in circumstances where it is subject to legal professional privilege). 

8.2. Right to access

Data subjects have the right, under Article 15 of the UK GDPR, to obtain access to their personal data and certain information about it through DSARs.

DSARs include:

  • the right for a data subject to obtain from the controller confirmation as to whether or not personal data concerning them is being processed;
  • specified information set out in Articles 15(1) and (2) of the UK GDPR; and
  • access to a copy of the personal data (in a commonly used electronic form, unless otherwise requested).

The UK GDPR is supplemented by Schedules 2 to 4 of the Act, which set out numerous exemptions from compliance in certain circumstances (e.g. where data is being processed in circumstances where it is subject to legal professional privilege, or where it may prejudice negotiations, or the conduct of business in cases where the data relates to management forecasting and planning).

The exercise of the right to access should not adversely affect the rights and freedoms of others, including third parties. Particular care should be taken when determining whether to disclose personal data relating to third parties to the data subject, and controllers should refer to the test in Schedule 2, Part 3, Paragraph 16 of the Act.

8.3. Right to rectification

Data subjects have the right, under Article 16 of the UK GDPR, to obtain rectification of inaccurate personal data concerning them, and have incomplete data completed by means of a supplementary statement.

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g. data processed for scientific or historical research purposes, or statistical purposes).

8.4. Right to erasure

Data subjects have the right, under Article 17 of the UK GDPR, to obtain erasure of their personal data in certain circumstances (also known as 'the right to be forgotten').

The circumstances in which the right can be exercised are limited, and include cases where:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed (Article 17(1)(a));
  • the data subject withdraws consent on which the processing is based according to Articles 6(1)(a) and 9(2)(a), and where there is no other legal ground for the processing (Article 17(1)(b));
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) (Article 17(1)(c));
  • the personal data have been unlawfully processed (Article 17(1)(d));
  • the personal data have to be erased for compliance with a legal obligation in domestic law (Article 17(1)(e)); or
  • the personal data has been collected in relation to the offer of an ISS referred to in Article 8(1) (Article 17(1)(f)).

There are also a number of exemptions for the controller in Article 17(3) of the UK GDPR, for example, where the processing is necessary for compliance with a legal obligation, or where it is necessary for the establishment, exercise, or defence of legal claims. Further exceptions are set out in Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g. where data is being processed in circumstances where it is subject to legal professional privilege). 

Where the controller has made the data public and the data subject exercises the right successfully, the controller will have to take reasonable steps to inform other controllers which are currently processing the data of the erasure request, and that it extends to links to and copies of the original personal data (see Articles 17(2) and 19).

8.5. Right to object/opt-out

Data subjects have the right, under Article 21 of the UK GDPR, to object to processing of their personal data in certain circumstances.

The circumstances in which the right can be exercised are limited, and include cases where:

  • the legal basis for processing was Article 6(1)(e) ('public interest') or 6(1)(f) ('legitimate interests'), including profiling based on those provisions, in which case the controller needs to demonstrate compelling legitimate grounds for continuing the processing which override the rights of the data subject, or that the processing is for the establishment, exercise, or defence of legal claims (Article 21(1));
  • the purposes for processing are direct marketing (regardless of the legal basis), including profiling, in which case the data subject has the right to object at any time and the data must no longer be processed for those purposes (Articles 21(2) and (3)); or
  • personal data is processed for scientific or historical research purposes, or statistical purposes pursuant to Article 89(1), in which case the data subject, on grounds relating to their particular situation, has the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21(6)).

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g. where data is being processed for the 'special purposes', including for journalistic purposes).

8.6. Right to data portability

Data subjects have the right, under Article 20 of the UK GDPR, to receive their personal data in a structured, commonly used, and machine-readable format. They also have the right to transmit their personal data to another controller (and can request that the controller transmits it directly, where this is technically feasible).

The right can only be exercised in limited circumstances, including where the processing is based on consent or where it is necessary to perform a contract with the data subject. Also, the right only applies to data processing carried out by automated means.

