Penningtons Manches Cooper LLP

 

What law(s) specifically govern personal data / information?

The UK data protection regime is set out in the UK GDPR and the Data Protection Act 2018 (DPA 2018).

The UK GDPR is an adapted version of the EU General Data Protection Regulation (EU 2016/679) (EU GDPR) created when The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) No 2) Regulations 2019) were adopted under the European Union (Withdrawal) Act 2018. The UK GDPR came into effect on 1 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies. It is based on the EU GDPR, with some changes to make it work more effectively in a UK context.

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It was amended on 1 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU. It sits alongside and supplements the UK GDPR.

In addition, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) contain specific requirements relating to cookies and to the use of personal data for electronic marketing.

 

What are the key data protection principles in this jurisdiction?

The UK GDPR sets out 7 key principles that need to be followed when processing personal data. The principles are set out in Chapter 2 of the UK GDPR (articles 5 to 11) and in summary are:

  1. Lawfulness, fairness and transparency: Personal data must be processed fairly, lawfully and in a manner transparent to the data subject.
  2. Purpose limitation: Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data minimisation: Personal data processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date or be rectified.
  5. Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Integrity and confidentiality (security): Personal data must be processed in a way that ensures appropriate security measures are in place to protect against unauthorised and unlawful processing, as well as accidental loss.
  7. Accountability: The data controller is responsible for what it does with personal data and how it complies with the other principles, even if it uses other entities to execute the processing, and must have appropriate measures and records in place to demonstrate its compliance.

 

What is the supervisory authority / regulator in charge of data protection?

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. For contact details see: https://ico.org.uk/global/contact-us/

 

Is there a requirement to register with a supervisory authority / regulator?

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data must pay an annual data protection fee to the ICO unless they are exempt.

A self-assessment tool is available to assist organisations in deciding if a fee needs to be paid to the ICO and, if so, the amount payable ( https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/ ).

The cost of the annual data protection fee depends on size and turnover. There are three tiers ranging from £40 to £2,900, but most organisations will pay between £40 and £60. The fee can be paid online at https://ico.org.uk/registration/new . To complete the form the following information is needed:

  • credit/debit card or other payment details;
  • details about the organisation being registered (e.g. Companies House number (if applicable), name and address); and
  • details about number of staff and turnover.

 

Is there a requirement to notify the supervisory authority / regulator?

No, a notification to the ICO before executing processing activities is not generally necessary.

However, if a Data Protection Impact Assessment (DPIA) is carried out that identifies a high risk and you cannot do anything to reduce it, prior consultation with the ICO is required under UK GDPR. An organisation cannot go ahead with the processing in these circumstances until it has consulted the ICO.

The focus is on the ‘residual risk’ after taking any mitigating measures. If the DPIA identified a high risk but steps have been taken to reduce the risk so it is no longer high, it is not necessary to consult.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, please see https://ico.org.uk/registration/new

 

What are the key data subject rights under the data protection laws of this jurisdiction?

The data subject rights are set out in Chapter 3 of the UK GDPR (articles 13 to 22) and in summary are:

  • The right to be informed: Pursuant to articles 13 and 14 of the UK GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
  • Right of access: A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in article 15 of the UK GDPR. Additionally, the data subject may request a copy of the personal data being processed.
  • Right to rectification of errors: Pursuant to article 16 of the UK GDPR, data subjects have the right to rectification of inaccurate personal data.
  • Right to deletion/right to be forgotten: Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the reasons listed in article 17 of the UK GDPR applies.
  • Right to restriction of processing: Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for the limited purposes defined in article 18 of the UK GDPR.
  • Right to data portability: Data subjects have a right to receive a copy of certain of their personal data in a commonly used machine-readable format, and to transfer their personal data from one controller to another or have the data transmitted directly between controllers (article 20 of the UK GDPR).
  • Right to object to processing: Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (article 6 para 1(e) of the UK GDPR) or the legitimate interest of the controller (article 6 para 1(f) of the UK GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or requires the data in order to establish, exercise or defend legal rights. Data subjects also have the right to object to the processing of personal data for marketing purposes, including profiling.
  • Right to withdraw consent: A data subject has the right to withdraw their consent at any time (article 7 para 3 of the UK GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
  • Right to complain to the relevant data protection authority(ies): Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
  • Right not to be subject to automated individual decision-making: Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling) which produces legal effects or similarly significant effects for the data subject (article 22 of the UK GDPR).

This is a summary only and there are some qualifications and limitations to these rights which may be relevant.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the UK GDPR (articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • whose core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • whose core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Organisations must carry out a DPIA before carrying out any type of processing that is likely to result in a high risk to individuals. Evaluating whether processing is likely to result in a high risk should involve consideration of the likelihood and severity of the potential harm.

Article 35 of the UK GDPR provides some examples of processing activities likely to result in high risk:

  • use of systematic and extensive profiling with significant effects;
  • processing special category or criminal offence data on a large scale; or
  • systematically monitoring publicly accessible places on a large scale.

