Data Protection and the New UK GDPR Landscape
Ebook, 186 pages, 2 hours

About this ebook

With the United Kingdom’s exit from the European Union now confirmed, this new Special Report provides a practical explanation of data protection laws as they will exist in a post-EU environment. GDPR will continue, and will be known as UK GDPR, reinforced by additional legislation specific to UK circumstances.

Data Protection: The New UK GDPR Landscape takes the reader through the key principles of data protection law and explores the scope of UK legislation and how to assure compliance with the law. Also featured are important recent developments including the Morrisons data breach case and the ECJ judgment on data transfers under the US/UK Privacy Shield.

Chapters will cover:

a brief history of UK data protection law
understanding terminology and how it is used
the key data protection principles
what it means to be a data controller or data processor
transparency – how to draft privacy policies
what is special about ‘special category data’?
children’s data – duties reflecting the position of children
international data transfers – the new UK approach
information governance – what the law expects
managing subject access rights
artificial intelligence and data protection – the tension between innovation and privacy
the likely future pathway for data protection in the UK

Each topic is illustrated with case studies and references to relevant case law.

This Special Report will be of interest to in-house counsel and individuals responsible for personal data management and governance, including data protection officers and anyone with responsibility for data systems and infrastructure at a senior level.
Language: English
Release date: Feb 22, 2021
ISBN: 9781787423718

    Book preview

    Data Protection and the New UK GDPR Landscape - Frank Suttie

    Author

    Frank Suttie

    Managing director

    Sian O’Neill

    Data Protection and the New UK GDPR Landscape is published by

    Globe Law and Business Ltd

    3 Mylor Close

    Horsell

    Woking

    Surrey GU21 4DD

    United Kingdom

    Tel: +44 20 3745 4770

    www.globelawandbusiness.com

    Printed and bound in Great Britain by Ashford Colour Press Ltd

    Data Protection and the New UK GDPR Landscape

    ISBN 9781787423701

    EPUB ISBN 9781787423718

    Adobe PDF ISBN 9781787423725

    Mobi ISBN 9781787423732

    © 2021 Globe Law and Business Ltd except where otherwise indicated.

    The right of Frank Suttie to be identified as author of this work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

    All rights reserved. No part of this publication may be reproduced in any material form (including photocopying, storing in any medium by electronic means or transmitting) without the written permission of the copyright owner, except in accordance with the provisions of the Copyright, Designs and Patents Act 1988 or under terms of a licence issued by the Copyright Licensing Agency Ltd, 6–10 Kirby Street, London EC1N 8TS, United Kingdom (www.cla.co.uk, email: licence@cla.co.uk). Applications for the copyright owner’s written permission to reproduce any part of this publication should be addressed to the publisher.

    DISCLAIMER

    This publication is intended as a general guide only. The information and opinions which it contains are not intended to be a comprehensive study, or to provide legal or financial advice, and should not be treated as a substitute for legal advice concerning particular situations. Legal advice should always be sought before taking any action based on the information provided. The publishers bear no responsibility for any errors or omissions contained herein.

    Table of contents

    Introduction

    I. A brief history of data protection in the UK

    II. Personal data, control and processing defined

    III. The key data protection principles

    IV. Demonstrating that processing is lawful

    V. What it means to be a data controller or processor

    VI. Transparency – how to draft privacy notices

    VII. What’s special about ‘special category’ data?

    VIII. Children’s data – taking extra care

    IX. Managing photographs and video personal data

    X. Information governance – what the law expects

    XI. Managing subject access rights

    XII. The role of the Information Commissioner’s Office and data protection enforcement

    XIII. Artificial intelligence and data protection

    XIV. Data protection post-Brexit – the hot topics

    Notes

    Reference sources

    About the author

    About Globe Law and Business

    Introduction

    Why publish a Special Report on data protection laws in the UK?

    The answer is simple. Data protection law has undoubtedly become one of the most important areas of our legal system due to the vast advances in technology that have taken place over some three decades now, which in turn have led to the collation and processing of huge amounts of data.

    It is also a particularly controversial area of our legal system, with privacy interest groups pitted against innovators and entrepreneurs, all working tirelessly, and with privacy campaigners seemingly responding to every new technological development with demands for ever-greater controls over data.

    It is this background that has shaped our privacy laws. We saw by far the greatest step change in our data protection legislation in May 2018 with the coming into effect of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – a piece of legislation better known as the General Data Protection Regulation or GDPR. This reworking and further development of the law relating to the privacy of the individual proved so significant that the acronym GDPR instantly entered our vocabulary – and, as we shall see, remains in our vocabulary even after the exit of the UK from the EU.

    The GDPR has presented business owners, management teams, public authorities and even the smallest of charities with significant new compliance obligations. Many of those affected struggle to put in place internal resources to ensure that they meet the compliance requirements; they have therefore recourse – more than they perhaps wish to – to professional advisers to draft privacy notices and advise them on data breaches. The call upon the time of professional advisers in May 2018 was significant, with many of them tested on their own understanding of an area of law that is, for many, easy neither to assimilate nor to relate to in a way that leads to sound legal advice.

