The General Data Protection Regulation (EU GDPR) is an EU law which came into force on 25 May 2018, alongside the UK Data Protection Act 2018. Following the United Kingdom’s withdrawal from the EU, the UK GDPR came into effect on 1 January 2021.
Thorntons’ specialist Data Protection team are on hand to advise you on your obligations under UK GDPR and other data protection legislation, and can work with your organisation to ensure your compliance and data protection resilience.
The UK GDPR sets out the key principles, rights and obligations for most processing of personal data in the UK.
For individuals, the UK GDPR aims to strengthen individuals’ rights in relation to how their personal data are processed, giving them greater control over their own identity, privacy and interactions with others. For organisations, it aims to remove unnecessary barriers to trade and co-operation and enable the free flow of data, while ensuring proper protections are in place.
The Data Protection Act 2018 sets out the framework for data protection law in the UK. It sits alongside and supplements the UK GDPR. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, provides for certain exemptions, and sets out the functions and powers of the Information Commissioner. The Information Commissioner’s Office (the ICO) regulates data protection in the UK.
PECR - If your organisation processes any personal data in relation to electronic marketing, cookies and location data, it must also comply with the Privacy and Electronic Communications Regulations (PECR).
EU GDPR - You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. If your organisation has no establishment in the EU but offers goods or services to, or monitors the behaviour of, individuals there, you may also need to appoint an EU Representative under the EU GDPR.
Personal data is defined as information relating to individuals:
- Who are identified or identifiable directly from the information in question, or
- Who can be indirectly identified from that information in combination with other information
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
Information about companies or public authorities is not personal data. However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
Anyone using personal data does so in one of two roles: Controller or Processor. A Controller determines, either jointly or alone, the purposes and means of processing, in other words the why and how of processing. A Processor, on the other hand, processes personal data on behalf of the Controller. It is important to understand the different roles as the law treats them differently. See the following question and answer for Processors’ data protection responsibilities.
When using personal data, Controllers must comply with the data protection principles. Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept for no longer than is necessary
- Kept secure, using organisational, contractual and technical measures appropriate to your processing activity and resources
This involves ensuring the correct policies, procedures, notices and records are in place to document processing activity and compliance across the organisation. An example of this may be undertaking Data Protection Impact Assessments where required. Controllers may also be required to appoint a Data Protection Officer to support good data protection compliance across the organisation.
A Processor is any entity which processes personal data on behalf of the Controller. They act on behalf of, and only on the instructions of, the relevant Controller.
Processors may handle a broad range of processing activities on behalf of a Controller, such as:
- Cloud-based data storage
- IT services
- Human resources functions such as payroll
The crucial difference between Controllers and Processors is that Processors exercise no control over what data is collected and what it is used for; they merely facilitate the collection of data and use it for set purposes decided by the Controller.
If you are a Processor, you do not have the same obligations as a Controller under the UK GDPR but you do have a number of direct obligations of your own. These include:
- Requirements to only process personal data according to the Controller's instructions
- Restrictions on engaging other Processors
- Requirements to implement appropriate technical and organisational measures to secure personal data
- Data breach notification requirements
- Requirements to appoint a Data Protection Officer in certain situations
- Restrictions on transferring personal data outside the UK
- Record-keeping requirements
The UK GDPR provides individual data subjects with a range of rights, with the most common being the right to access their personal data. Individuals can exercise these rights at any time and the Data Controller has one month to respond, which can be extended by a further two months in certain circumstances.
If your organisation fails to handle data subject rights requests appropriately, it could face a penalty of up to the greater of 4% of global annual turnover or £17.5 million. Our Data Protection team can support your organisation with handling data subject rights requests, including redaction.
Mishandling of personal data is likely to result in an infringement of the rights of individuals, a breakdown of trust your staff, clients or customers have in your organisation, reputational damage, and may lead to a personal data breach.
A serious mishandling of personal data could lead to a penalty being imposed by the UK regulator, the Information Commissioner’s Office (ICO), of up to the greater of 4% of global annual turnover or £17.5 million. The ICO also has wider investigatory and corrective powers, as well as the power under the Privacy and Electronic Communications Regulations 2003 to impose a monetary penalty on a Data Controller of up to £500,000. Our Data Protection team can support your organisation with mitigating the risk of a personal data breach and ensuring an effective response if there is a breach.
We have a team of experienced data protection lawyers and data protection compliance professionals with years of experience available to help your organisation ensure its data protection compliance, mitigate the risk of data breaches and build effective data protection governance.
We offer a range of Data Protection Support Services, including compliance gap analysis, training courses, support dealing with data subject rights and help in handling any data breach.
If you need more than ad hoc support, Thorntons provides a flexible, tailored outsourced specialist Data Protection Officer (DPO) Service to organisations for a fixed monthly fee. Available both to those who are required by law to have a DPO and to those who appoint one voluntarily, our bespoke package is built around your organisation’s needs.
Please call our specialist Data Protection team on 03330 430350 for practical advice and support on how Thorntons can assist you with ensuring your organisation complies fully with the UK GDPR. Or complete our online enquiry form and an expert in our Data Protection team will call you back.