KNOWLEDGE BASE Data Protection Regulations In the UK
The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.
Brexit Update:
Since the UK officially left the European Union on January 31, 2020, the relationship between the two has evolved and continues to be shaped by the ongoing implementation of the withdrawal agreement.
Key Dates:
-
January 31, 2020: UK officially left the EU and entered a transition period that ended on December 31, 2020.
-
December 31, 2020: The transition period ended, and the UK fully exited the EU single market and customs union.
-
January 1, 2021: The UK-EU Trade and Cooperation Agreement came into effect, outlining the post-Brexit relationship between the two entities.
-
2023/2024 Current: The UK and EU are still navigating the ongoing implementation and potential revisions of their post-Brexit relationship.
It's crucial for businesses operating in either the UK or the EU to stay informed about the latest developments and adjust their operations accordingly.
Data Protection Regulations In the UK
In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success. Data collection, use, and disclosure activities have many risks for both consumers and companies. For consumers, the unauthorized access and use of their personal data could mean identity theft, which can affect every aspect of their lives for many years. For companies, big, medium, and small, a data breach can be ruinous. For a security breach, companies face criminal prosecution, civil penalties, audit, lawsuit liability, extreme expense to notify customers, to investigate the breach, to compensation customers, and update the system to prevent another such breach, and a loss of profits from a decrease in consumer confidence and a negative reputation.
What laws and regulations apply?
Many countries place a huge importance and strict obligations on companies’ collection, use, and disclosure of personal data, the UK has a comprehensive data protection regime in place, which includes the Data Protection Act (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations (PECR). Following Brexit, the UK GDPR became fully operational in January 2020. This regulation effectively replaced the DPA 2018 for most purposes, though both pieces of legislation co-exist in some aspects.
Data Protection Act
To whom and what does the Data Protection Act apply?
Data Controller
The Data Protection Act requires that data controllers ensure that any processing of personal data for which they are responsible complies with the Act. You will be considered a data controller if you, either alone or jointly, determine the purpose for which and the manner in which any personal data are, or are to be, processed. This applies to “persons” recognized by law, which includes individuals, organisations, and corporations, whether incorporated or not.
Data controllers will usually be organisations or corporations, but can be individuals, e.g., self employed individuals. Even if the responsibility is placed on an individual within your organisation or corporation, that individual will be acting on behalf of the organisation, and your organisation will be considered the data controller.
A data processor is any person, other than an employee of the data controller, who processes data on behalf of the data controller. Data processors are not directly subject to the Act. As a data controller, you remain responsible for ensuring all data processing complies with the Act, whether you process personal data in-house or hire or engage a data processor. If processing personal data is required by law, the person required to process the data is considered the data controller.
Most, if not all, data processors will also be data controllers, because of the processing they do for their own administrative purposes.
Personal Data
The UK GDPR only applies to information defined as personal data. In general, determining what information is considered data under the UK GDPR is relatively straight forward; it is 1) information processed, or intended to be processed, wholly or partially by automatic means, e.g., a computer, or 2) information processed by means other than automatic that forms part of, or is intended to form part of, a relevant filing system, e.g., manual information in a filing system. Data is considered personal if it relates to an identified or identifiable individual. The UK government is currently proposing a new bill, the Data Protection and Digital Information Bill, that may bring further changes to data protection laws. However, it's not yet law, and the core principles of personal data definition are expected to remain consistent.
Processing
The UK GDPR applies to the processing of personal data. Processing means obtaining, recording, or holding information or data or carrying out any operation or set of operations on the information or data, including: organisation, adaptation, alteration, retrieval, consultation, or use of the information or data, disclosure by transmission, dissemination, or otherwise making the information or data available, or alignment, combination, blocking, erasure, or destruction of the information or data.
The definition of processing is so broad, it is difficult to think of anything an organisation might do with information or data that would not be considered processing.
How do I comply with the UK GDPR?
Schedule 1 to the UK GDPR lists the following 8 data protection principles:
-
Understand the GDPR & Data Protection Act:
Begin by thoroughly understanding the core principles and requirements of the UK GDPR and the Data Protection Act 2018 (DPA 2018). You can find official texts and guidance from the Information Commissioner's Office (ICO).
-
Identify Personal Data & Processing Activities:
Map out all personal data your organization collects, stores, and processes. This includes identifying data sources, types of data collected, and the purposes for which you use it. Clearly define all processing activities you perform on the data.
-
Implement Data Protection Principles:
Ensure your data handling practices follow the seven data protection principles of the UK GDPR:
-
Lawfulness, fairness, and transparency
-
Purpose limitation
-
Data minimization
-
Accuracy
-
Storage limitation
-
Integrity and security
-
Accountability
4. Conduct Data Protection Impact Assessments (DPIAs):
For high-risk processing activities (e.g., large-scale profiling, sensitive data collection), conduct DPIAs to identify and mitigate potential risks to individuals' privacy.
5. Implement Appropriate Technical & Organizational Measures (TOMs):
Put in place robust technical and organizational measures to safeguard personal data from unauthorized access, loss, or misuse. This includes secure storage, access controls, encryption, and incident response plans.
6. Establish Data Subject Rights Mechanisms:
Ensure individuals can exercise their rights under the UK GDPR, such as accessing their data, requesting rectification or erasure, and restricting processing. Implement clear procedures for handling data subject requests.
7. Appoint a Data Protection Officer (DPO) (if required):
If your organization meets certain criteria (e.g., large-scale processing of sensitive data), appoint a qualified Data Protection Officer (DPO) responsible for overseeing data protection compliance.