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g. where data is being processed for the 'special purposes', including the purposes of journalism). 

8.7. Right not to be subject to automated decision-making

Data subjects have the right, under Article 22 of the UK GDPR, not to be subject to a decision based on automated processing (including profiling). This right only applies where the decision is based solely on automated processing (i.e. there is no meaningful human intervention), and where the decision produces legal effects or similarly significantly affects them.

The right also does not apply where the automated decision was:

  • necessary for entering into, or performance of, a contract with the data subject (Article 22(2)(a));
  • authorised under provisions of domestic law (and subject to suitable safeguards, as set out in Section 14 of the Act) (Article 22(2)(b)); or
  • based on the data subject's explicit consent (Article 22(2)(c)).

The controller is required to implement suitable safeguards for cases covered by Article 22(2)(a) and (c), including the right for the data subject to obtain human intervention, express their point of view, and appeal the decision.

There are additional safeguards in Article 22(4) where the automated decision-making is based on 'special category data'.

8.8. Other rights

Right to restriction of processing

Data subjects have the right, under Article 18 of the UK GDPR, to obtain the restriction of data processing in certain limited circumstances where:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data (Article 18(1)(a));
  • the processing is unlawful, the data subject opposes the erasure of the personal data, and requests the restriction of use instead (Article 18(1)(b));
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise, or defence of legal claims (Article 18(1)(c)); or
  • the data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject (Article 18(1)(d)).

Where the data subject has exercised this right successfully, the personal data must, with the exception of storage, only be processed in very limited circumstances, such as with the data subject's consent or for the establishment, exercise, or defence of legal claims (Article 18(2)).

The UK GDPR is supplemented by Schedules 2 and 3 of the Act, which provide exemptions from compliance in certain circumstances (e.g. where data is being processed for the 'special purposes', including for journalistic purposes). 

9. Penalties

The ICO has a range of powers available to enable it to investigate breaches of the UK GDPR and the Act, and to impose penalties. These should be read alongside the ICO's functions in Part 5 of the Act.

It should be noted that there is a right to appeal against each of the notices described below to the First-tier Tribunal (Information Rights) (Section 162 of the Act).

These powers are set out in detail in Part 6 of the Act, as follows:

Information notices

The information notice requires a controller or processor to provide any information that the ICO reasonably requires, e.g. for the purposes of carrying out an investigation.

It is an offence to provide a false statement in response to an information notice, or to destroy, dispose of, conceal, block, or falsify information.

The ICO can seek an order from a court in the event of non-compliance with a requirement of an information notice.

Assessment notices

The assessment notice requires a controller or processor to permit the ICO to conduct an assessment (i.e. data protection audit) to determine whether or not they have complied with the UK GDPR and the Act.

It is an offence for a person to destroy, dispose of, conceal, block, or falsify information.

The power to issue an assessment notice is also accompanied by further wide-ranging powers, for example the entry of premises and the inspection of documents and equipment.

Enforcement notices

An enforcement notice requires a controller or processor to take certain steps, or to refrain from taking certain steps, as specified in the notice. It is only issued in circumstances where the ICO is satisfied that there has been a failure to comply with the UK GDPR or the Act. The powers under an enforcement notice are also wide-ranging and can include the imposition of a ban on processing under Section 150(3).

Powers of entry and inspection

The ICO can seek a specific warrant in order to enter premises and conduct further investigations (including without notice). The procedure for obtaining a warrant is set out in Schedule 15 of the Act.

Penalty notices

A penalty notice is only issued in circumstances where the ICO is satisfied that there has been a failure to comply with the UK GDPR or the Act. When imposing the penalty, the ICO has to have regard to the list of factors set out in Article 83 of the UK GDPR (and also as set out in Section 155(3) of the Act).

The maximum amount of a penalty that may be imposed is either the amount specified in Article 83 of the UK GDPR or, for other failures, the amount the Act defines as the 'standard maximum amount'.

