Data Protection and the New UK GDPR Landscape
By Frank Suttie
About this ebook
Data Protection: The New UK GDPR Landscape takes the reader through the key principles of data protection law and explores the scope of UK legislation and how to assure compliance with the law. Also featured are important recent developments including the Morrisons data breach case and the ECJ judgment on data transfers under the US/UK Privacy Shield.
Chapters will cover:
a brief history of UK data protection law
understanding terminology and how it is used
the key data protection principles
what it means to be a data controller or data processor
transparency – how to draft privacy policies
what is special about ‘special category data’?
children’s data – duties reflecting the position of children
international data transfers – the new UK approach
information governance – what the law expects
managing subject access rights
artificial intelligence and data protection – the tension between innovation and privacy
the likely future pathway for data protection in the UK
Each topic is illustrated with case studies and references to relevant case law.
This Special Report will be of interest to in-house counsel and individuals responsible for personal data management and governance, including data protection officers and anyone with responsibility for data systems and infrastructure at a senior level.
Book preview
Data Protection and the New UK GDPR Landscape
Author
Frank Suttie
Managing director
Sian O’Neill
Data Protection and the New UK GDPR Landscape is published by
Globe Law and Business Ltd
3 Mylor Close
Horsell
Woking
Surrey GU21 4DD
United Kingdom
Tel: +44 20 3745 4770
www.globelawandbusiness.com
Printed and bound in Great Britain by Ashford Colour Press Ltd
Data Protection and the New UK GDPR Landscape
ISBN 9781787423701
EPUB ISBN 9781787423718
Adobe PDF ISBN 9781787423725
Mobi ISBN 9781787423732
© 2021 Globe Law and Business Ltd except where otherwise indicated.
The right of Frank Suttie to be identified as author of this work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced in any material form (including photocopying, storing in any medium by electronic means or transmitting) without the written permission of the copyright owner, except in accordance with the provisions of the Copyright, Designs and Patents Act 1988 or under terms of a licence issued by the Copyright Licensing Agency Ltd, 6–10 Kirby Street, London EC1N 8TS, United Kingdom (www.cla.co.uk, email: licence@cla.co.uk). Applications for the copyright owner’s written permission to reproduce any part of this publication should be addressed to the publisher.
DISCLAIMER
This publication is intended as a general guide only. The information and opinions which it contains are not intended to be a comprehensive study, or to provide legal or financial advice, and should not be treated as a substitute for legal advice concerning particular situations. Legal advice should always be sought before taking any action based on the information provided. The publishers bear no responsibility for any errors or omissions contained herein.
Table of contents
Introduction
I. A brief history of data protection in the UK
II. Personal data, control and processing defined
III. The key data protection principles
IV. Demonstrating that processing is lawful
V. What it means to be a data controller or processor
VI. Transparency – how to draft privacy notices
VII. What’s special about ‘special category’ data?
VIII. Children’s data – taking extra care
IX. Managing photographs and video personal data
X. Information governance – what the law expects
XI. Managing subject access rights
XII. The role of the Information Commissioner’s Office and data protection enforcement
XIII. Artificial intelligence and data protection
XIV. Data protection post-Brexit – the hot topics
Notes
Reference sources
About the author
About Globe Law and Business
Introduction
Why publish a Special Report on data protection laws in the UK?
The answer is simple. Data protection law has undoubtedly become one of the most important areas of our legal system due to the vast advances in technology that have taken place over some three decades now, which in turn have led to the collation and processing of huge amounts of data.
It is also a particularly controversial area of our legal system, with privacy interest groups pitted against innovators and entrepreneurs, all working tirelessly, while privacy campaigners seemingly respond to every new technological development with demands for ever-greater controls over data.
It is this background that has shaped our privacy laws. We saw by far the greatest step change in our data protection legislation in May 2018 with the coming into effect of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – a piece of legislation better known as the General Data Protection Regulation or GDPR. This reworking and further development of the law relating to the privacy of the individual proved so significant that the acronym GDPR instantly entered our vocabulary – and, as we shall see, remains in our vocabulary even after the exit of the UK from the EU.
The GDPR has presented business owners, management teams, public authorities and even the smallest of charities with significant new compliance obligations. Many of those affected struggle to put in place internal resources to ensure that they meet the compliance requirements; they therefore have recourse – more often than they perhaps wish – to professional advisers to draft privacy notices and advise them on data breaches. The call upon the time of professional advisers in May 2018 was significant, with many of them tested on their own understanding of an area of law that is, for many, easy neither to assimilate nor to relate to in a way that leads to sound legal advice.