8. Stay Updated & Seek Expert Advice:
The UK GDPR landscape is constantly evolving. Regularly check for updates and amendments through the ICO website and consider seeking expert advice from data protection professionals for complex compliance matters.
The Data Sharing Code of Practice is a statutory code that provides advice to organisations that share data, either on an on-going basis, e.g., data sharing arrangement, or an ad hoc basis, e.g., single request for data.
As an employer, you are responsible for the protection of your employees’ personal data. The Employment Practices Code and the Quick Guide to the Employment Practices Code provide guidance to keep you within the law.
What are the risks of noncompliance?
The Information Commissioner’s Office (ICO) is tasked with compliance of the UK GDPR and the DPA. The ICO has a variety of enforcement mechanisms, which include: a notice of non-compliance, audits, monetary penalties of £17.5 million or 4% of global annual turnover (whichever is higher), and criminal prosecution. The ICO published a Guide on how it deals with complaints and a Data Protection Regulatory Action Policy. The ICO also publishes quarterly data breach trends.
Privacy and Electronic Communications (EC Directive) Regulations
The Privacy and Electronic Communications (EC Directive) Regulations complement the existing data protection regime and set out more specific privacy rights on electronic communications. PECR was derived from European law, it implemented the European Directive, 2002/58/EC. PECR has been updated twice, the 2004 Amendment changed rules on marketing calls to companies and the 2011 Amendment changed rules on cookies, reporting security breaches, and the Information Commissioner's Office’s enforcement powers. Following Brexit, the UK enacted the UK PECR in 2023, which remains largely aligned with the EU Directive but with some minor differences.
To whom and what do the Privacy and Electronic Communications Regulations apply?
The UK PECR applies if you:
-
market by phone, text, email, or fax;
-
use cookies or a similar technology on your website; or
-
compile a telephone (or similar public) directory.
In the context of data protection regulation, the PECR govern the use of cookies. Check out the UK PECR page for information about how the PECR apply to other areas of marketing.
The PECR apply to all cookies, including personal and anonymous. If cookie data is not anonymous, compliance with the Data Protection Act is also required. The PECR also apply to and affect mobile applications. Many applications store data on smart devices and some may also access data on a device, e.g., photos, contacts, etc. Clear information should be provided to users before users click to install an application.
What are the important terms to understand?
What is a cookie? - Cookies, also known as browser cookies or tracking cookies, are small, often encrypted, text files that are downloaded onto the ‘terminal equipment’ (e.g., a computer or smartphone) when a user accesses a website. Cookies allow a website to recognize a user’s device and store information about the user’s preferences and past actions. Cookies are not just created by the website the user is browsing, often called first party cookies, but also, by other websites that run ads, widgets, or other elements being loaded on the page, often called third party cookies. Cookies can expire at the end of a session or they can be stored for longer. Session cookies expire after a browser session. Session cookies can be used to remember what a user has put in a cart or shopping basket or for security reasons when accessing internet banking or webmail. Persistent cookies are stored on a user's’ device in between browsing sessions and can be used to remember a user’s preferences and choices or for targeted advertising.
How do I comply with the UK PECR?
1. Understand Your Obligations:
Applicability: Determine if the UK PECR applies to your activities. It covers electronic communications like email, SMS, cookies, and mobile apps.
Data Types: Identify the types of data you collect and process, including personal data and anonymous cookies. If processing personal data, ensure compliance with the UK GDPR and DPA 2018.
2. Implement Transparency Measures:
Clear Cookie Notice: Provide a clear and accessible cookie notice on your website, explaining the types of cookies used, their purposes, and user control options.
Data Collection Practices: Clearly explain how you collect and use data through your website, mobile app, or other electronic communication channels.
3. Obtain Informed Consent:
Consent Mechanism: Implement a user-friendly consent mechanism for non-essential cookies and data collection in your app. This should be separate from accepting general terms and conditions.
Granular Control: Offer users granular control over their consent, allowing them to choose which types of cookies or data collection they agree to.
Active Opt-In: Require users to actively opt-in to non-essential cookies and data collection. Pre-ticked boxes or implied consent are not valid.
4. Data Protection Practices:
Data Security: Implement robust technical and organizational measures to protect collected data from unauthorized access, loss, or misuse.
Data Retention: Only retain data for as long as necessary for legitimate purposes and in accordance with user consent.
Data Subject Rights: Respect user rights to access, rectify, erase, or restrict the processing of their data.
5. Stay Updated and Informed:
Data Protection and Digital Information Bill: Monitor the progress of this proposed bill, as it may introduce further changes to PECR and cookie regulations.
Essentially, a person setting cookies must:
-
tell people that cookies are being used
-
tell people what the cookies are doing
-
obtain consent to store cookies on a user’s device
Examples
Activities likely to fall within the exception include:
-
A cookie used to remember the goods a user wishes to buy when he proceeds to checkout or adds goods to his shopping cart.
-
Cookies that provide security that is necessary to comply with the security requirements of the seventh data protection principle for an activity that a user requested, like online banking.
-
Cookies that ensure the contents of your page load quickly and effectively by distributing the workload across multiple computers.
Activities unlikely to fall within the exception include:
-
Cookies used for analytical purposes, e.g., to count the number of unique visits to a website.
-
First and third party advertising.
-
Cookies used to recognize a user when they return to a website so that the greeting they received can be tailored.
What are the risks of noncompliance?
The Information Commissioner’s Office is tasked with the enforcement of the PECR. Enforcement can be in the form of a notice to compel an organisation to come into compliance with the PECR and failure to comply with this notice can be a criminal offense. The ICO can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious PECR breaches. The ICO cookie enforcement information can be found on the ICO website.
KNOWLEDGE BASE Data Protection Regulations In the UK