Following the end of the Brexit Implementation Period on 31 December 2020, the United Kingdom is no longer subject to the European Union General Data Protection Regulation (GDPR).
Currently, the Data Protection Act (DPA) of 2018 is the primary data protection legislation in the United Kingdom (UK) which amended and replaced the Data Protection Act of 1998. Ever since the UK formally left the European Union (EU), the GDPR has been in a “frozen” state, encapsulated within the DPA 2018, which is now referred to as the UK GDPR. The UK GDPR and DPA 2018 should be read together.
The DPA 2018 comprises a total of seven parts, three of which relate to data processing. Parts 2, 3, and 4 of the DPA 2018 pertain to general processing, processing by law enforcement bodies, and processing by intelligence services, respectively. For the purposes of this article, the focus will be mainly on general processing, which applies to both private companies and public authorities.
So what responsibilities do organizations have in the existing UK data protection legal framework? What are the data subjects’ rights? And what powers do the regulators have? Read on below to learn more:
Here’s how the DPA 2018 applies to organizations:
The UK GDPR and the DPA apply to all forms of automated, structured, or unstructured personal data processing regarding data subjects based in the United Kingdom. Data processing by an individual during a purely personal or household activity is not included.
As far as the DPA and the UK GDPR’s territorial scope is concerned, it can be condensed as follows:
Like all other major data protection laws, the DPA and the UK GDPR place certain obligations and responsibilities over organizations that collect and process users’ data. Some of these responsibilities include the following:
Organizations must have one of the following lawful bases for the processing of personal data:
The UK GDPR and DPA define consent as “freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data”.
Under this description, consent gained from the user can only be valid if it is:
The UK GDPR and the DPA require organizations to undertake standard security measures to protect all collected data appropriately. This includes implementing the following mechanisms:
When a data breach has occurred, organizations are required to assess the severity of the potential or actual impact on individuals as a result of the breach. If the breach is likely to result in a risk to individuals' rights and freedoms, organizations must notify the Information Commissioner's Office (ICO) of the breach without undue delay and no later than 72 hours after having become aware of it.
The report to the ICO must include the following information:
If the data controller fails to notify the ICO within 72 hours, the notification must include an explanation for the delay.
If the data breach is likely to present a “high risk” to the rights and freedoms of individuals, the data controller must also inform the affected data subjects without undue delay.
The communication must include the following:
Data processors are also required to notify personal data breaches to data controllers without undue delay after becoming aware of the personal data breach.
The data controller must appoint a Data Protection Officer (DPO) unless the controller is a court, or other judicial authority, acting in its judicial capacity.
The appointed DPO must have the following:
In case data processing activity is likely to result in a high risk to the rights and freedoms of individuals, the data controller/processor must conduct a data protection impact assessment (DPIA) before beginning the processing of data.
The DPIA must include the following:
The data processor or data controller must maintain a regular record of all processing activities.
Such a record must contain information about how the processing satisfies the lawful basis of processing conditions and how personal data is retained and erased per the policies explained in the UK GDPR and DPA documents.
Cross-border or international data transfers are allowed if there is a legal basis for doing so and one of the following criteria is met:
In the absence of the above mechanisms, the cross-border transfer can take place in any of the following exceptions. These exceptions can be utilized in exceptional cases and not for routine data transfers.
For the purposes of transferring personal data from the UK to third countries, the Secretary of State may specify which third countries ensure an adequate level of data protection. The European Economic Area countries are considered to be adequate. More recently, the Secretary of State presented the international data transfer agreement (IDTA) and the UK addendum to the new EU Standard Contractual Clauses. Here’s a detailed resource for more information on how these two affect data transfers between the UK and the EU.
Here are the data subject rights users are entitled to as per the DPA and the UK GDPR. These rights can be exercised upon a data subject’s request, are subject to certain limited circumstances, and have exemptions as discussed below:
All data subjects have a right to be informed about the collection and usage of their personal data. This right entails giving them precise, unambiguous information about what organizations (as controllers or processors) do with their personal data in concise, easily accessible, and plain language. The right to be informed includes the following:
All users have the right to access and know exactly what information has been collected on them. This includes the following:
The data subject will be informed if his/her personal data is transferred to a third country or an international organization and the safeguards organizations undertake. Moreover, data subjects have a right to obtain a copy of the personal data that is being processed.