This Special Report is intended to support the process of giving that sound advice. Focus is on the key deliverables expected of an adviser – understanding just what personal data is (not as straightforward as it may sound), how to draft effective and compliant privacy notices and how to respond to the expectations of data subjects when rights afforded to individuals are exercised.
The report covers many other topics, some in areas that businesses and others affected struggle with, in the author’s experience. To give one example: the particularly onerous process that a data controller should undertake when entrusting another party with personal data for processing.
To maintain the readability of this Special Report and in recognition that this is not a textbook, a number of subjects are covered only briefly. With this in mind, tribute can be paid to the Information Commissioner’s Office (ICO) which, as part of its responsibilities, has worked hard to further develop the data protection landscape not just through guidance and enforcement, but also through education. Some of the references quoted in this report will take the reader to the ICO’s online resources. These are presented in a particularly effective way, providing self-assessment questions around compliance and steering the reader towards even deeper understanding of the compliance expectations that the ICO has.
This Special Report was completed in early January 2021, just as the EU-UK Trade and Cooperation Agreement entered into provisional effect as a treaty between EU member states and the UK. While it was hoped that issues relating to the continued transfer of personal data between EU member states (and also those comprising the European Economic Area (EEA)) would be addressed within the same timescale through an EU ‘adequacy’ decision,¹ this outcome has not been achieved. An interim period has been agreed² during which personal data may continue to be passed from the EEA to the UK for processing pending the conclusion of deliberations within the EU concerning whether the UK privacy laws meet the standards required for an adequacy decision.
This Special Report reflects the way data protection legislation will apply in the UK now that the country has left the EU. An EU adequacy decision in relation to the UK data protection legislation is expected to be taken and, as is explained in this publication, a grace period of up to six months has been provided for. Should an EU adequacy decision not be achieved, the procedures referred to in this report concerning international transfers to third countries will be relevant to the processing of personal data within the UK of data originating from the EU.
I. A brief history of data protection in the UK
1. Introduction
Concern over the privacy of individuals has existed for longer than might be thought. Even before the emergence of computers, activists were lobbying for personal privacy. Evidence exists, for example,³ in the form of a treatise – The Right to Privacy – in which the authors (US lawyers Samuel D Warren and Louis D Brandeis) promoted the concept of privacy as being a right to be left alone.
Jump forward to 1948 and the legacy of the Second World War begins to influence matters of privacy with the adoption of the Universal Declaration of Human Rights.
The emergence of affordable information technology in the 1970s then led to an exponential growth in the collection and storage of data – including personal data. Slowly but surely, momentum in the promotion of personal privacy and the protection of personal data began to rise as a socially significant issue, rapidly becoming a challenge presented by society to governments across the world.
In 1980 the Organisation for Economic Co-operation and Development became one of the first global organisations to appreciate and address the significance of the need to take measures to protect personal data in order to counterbalance the fast-increasing opportunities to exploit data collected from, or relating to, individuals.
A year later the Council of Europe adopted the Data Protection Convention.⁴ This treaty effectively marked the beginning of the period in which European countries started to address just exactly what legislative measures should be adopted at national level. In many ways, Europe has led the way in the development of data protection legislation.
At a national level, it is arguably the UK that led the way in creating a legal regime of personal data protection with the enactment of the Data Protection Act 1984. That statute set out a basic framework of compliance requirements at a time when the internet was still, in relative terms, in its infancy and the capability to store data was limited.
The 1984 act introduced a series of principles to be followed when personal data was being processed, created a number of offences associated with compliance duties and introduced a requirement to register with the then Office of the Data Protection Registrar. Perhaps most importantly, the act introduced the principle of compensation for individuals whose personal data had been compromised.
By far the most significant milestone, though, has been the coordinated efforts of the member states of the European Community (as it then was) leading to the adoption of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data (the European Data Protection Directive). Key concepts that came into existence at that time, and which have played a major role in the continuing development of data protection, included the concept of the individual’s consent being required for the processing of personal data and the development of the scope of protection through the definition of the scope of processing activities. It even introduced, at this relatively early stage, a concept that some data processed concerning an individual would carry with it particular sensitivities.
To create a collaborative network of regulators across the EU, Article 29 of the European Data Protection Directive provided for the creation of a committee which became known as the Article 29 Working Party. The aim of the working party was to provide expert advice to member states, secure as much consistency as possible in relation to the application of the directive and fulfil various other advisory tasks – including through the publication of guidance material. Under the GDPR, the working party has become the European Data Protection Board.
The UK adopted the 1995 directive through the enactment of the Data Protection Act 1998, which repealed the Data Protection Act 1984. The outcome was legislation that provided greater protection for personal data linked to the harmonisation of rules relating to the collecting, retaining and processing of personal data