This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in the United Kingdom.
This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
The collection and use of personal data is primarily governed by the Data Protection Act 2018 (DPA 2018), which implements the General Data Protection Regulation (GDPR). It is not sector specific and applies to anyone collecting and using personal data. Personal data is any information relating to an identifiable person who can be directly identified (such as by their name and contact details) or indirectly identified, in particular by reference to an identifier (such as an IP address, cookie data or location data). If a person collects information about individuals for any reason other than its own personal, family or household purposes, it will need to comply with the DPA 2018. The law will catch most businesses and organisations, whatever their size. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
The Information Commissioner's Office (ICO) regulates data protection, provides advice and promotes good practice. It also conducts audits, considers complaints and breach reports, monitors compliance and takes enforcement action where appropriate.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Yes, under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data (known as 'controllers') need to pay a data protection fee to the Information Commissioner's Office (ICO) unless they are exempt. There is a three tier system based on the size of an organisation and how much personal data the organisation is processing. The fee ranges from £40 to £2,900 depending on the number of employees or turnover.
All controllers are regarded by the ICO as eligible to pay a fee in tier 3 unless and until the controller tells the ICO otherwise.
Public authorities categorise themselves according to staff numbers. They do not need to take turnover into account.
There is an exemption where the processing of personal data falls within certain limited purposes such as for staff administration, advertising, marketing and public relations and accounts and records.
A fixed penalty regime (ranging from £400 to £4,000) applies where a controller should have notified and paid the appropriate fee to the ICO and has not. The fixed penalty may be increased to the statutory maximum of £4,350 for controllers in respect of a failure to provide the ICO with sufficient information to determine the appropriate fee/exemption, depending on aggravating factors (for example, a failure to engage or co-operate with the ICO).
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The UK (along with the EU) uses the terms personal data and special category data. These concepts are not identical to the term personally identifiable information (PII).
Personal data is any information relating to an identified or identifiable natural person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors. If a business is considering whether an individual is identifiable the business will need to take into account the information it is processing together with all the means reasonably likely to be used to identify that individual. Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ an individual, the business needs to take into account a range of factors, including the content of the information, the purpose or purposes for which it is processing it and the likely impact or effect of that processing on the individual.
Other key definitions include:
- a 'controller' is the party that determines the purposes and the means by which the personal data is processed. For example, a business decides what data it collects about its employees and how it uses that data; it will be a controller in respect of that data.
- a 'processor' is the person that processes personal data on behalf of the controller. For example, a service provider that provides payroll services for an employer.
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?
A controller will be responsible for, and must be able to demonstrate compliance with, the fundamental data protection principles, namely to:
- process personal data lawfully, fairly and transparently;
- ensure the purposes of processing are specified, explicit and legitimate;
- ensure the processing of personal data is adequate, relevant and not excessive;
- keep personal data accurate and up to date;
- not keep personal data longer than necessary; and
- process personal data in a secure manner.
There is also an overriding principle of accountability. A controller is responsible for and must be able to demonstrate compliance with the principles by having appropriate, documented records, processes, policies and training.
A controller must provide a 'fair processing notice' setting out how the data will be used and disclosed, the lawful basis for the processing and the individual's rights amongst other things. This information should be easily accessible, easy to understand, and in clear and plain language.
A controller must also establish a legal basis for processing personal data, and show that one of the following applies:
- individual has given their consent to the processing;
- processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for the compliance with a legal obligation;
- processing is necessary to protect the vital interest of the data subject or another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (particularly where the data subject is a child).
There are more limited lawful bases for processing special category data, one of which must apply in addition to one of the lawful bases above where the data is special category data. These include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defence of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law. Full details are set out in Article 9 of the GDPR and Parts 1 and 2 of Schedule 1 of the DPA 2018.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
Consent is one of the lawful bases that controllers can rely on to process personal data. It tends to be used where no other lawful basis can be relied upon, as valid consent can be difficult to obtain and it can be withdrawn by the individual. It is also used where the law requires it, for example for direct marketing by email or text (unless the soft opt-in applies).
In order for consent to be valid, it must meet the statutory definition. Consent is defined as:
'any freely given, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.
Consent can be given electronically, in writing or orally. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement/conduct clearly indicating acceptance of the proposed processing. In each case some affirmative action should be given. Silence, pre-ticked boxes or inactivity do not constitute consent.
When special categories of data are being processed consent also needs to be explicit.
For consent to be informed the data subject must be notified at least of the controller's identity and the purposes of processing. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, separate consent should be given for all of the purposes and should be clearly distinguishable.
The data subject will have, and must be informed of the right to withdraw his/her consent at any time. This will not affect the lawfulness of the processing preceding the withdrawal.
Consent may not be considered to be "freely given" if:
- performance of the contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract;
- there is a clear imbalance between the data subject and the controller (e.g. in an employment relationship); or
- the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Records of consents obtained should be kept to demonstrate compliance with the principles.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Sensitive personal data is now called "special categories" of personal data.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (special category data) is prohibited.
There are exceptions to this prohibition. These include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defence of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law. Full details are set out in Article 9 of the GDPR and Parts 1 and 2 of Schedule 1 of the Data Protection Act 2018 (DPA 2018). These contain further details about the circumstances in which these exceptions will be met and where such processing is therefore permitted.
The definition of "special categories" of personal data has been expanded to include biometric data for the purpose of uniquely identifying a natural person, and genetic data. "Data concerning health" has also been specifically defined as "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status". "Wellbeing" data could therefore be caught by the rules regarding the processing of "special category" personal data. References to sexual orientation have also been added to the definition.
Criminal convictions and offences are not included within the definition of special category data; however, the DPA 2018 deals with this type of data in a similar way. In order to process criminal conviction data a controller must have a lawful basis, meet a condition set out in Schedule 1 of the DPA 2018 and comply with the safeguards set out in that Act.
How do the laws in your jurisdiction address children’s PII?
Children need particular protection when their personal data is being collected and processed, as they may be less aware of the risks involved or of their rights. A controller will need to assess the safeguards that it will need to put in place to make sure that the processing is fair and that a lawful basis is met. For example, where consent is the lawful basis for processing, the child's parent or guardian will need to be contacted to consent to the processing. A controller should keep age verification and parental responsibility mechanisms under review to ensure that it is using the most appropriate mechanisms to reduce the risks.
In relation to the offer of online services directly to a child (information society services), if the data subject is a child of at least 13 years old and they have given consent to the processing of his/her personal data, the processing will be lawful. Where the child is below 13 years old, such processing shall be lawful only if consent is given or authorised by the holder of parental responsibility over the child. This will not apply if the information society services offered to the child are preventative or counselling services.
The controller must make reasonable efforts to verify that consent is given or authorised.
Any information and communication addressed to a child in relation to processing should be in clear and plain language that the child can easily understand. Children have the same rights as adults in relation to the processing of their data, and the right to erasure of data is particularly relevant if they gave their consent to the processing when they were a child.
An issue may arise because a different age will apply in different countries, so businesses with a European reach will have to know the location of the child to ensure the right rules can be applied.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Both controllers and processors must maintain a record of processing activities (ROPA) which must be made available to the Information Commissioner's Office (ICO) on request.
The ROPA should contain:
- The name and contact details of the organisation (and where applicable, of other controllers, the organisation representative and their data protection officer).
- The purposes of the processing.
- The lawful basis for the processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of any transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention periods.
- A description of any technical and organisational security measures.
This obligation does not apply to organisations with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or data related to criminal convictions or offences.
To comply with the accountability principle and to meet its privacy by design obligations, a controller must document its processes and policies so that it can demonstrate how it has sought to comply with the data protection principles. It should have a range of policies tailored to its business, such as a data protection policy, a retention and disposal policy, a data breach policy, a marketing policy, consent records, data maps, training materials, and processes to comply with the data protection principles and to enable individuals to exercise their rights.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
A controller must carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to individuals.
If, in the DPIA, a controller identifies a high risk that they cannot mitigate or reduce, they must consult with the Information Commissioner's Office (ICO) prior to commencing the processing. When consulting the ICO, a controller shall provide details of:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- the purposes and means of the intended processing;
- the measures and safeguards provided to protect the rights and freedoms of data subjects;
- where applicable, the contact details of the data protection officer;
- the data protection impact assessment; and
- any other information requested by the ICO.
The ICO will respond within eight weeks of the request for consultation and provide written advice to the controller. Where appropriate the ICO can issue a warning not to process the personal data.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Yes, a data protection impact assessment (DPIA) should be carried out where the intended processing is "likely to result in high risks" to data subjects.
Some examples of when processing is "likely to result in high risks" include:
- a systematic or extensive evaluation of personal aspects identified through means of automated processing, and on which decisions are based that produce legal effects or significantly affect the person;
- processing special categories of data, such as health data, on a large scale or personal data relating to criminal convictions and offences; and
- a systematic monitoring of a publicly accessible area on a large scale.
The current Information Commissioner's Office (ICO) guidance also indicates a DPIA should be conducted if the controller will:
- use innovative technology (in combination with any of the criteria from the European guidelines available on the European Data Protection Board's website);
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data (in combination with any of the criteria from the European guidelines);
- process genetic data (in combination with any of the criteria from the European guidelines);
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behavior;
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
The assessment should be carried out prior to any processing and contain at least:
- a description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks.
The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subject (or their representatives) on the intended processing, and consult the ICO prior to processing where the DPIA indicates the processing will result in a high risk due to the absence of available measures to mitigate the risk.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
A person must appoint a data protection officer (DPO) if:
- it is a public authority or body (except for courts acting in their judicial capacity);
- its core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
- its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. A group of undertakings can select a single DPO providing that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities. The DPO does not have direct statutory liability under the DPA 2018.
If a decision is made to voluntarily appoint a DPO, the business should be aware that the same requirements as to the position and its tasks apply as if the appointment had been mandatory.
The DPO’s tasks are:
- to inform and advise on data protection laws;
- to monitor compliance with data protection laws, and with the business' data protection policies, including training staff and conducting internal audits;
- to advise on, and to monitor, data protection impact assessments;
- to cooperate with the Information Commissioner's Office and other supervisory authorities; and
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Individuals have the right to be informed about the collection and use of their personal data. Transparency is a key requirement.
At the time personal data is obtained from a data subject, a controller must provide the data subject with all of the following privacy information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party where the legitimate interests lawful basis is being used;
- the recipients or categories of recipients of the personal data, if any;
- source of the data;
- retention periods;
- details of the individual's rights, including the right to withdraw consent;
- the right to lodge a complaint with a supervisory authority;
- if there is a statutory or contractual obligation to provide certain details and the consequences of not providing these;
- if automated decision making or profiling is being conducted with meaningful information about the logic used and the intended consequences of the processing; and
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to allow the transfer and where relevant how to obtain a copy.
When personal data is obtained from a source other than the individual it relates to, the individual needs to be provided with the above privacy information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if the controller uses the data to communicate with the individual, at the latest when the first communication takes place; or
- if the controller envisages disclosure to someone else, at the latest when it discloses the data.
The controller must actively provide privacy information to individuals. It can meet this requirement by putting the information on its website, but it must make individuals aware of it and give them an easy way to access it, including at the point of collection of their data. For all audiences, information must be:
- easily accessible; and
- in clear and plain language.
When providing the information to individuals a combination of techniques can be used such as a layered approach to presenting the information, privacy dashboards, just in time notices and icons. It is also good practice to carry out user testing on draft privacy information to get feedback on how easy it is to access and understand. After it is finalised, regular reviews should be carried out to check it remains accurate and up to date. If the controller plans to use personal data for any new purposes, they must update their privacy information and proactively bring any changes to people’s attention.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
Processors do not have the same obligations as controllers and do not have to pay a data protection fee. However, they do have a number of direct obligations of their own.
New statutory obligations are imposed on processors in relation to processing contracts, security measures, security breach notifications, data protection officers and record-keeping.
Processors are also subject to the relevant investigative and corrective powers of a supervisory authority (such as the Information Commissioner's Office) and may be subject to administrative fines or other penalties for breaches of their direct obligations under the Data Protection Act 2018. They may also be contractually liable to the controller for any failure to meet the terms of the agreed contract. This will of course depend on the exact terms of that contract.
Any party can also bring a claim directly against a processor. A processor can be held liable to pay compensation for any damage caused by its processing (including non-material damage such as distress). The processor will only be liable for the damage if:
- they have failed to comply with the provisions specifically relating to processors; or
- they have acted without the controller’s lawful instructions or against those instructions.
Processors will not be liable if they can prove they are not in any way responsible for the event giving rise to the damage.
If processors are required to pay compensation but are not wholly responsible for the damage, they may be able to claim back from the controller the share of the compensation for which they were liable.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
Yes, there are minimum mandatory contractual provisions that data processing clauses/contracts with a processor must contain, which includes an obligation to flow-down those obligations to sub-contractors. Failing to include these is itself a breach. If data is being shared between two independent controllers an appropriate data sharing agreement should be entered into by the parties.
The new contractual commitments to be imposed on processors include assisting with many of the obligations imposed on controllers (such as controllers' obligations to respond to the exercise of data subject rights, data security and other governance obligations).
Processors also have a direct statutory "policing" obligation, to "immediately inform" the controller if, in the processor's opinion, an instruction infringes the Data Protection Act 2018.
A restriction on appointing sub-processors must also be included, whereby sub-processors cannot be engaged without the controller's prior consent. That consent may be general, but if it is general then proposed changes must be notified in advance to give the controller a chance to object. Where a sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of that sub-processor's obligations.
A controller will conduct due diligence on a proposed processor to enable it to show how it has sought to comply with the data protection principles. This will include the security measures that the processor has in place.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorisation from a regulator?)
Transfers of personal data to countries outside the EEA are restricted. These restrictions apply to all transfers, no matter the size of transfer or how often they are carried out.
To enable a restricted transfer to take place a business must first identify whether the transfer is to a country which is covered by an EU Commission “adequacy decision”. Details of such countries can be found on the Information Commissioner's Office's website at www.ico.org.uk. If there is no adequacy decision then the business must put in place an appropriate safeguard to enable the transfer to take place. Most businesses use the EU Commission model contracts; however, there are other mechanisms, such as binding corporate rules for internal group transfers, that can be used.
In the absence of an EU Commission adequacy decision or of appropriate safeguards, a transfer shall only take place if one of the specific derogations/conditions applies, such as: the data subject has given their explicit consent; the transfer is necessary for the performance of a contract; the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims; or the transfer is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally unable to give consent.
It is also still possible to rely on Privacy Shield for transfers to the USA, subject to any potential future case-law challenges.
A controller should consider the impact that Brexit will have on its processing arrangements. In particular, flows of data from the EU to the UK should be assessed and a decision made as to whether adequate safeguards need to be put in place post Brexit. In relation to transfers from the UK to the EU, the UK government has stated that these transfers can continue, as there will be a transitional provision for a UK adequacy decision in respect of the EU countries. Thought should also be given to the data protection regime that will apply to a controller with European operations post Brexit, as it will be subject to both the UK and the European data protection regimes.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. The parties should take into account factors such as the state of the art, implementation costs and the context of processing. Such measures could include pseudonymisation, encryption of personal data and a process for regularly testing the effectiveness of such measures.
Measures should be put in place following an evaluation of the risks in order to prevent unauthorised or accidental processing and to ensure it is possible to establish the precise details of any processing that takes place. The measures must ensure the confidentiality, integrity and availability of the systems and services that process personal data, and the data itself. Such measures should enable the controller to restore the personal data in a timely manner in the event of a physical or technical incident.
Does your jurisdiction impose requirements of data protection by design or default?
Yes, a business must put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is known as data protection by design and by default (often called privacy by design). It means a controller should consider data protection in everything it does and in any new projects, systems and processes (or changes to existing ones).
In essence, this means a business has to integrate data protection into its processing activities and business practices, from the design stage right through the lifecycle. This pro-privacy methodology includes appropriate measures to safeguard data subjects, both when determining the means for processing and when processing personal data. These measures can include the encryption and pseudonymisation of personal data.
It also means that controllers must implement measures to ensure that only personal data which is necessary for each specific purpose is processed. This applies to the amount of personal data, extent of processing and period of storage.
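Pseudonymisation is named above, and in the security-obligations answer, as a measure a controller can adopt, but the way it is implemented decides whether it actually reduces risk. The following is an added example written for this page (it is not from the original guide or from any regulator's guidance). It contrasts an unkeyed hash of an identifier, which anyone who can enumerate plausible inputs can recompute, with an HMAC under a secret key that the controller keeps separately from the pseudonymised data set (that key is the "additional information" which makes re-identification possible only for the controller). The records, email addresses and key are constructed for the example; `pseudonymise_records` and the other function names are this example's own.

```python
"""Pseudonymisation as a technical measure: keyed tokens versus bare hashes.

Added example with constructed data.  Assumption: the key is generated by
the controller and held apart from the pseudonymised data set, so that
the data set alone does not identify anyone.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records; no real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "visits": 3},
    {"email": "bob@example.org", "postcode": "M1 1AE", "visits": 7},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "visits": 1},
]


def new_key() -> bytes:
    """A fresh 256-bit secret.  Store it separately from the data (e.g. in a
    key vault), not in the same table or export as the pseudonymised records."""
    return secrets.token_bytes(32)


def bare_hash_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the identifier.  Looks opaque, but it is a
    deterministic function of the input alone, so it can be recomputed by
    anyone with a list of candidate identifiers."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under the controller's secret key.  Equal inputs still map
    to equal tokens (records for one person stay linkable), but without the
    key the token cannot be recomputed from a guessed identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def guess_from_dictionary(token: str, candidates: Iterable[str]) -> Optional[str]:
    """The attacker's view: hash every candidate identifier and compare.
    Succeeds against bare hashes whenever the true value is in the list."""
    for cand in candidates:
        if hmac.compare_digest(bare_hash_pseudonym(cand), token):
            return cand
    return None


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Return a copy of the records with the direct identifier replaced by a
    keyed token.  The originals are not modified."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != "email"}
        pseudo["subject_token"] = keyed_pseudonym(rec["email"], key)
        out.append(pseudo)
    return out


def reidentify(token: str, known_identifier: str, key: bytes) -> bool:
    """Controller-side check: only someone holding the key can confirm that a
    token belongs to a given identifier (e.g. to service an access request)."""
    return hmac.compare_digest(keyed_pseudonym(known_identifier, key), token)


if __name__ == "__main__":
    key = new_key()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)
    print("pseudonymised:", pseudo)
    print("bare hash reversed:",
          guess_from_dictionary(bare_hash_pseudonym("alice@example.com"),
                                ["alice@example.com", "bob@example.org"]))
    print("keyed token reversed:",
          guess_from_dictionary(pseudo[0]["subject_token"],
                                ["alice@example.com", "bob@example.org"]))
```

The point for a controller is that the secret key, not the hashing step, is what separates "pseudonymised" from "identifiable by anyone with a mailing list". Rotating or destroying the key also gives a simple way to make an analytics extract unlinkable once its retention period ends.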
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Yes. Under the Data Protection Act 2018, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A business should ensure it has robust breach detection, investigation and internal reporting procedures in place to help it determine whether it needs to notify the personal data breach to the relevant supervisory authority (e.g. the Information Commissioner's Office) and the affected individuals about a personal data breach.
A business must keep a record of any personal data breaches, regardless of whether it is required to notify the breach.
A business may also be required to notify a security breach under sector-specific laws such as the Privacy and Electronic Communications Regulations (PECR), the eIDAS Regulation 2014 and the NIS Regulations 2018, which apply to certain service providers.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
The Data Protection Act 2018 introduces a duty on a controller to report certain types of personal data breaches to the relevant supervisory authority.
When a personal data breach has occurred, a business will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then the business must notify the breach to the Information Commissioner's Office (ICO). If it’s unlikely then the business does not have to report it. However, if the business decides it doesn’t need to report the breach, it will need to be able to justify this decision, and will need to keep a record of the breach, the analysis and the decision not to report.
In addition, if a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the business must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
The ‘high risk’ threshold for informing individuals is higher than the threshold for notifying the ICO. The business will need to assess both the severity of the potential or actual impact on individuals as a result of the breach and the likelihood of that impact occurring. The more severe the impact, the higher the risk; the more likely the consequences, the higher the risk. In such cases the business will need to promptly inform those affected, particularly where there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of the breach.
The report to the ICO must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; if it is made later, the reasons for the delay must be given. If the business decides not to notify individuals, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. The ICO has the power to compel a business to inform affected individuals if it considers there is a high risk.
A business must document the facts relating to the breach, its effects and the remedial action taken. This is part of its overall obligation to comply with the accountability principle, and allows the ICO to verify its compliance with its notification duties.
Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
Individuals have a range of rights under the Data Protection Act 2018 (DPA 2018). They have the right to be given a fair processing notice, to access their personal data, to rectify inaccurate or incomplete personal data, and, in certain circumstances, to have their personal data erased, to restrict its use, or to have it transferred to another party.
Where legitimate interests is the lawful basis for processing the data, a data subject can object to the processing in which case the controller must assess whether it can continue to process the data (this is called the legitimate interests balancing test/assessment). An individual has the absolute right to object to receiving direct marketing and to withdraw any consent they have given for a processing activity – if they object or withdraw their consent this must be complied with.
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them unless certain conditions are met.
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their data, and to check that it is doing so lawfully.
The right to have personal data erased is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances, for example: the personal data is no longer necessary for the purpose for which it was originally collected or processed; consent is the lawful basis and the individual withdraws their consent; legitimate interests is the lawful basis, the individual objects to the processing, and there is no overriding legitimate interest to continue it; the processing is for direct marketing purposes and the individual objects to that processing; or the business has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle).
The data subject rights may not apply in certain circumstances (to the extent that applying the right would prejudice/prevent certain purposes) such as where personal data is processed for crime and taxation purposes. The DPA 2018 also contains a number of other exemptions, a number of which are narrowly applied in practice.
Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
A data subject can bring an action against a controller or processor where they consider their rights have been infringed. Proceedings can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. An individual can complain to the Information Commissioner's Office which can take enforcement action along with other relevant supervisory authorities.
Any person who has suffered material or non-material damage as a result of a breach by a controller or processor has the right to receive compensation from the controller or processor for the damage suffered (including for distress).
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
The Information Commissioner's Office (ICO) has a range of powers it can exercise, including restricting or stopping the processing of personal data.
In addition, the ICO can issue fines on a controller or a processor for breach of the obligations that apply to it. There is a two-tier system of fines reflecting the seriousness with which a breach of the specified obligations is viewed. For example, breaches of the principles, the conditions applicable to consent, the lawful basis requirement, individuals' rights and the restricted transfer provisions are subject to the higher tier of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a data protection impact assessment, a processor's obligations, data protection by design and appointing a data protection officer (amongst others) are subject to the lower, standard tier, where the maximum fine is €10,000,000 or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
In issuing a fine the ICO will take account of the nature, gravity and duration of the infringement, any mitigating action taken, previous infringements and the intentional or negligent character of the infringement. The maximum amount of the penalty in sterling is determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given.
The ICO can issue an:
- information notice, requiring any person to provide information the ICO reasonably requires for the purposes of carrying out its functions or investigating suspected failures or offences. Knowingly or recklessly making a false statement in response to an information notice is an offence, and the court can make an order compelling a person to comply with the notice.
- assessment notice, permitting the ICO to assess whether a business has complied with, or is complying with, data protection legislation. This can include allowing the ICO access to specified premises and technology, directing the ICO to specified documents, and explaining those documents.
- enforcement notice, requiring a person to take the steps specified in the notice, to refrain from taking the steps specified in the notice, or both. The notice must include details of what the person has failed, or is failing, to do and the ICO's reasons for reaching that opinion.
An organisation can appeal if it considers that a decision notice issued by the ICO is wrong. It can also appeal against certain other decisions made under the Data Protection Act 2018 (DPA 2018).
Any person who has suffered material or non-material damage (including distress) as a result of an infringement of the DPA 2018 has the right to raise a claim against and the right to receive compensation from a controller or processor for the damage suffered. They can also complain to the ICO and relevant supervisory authorities.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The Data Protection Act 2018 (DPA 2018) sets out exemptions from some of the rights individuals have and the obligations it imposes on a controller. The exemptions are intended to be considered on a case by case basis and if a controller relies on an exemption it should justify and document its reasons for doing so. This is part of the accountability obligation that applies to a controller.
There are a number of different exemptions, which are detailed in Schedules 2 to 4 of the DPA 2018. These exemptions can relieve a controller of some of its obligations, for example in relation to the right to be informed, the right of access, other individual rights and compliance with the data protection principles. How an exemption is applied and its extent will differ depending on the purpose for which a controller is processing the personal data.
Examples of the types of purposes that may rely on an exemption in the DPA 2018 include:
- for the prevention and detection of crime, apprehension and prosecution of offenders and assessment or collection of a tax or duty;
- information required to be disclosed by law or in connection with legal proceedings;
- discharging functions designed to protect the public;
- discharging a regulatory function conferred under specific legislation;
- processing for journalistic, academic, artistic or literary purposes; and
- processing for scientific or historical research purposes or for statistical purposes.
There are also a number of exemptions that relate to the processing of health and social work data in certain circumstances.
Some exemptions only apply to the extent that complying with the DPA 2018 would prejudice the purpose for which a controller is using the data or where it would prevent or seriously impair the controller from processing personal data in a way that is required or necessary for its purpose. If this is not so then a controller must comply with the DPA 2018 as normal. Some exemptions have additional provisions that have to be met before the exemption can be relied upon.
Some types of processing of personal data are not covered by the GDPR. Examples of this (some of which are now covered by parts of the DPA 2018) are:
- personal data that is processed for purely personal or household activity with no connection to a professional or commercial activity. This type of processing is not covered by the DPA 2018;
- processing of personal data by competent authorities for law enforcement purposes, e.g. police investigating a crime. This processing is covered by the rules in Part 3 of the DPA 2018; and
- processing of personal data for the purposes of safeguarding national security or defence. This is covered by Part 2, Chapter 3 of the DPA 2018.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them. This applies where there is no human involvement in the decision-making process. Such a process can only be carried out by an organisation if the decision is:
- necessary for entering into or performance of a contract between the organisation and the individual;
- authorised by law (for example, for the purposes of preventing fraud or tax evasion); or
- based on the individual’s explicit consent.
If special category personal data is involved the business can only carry out such processing:
- if it has the individual’s explicit consent; or
- if the processing is necessary for reasons of substantial public interest.
The controller must notify the data subject in writing as soon as possible that the decision has been based solely on automated processing. The data subject may within 1 month request the controller to reconsider the decision or take a new decision that is not based on automated processing. The controller then has to respond without delay and in any event within 1 month and consider the request.
Please describe any laws addressing email communication or direct marketing?
Marketing activities using personal data have to comply with the Data Protection Act 2018 (DPA 2018) and Privacy and Electronic Communications Regulations (PECR).
Where personal data is processed for the purposes of direct marketing, the data subject has an absolute right to object to the processing. This right should be explicitly brought to the attention of the data subject at the time their data is collected and presented clearly and separately from any other information.
Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).
In addition, PECR contains rules governing marketing by certain methods. For example, electronic mail marketing (such as by email or text message) can only be sent to individuals with their consent unless the soft opt-in applies. There are also rules on telephone marketing, which require numbers to be screened against the Telephone Preference Service.
The soft opt-in applies where the contact details are collected in the context of a sale or a negotiation for a sale and (a) the marketing relates to the same or similar goods or services as those purchased or negotiated; (b) the customer is given a simple means of opting out at the time their details are collected and in every communication thereafter; and (c) the marketing comes directly from the entity that sold, or is negotiating the sale of, the goods or services (i.e. the same entity, not a third party).
When relying on consent to market a business should specify the different methods they want to use eg by email, by text, by fax, by phone or by recorded call. In addition it must ask for specific consent if it wants to pass details to other companies, and it must name or describe those companies in detail.
A business should also keep clear records of consent, and keep a ‘do not contact’ list of anyone who objects, opts out or withdraws their consent.
At the time of writing, a new E-Privacy Regulation is currently being prepared which will impact the above.