    This Special Report is intended to support the process of giving that sound advice. Focus is on the key deliverables expected of an adviser – understanding just what personal data is (not as straightforward as it may sound), how to draft effective and compliant privacy notices and how to respond to the expectations of data subjects when rights afforded to individuals are exercised.

    The report covers many other topics, some in areas that businesses and others affected struggle with, in the author’s experience. To give one example: the particularly onerous process that a data controller should undertake when entrusting another party with personal data for processing.

    To maintain the readability of this Special Report and in recognition that this is not a textbook, a number of subjects are covered only briefly. With this in mind, tribute can be paid to the Information Commissioner’s Office (ICO) which, as part of its responsibilities, has worked hard to further develop the data protection landscape not just through guidance and enforcement, but also through education. Some of the references quoted in this report will take the reader to the ICO’s online resources. These are presented in a particularly effective way, providing self-assessment questions around compliance and steering the reader towards even deeper understanding of the compliance expectations that the ICO has.

    This Special Report was completed in early January 2021, just as the EU-UK Trade and Cooperation Agreement entered into provisional effect as a treaty between EU member states and the UK. While it was hoped that issues relating to the continued transfer of personal data between EU member states (and also those comprising the European Economic Area (EEA)) would be addressed within the same timescale through an EU ‘adequacy’ decision,¹ this outcome has not been achieved. An interim period has been agreed² during which personal data may continue to be passed from the EEA to the UK for processing pending the conclusion of deliberations within the EU concerning whether the UK privacy laws meet the standards required for an adequacy decision.

    This Special Report reflects the way data protection legislation will apply in the UK now that the country has left the EU. An EU adequacy decision in relation to the UK data protection legislation is expected to be taken and, as is explained in this publication, a grace period of up to six months has been provided for. Should an EU adequacy decision not be achieved, the procedures referred to in this report concerning international transfers to third countries will be relevant to the processing of personal data within the UK of data originating from the EU.

    I. A brief history of data protection in the UK

    1. Introduction

    Concern over the privacy of individuals has existed for longer than might be thought. Even before the emergence of computers, activists were lobbying for personal privacy. Evidence exists, for example,³ in the form of a treatise – The Right to Privacy – in which the authors (US lawyers Samuel D Warren and Louis D Brandeis) promoted the concept of privacy as being a right to be left alone.

    Jump forward to 1948 and the legacy of the Second World War begins to influence matters of privacy with the adoption of the Universal Declaration of Human Rights.

    The emergence of affordable information technology in the 1970s then led to an exponential growth in the collection and storage of data – including personal data. Slowly but surely, momentum in the promotion of personal privacy and the protection of personal data began to rise as a socially significant issue, rapidly becoming a challenge presented by society to governments across the world.

    In 1980 the Organisation for Economic Co-Operation and Development became one of the first global organisations to appreciate and address the significance of the need to take measures to protect personal data in order to counter-balance the fast-increasing opportunities to exploit data collected from, or relating to, individuals.

    A year later the Council of Europe adopted the Data Protection Convention.⁴ This treaty effectively marked the beginning of the period in which European countries started to address just exactly what legislative measures should be adopted at national level. In many ways, Europe has led the way in the development of data protection legislation.

    At a national level, it is arguably the UK that led the way in creating a legal regime of personal data protection with the enactment of the Data Protection Act 1984. That statute set out a basic framework of compliance requirements at a time when the internet was still, in relative terms, in its infancy and the capability to store data was limited.

    The 1984 act introduced a series of principles to be followed when personal data was being processed, created a number of offences associated with compliance duties and introduced a requirement to register with the then Office of the Data Protection Registrar. Perhaps most importantly, the act introduced the principle of compensation for individuals whose personal data had been compromised.

    By far the most significant milestone, though, has been the coordinated efforts of the member states of the European Community (as it then was) leading to the adoption of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data (the European Data Protection Directive). Key concepts that came into existence at that time, and which have played a major role in the continuing development of data protection, included the concept of the individual’s consent being required for the processing of personal data and the development of the scope of protection through the definition of the scope of processing activities. It even introduced, at this relatively early stage, a concept that some data processed concerning an individual would carry with it particular sensitivities.

    To create a collaborative network of regulators across the EU, Article 29 of the European Data Protection Directive provided for the creation of a committee which became known as the Article 29 Working Party. The aim of the working party was to provide expert advice to member states, secure as much consistency as possible in relation to the application of the directive and fulfil various other advisory tasks – including through the publication of guidance material. Under the GDPR, the working party has become the European Data Protection Board.

    The UK adopted the 1995 directive through the enactment of the Data Protection Act 1998, which repealed the Data Protection Act 1984. The outcome was legislation that provided greater protection for personal data linked to the harmonisation of rules relating to the collecting, retaining and processing of personal data