The current maximum penalty in Article 83 depends on the provision of the UK GDPR that has been infringed. There are two tiers of potential penalty:

  • for a breach of certain compliance obligations of the controller and processor (e.g. Articles 25 to 39 of the UK GDPR), the maximum penalty is £8.7 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and
  • for a breach of core privacy obligations (e.g. breach of the data protection principles under Article 5, or non-compliance with data subject rights), the maximum penalty is £17.5 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Finally, alongside the civil penalty notice regime, it should also be noted that there are a number of criminal offences set out in the Act, in particular in Sections 170 to 173. These include the offences of unlawfully obtaining or disclosing personal data to another person without the consent of the controller (Section 170 of the Act) and of knowingly or recklessly re-identifying personal data which has been de-identified (Section 171 of the Act). The ICO has the power to pursue a prosecution for these offences in the criminal courts.

9.1. Enforcement decisions

The ICO has taken three particularly significant enforcement decisions under the data protection legislation since the GDPR originally came into force in the UK on 25 May 2018, both in terms of the size of penalty imposed and the detailed reasoning which was published by the ICO for imposing each fine.

These are as follows:

Penalty notice imposed on British Airways Plc ('BA')

A third-party hacker accessed the BA systems via the login credentials of an employee of a supplier on, or around, 22 June 2018 (although BA was not aware of the ongoing cyber incident until notified by a third party in September 2018).

Having escalated their privileged access to systems, the hacker within days identified a system which processed payment card details and was logging these in plain text. The hacker was able to access unencrypted information in relation to 108,000 payment cards. Separately from this, the hacker was also able to access the files containing the code for BA's website. By compromising the website, the hacker was able to misdirect customer payment card data to a fake website. In doing so, the hacker was able to harvest payment card details relating to a further 429,612 data subjects.

The ICO found that there were numerous failings to implement appropriate technical and organisational security measures as required by Articles 5(1)(f) and 32 of the UK GDPR. These included failing to limit access to applications, data, and tools to those required for a user's role, and failing to protect systems with multi-factor authentication, including those used by suppliers.

BA was fined £20 million, which was significantly reduced compared to the originally proposed penalty to take into account mitigating factors.

Penalty notice imposed on Marriott International, Inc. (30 October 2020)

A third-party hacker had been infiltrating the systems of Starwood Hotels and Resorts Worldwide, Inc. since approximately 2014 and remained undetected until 2018. The company had, by then, been acquired by Marriott.

The hacker was able to access personal data in the form of a number of databases containing guest reservations. In total, the incident affected up to 339 million guest records, of which approximately 7 million were associated with the UK.

The ICO found that there were numerous failings to implement appropriate technical and organisational security measures as required by Articles 5(1)(f) and 32 of the UK GDPR. Despite the hacker having infiltrated the systems prior to the acquisition, the duty for Marriott to keep personal data secure was a continuing one, which meant that they were responsible for the poor security of the legacy systems obtained from Starwood during the acquisition (and the hacker lurking inside them).

Marriott was fined £18.4 million, which was significantly reduced compared to the originally proposed penalty to take into account mitigating factors, including the rapid initial response and notification of data subjects.

Penalty notice imposed on Ticketmaster UK Limited (13 November 2020)

A third-party hacker managed to compromise a chat bot on Ticketmaster UK's website in February 2018. Numerous banks and credit card providers, as well as customers and security researchers, attempted to notify Ticketmaster of fraudulent activity and/or that there was malicious code on the website. The incident was not fully dealt with until the chat bot was disabled in June 2018.

The compromised personal data included names, payment card numbers, expiry dates, and CVV numbers. 9.4 million customers across Europe were affected, including 1.5 million in the UK. There were 997 complaints from data subjects, including complaints of financial loss.

The ICO found that there were numerous failings to implement appropriate technical and organisational security measures as required by Articles 5(1)(f) and 32 of the UK GDPR. Ticketmaster was found to have failed to assess the risks arising out of the chat bot, to implement suitable security measures, and to respond to the incident in a timely manner.

Ticketmaster was fined £1.25 million.