The DPA has introduced several exemptions to the right of access. For example, personal data processed for crime- and taxation-related purposes (the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax, duty, or an imposition of a similar nature) is exempt from the right of access. Similarly, there are exemptions to the right of access where personal data relates to legal professional privilege, data to protect the public, or regulatory functions relating to legal services, the health service, and children’s services, and there are further exemptions concerning child abuse data, health, education, and social data, and academic data.
All data subjects have the right to request rectification or modification of any data collected on them if it has become outdated/incorrect/obsolete since it was collected.
All data subjects have the right to request that any data collected on them be deleted and any further data processing be ceased. A data subject can exercise this right in the following circumstances:
All data subjects have the right to receive any data collected on them in a structured, commonly used, and machine-readable format that can be easily accessed via an appropriate electronic device without any hindrance as long as:
All data subjects have the right to request a data processor or data controller to cease all data processing activities related to their data, including direct marketing or scientific or historical research purposes, or statistical purposes. The data processor or data controller must abide by this request unless there are legitimate legal, contractual, and public interest reasons for continuing to do so.
All data subjects can request a restriction on the processing of their personal data in the following cases:
Where a data subject has exercised his/her right to restrict the processing, the data can only be processed with the data subject’s consent or if there is a legitimate reason related to legal claims, protection of the rights of another person, or public interest.
All data subjects have the right to request an end to automated decision-making. This includes profiling which may lead to legal implications for the data subject.
However, data subjects cannot exercise this right under the following circumstances:
If a data subject makes a request for rectification, erasure, or restriction of processing, the data processor or data controller must ensure that it communicates the request to all parties with whom the data subject’s data was previously shared.
However, the data processor or data controller is exempt from making such a communication if it proves impossible or would require a disproportionate effort.
Lastly, the DPA contains exceptions to data subjects’ rights. The aforementioned rights do not apply in situations pertaining to:
The Information Commissioner's Office (ICO) is the primary regulatory authority and holds investigative, corrective, and advisory powers and is responsible for enforcing both the UK GDPR and the DPA 2018 within the British territories.
The ICO’s responsibilities include advising the Parliament, the government, and other institutions and bodies on matters related to legislation on ensuring data subject rights and the processing of personal data. In addition, the ICO is responsible for preparing and presenting to the Parliament an annual report on the types of infringements that took place and the measures that were taken.
The ICO is also responsible for promoting public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing, along with making controllers and processors aware of their obligations. The ICO must also handle complaints lodged by data subjects, adopt standard contractual clauses, and maintain a public register of certification mechanisms and data protection seals and marks.
Furthermore, the ICO also has the power to issue, per its own initiative or on request, opinions related to the protection of personal data to the Parliament, the government, other institutions, and bodies, as well as the general public.
The ICO is also responsible for preparing a code of practice meant to provide practical guidelines related to sharing personal data per data protection legislation’s requirements.
In case of infringements and non-compliance with notices (information, assessment, or enforcement notices), administrative fines can be imposed on an organization or a person. When deciding whether to impose an administrative fine and its amount, various factors are taken into consideration, such as:
The standard maximum amount of penalty that can be imposed is £8,700,000 or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. This penalty is generally imposed in case there is an infringement of obligations of the
The higher amount of penalty is £17,500,000 or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. This penalty is generally imposed when the following are not dealt with as prescribed by the UK GDPR and DPA 2018:
The GDPR often comes across as an intimidating piece of legislation for most organizations, since it places so many responsibilities on them and specifies them in minute detail. The fact that the DPA is supposed to be read alongside the UK GDPR makes compliance for organizations in the UK all the more complicated.
However, it doesn’t necessarily have to be so. An effective way to initiate compliance efforts can be to lay the proper foundations. Some steps that can help tremendously in that regard include the following:
The GDPR remains a formidable piece of data protection legislation. Despite what its detractors might say, it managed to strike the perfect balance between ensuring user privacy and giving organizations enough leeway to appropriately market their products/services to their desired customers.
The UK is a unique case since, despite no longer being part of the EU, its primary data protection legislation, the Data Protection Act of 2018, is supposed to be read alongside the UK GDPR. For organizations hoping to be in complete compliance with the UK’s data protection framework, this can pose a challenge.
Securiti aims to alleviate that issue.
Securiti has built a reputation in the privacy industry by providing enterprises with reliable data compliance and governance solutions. These solutions include DSR automation, cookie management, vendor risk assessments, and data mapping.
Request a demo today and learn more about how Securiti can aid your data compliance efforts in the UK.