In these cases a DPIA is compulsory. The list is non-exhaustive; other processing operations that pose a similarly high risk would also require a DPIA.

The ICO DPIA guidance is based on the guidelines endorsed by the European Data Protection Board (see: https://ec.europa.eu/newsroom/article29/items/611236 ). These define nine criteria of processing operations likely to result in high risk. While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, organisations may consider that just meeting one criterion could require a DPIA.

The ICO DPIA Guidance also sets out a further ten types of processing operation that mean a DPIA is compulsory if you plan to:

  • use innovative technology (in combination with any of the criteria from the European guidelines);
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data (in combination with any of the criteria from the European guidelines);
  • process genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines);
  • track individuals’ location or behaviour (in combination with any of the criteria from the European guidelines);
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO provides screening checklists (see: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ ), that organisations can use to assess whether a DPIA is required.

Even if there is no specific indication of likely high risk, the ICO DPIA guidance provides that it is good practice to do a DPIA for any major new project involving the use of personal data.

 

Does this jurisdiction have any specific data breach notification requirements?

Article 33 of the UK GDPR provides that notification to the ICO is required where a breach is likely to result in a risk to individuals' rights and freedoms. The ICO must be notified without undue delay and, where feasible, not later than 72 hours after the organisation becomes aware of the breach. If notification takes longer, the organisation must give reasons for the delay.

When assessing the risk to individuals, organisations need to consider the specific circumstances of the breach, including the likelihood, severity and potential impact of the risk. The ICO guidelines provide that the following factors should be taken into account when assessing risk:

  • type of breach;
  • nature, sensitivity and volume of personal data;
  • ease of identification of individuals;
  • severity of consequences for individuals;
  • special characteristics of the individual (for example, children or other vulnerable individuals may be at greater risk);
  • number of individuals affected; and
  • specific characteristics of the data controller (e.g. a medical organisation processing special categories of personal data will pose a greater threat than the mailing list of a newspaper).

The guidelines give two examples of where a breach is unlikely to result in such a risk: where the personal data are already publicly available, so that disclosure of the data does not, of itself, constitute a further risk to the individual; and where the data are encrypted and the relevant key is not at risk of compromise.

When an organisation decides against reporting a breach, it should ensure it documents any decisions and retains any relevant evidence in support of its decision that the breach does not pose any risk to individuals' rights and freedoms.

The requirement to communicate a breach to individuals is triggered where a breach is likely to result in a high risk to their rights and freedoms (see article 34, UK GDPR) and the obligation falls on the controller.

The threshold for communicating a breach to individuals is higher than for notifying the ICO. Consequently where notification to individuals is required, notification to the ICO will always be required. The same factors as set out above apply when assessing whether communication to individuals is required. A presumption of high risk to individuals is suggested where the data involved is one of the special categories of data identified in article 9 of the UK GDPR and section 10(1) of the DPA 2018.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR provides that organisations must inform those concerned directly and without undue delay.

Article 33(5) of the UK GDPR and section 67(6) of the DPA 2018 provide that all data breaches (including those not reported) must be recorded, including the facts relating to the breach, the effects of the breach and any remedial action taken in response. The ICO may inspect these records.

The ICO has a self assessment tool to assist organisations in determining whether a particular breach needs to be reported (see: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/ ).

 

What restrictions apply to the international transfer of personal data / information?

Chapter 5 of the UK GDPR restricts the transfer of personal data to countries outside the UK or to international organisations. Transfers are only permitted if:

  • the receiver is located in a country or territory or is an international organisation covered by the UK ‘adequacy regulations’ (the UK has ‘adequacy regulations’ in relation to the EEA countries, Gibraltar, countries, territories and sectors covered by the European Commission’s adequacy decisions in force at 31 December) (see article 45);
  • the transfer is made subject to one of the appropriate safeguards set out in article 46; or
  • the transfer is covered by one of the permitted derogations set out in article 49 (in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer is necessary for the performance of a contract between the data subject and data controller at the data subject's request or in the interest of the data subject, or the transfer is necessary for the establishment, exercise or defence of legal claims.

The UK is the subject of an adequacy decision by the European Commission under the GDPR and the Law Enforcement Directive. This means that transfers of personal data from the EEA to the UK can continue as they did before Brexit without the need for further safeguards, such as SCCs or data transfer impact assessments.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, article 3 of the UK GDPR and s207 of the DPA 2018 (subject to limited exceptions) extend the territorial scope of the UK data protection regime such that it applies to the processing of personal data:

  • in the context of the activities of an establishment of a controller or a processor in the UK, regardless of whether that processing takes place in the UK or not;
  • of data subjects who are in the UK by a controller or processor not established in the UK, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the UK, or
    • the monitoring of their behaviour as far as their behaviour takes place within the UK; or
  • by a controller not established in the UK, but in a place where the law of the UK (or a part) applies by virtue of public international law.

 

What rules specifically deal with marketing?

PECR sits alongside the DPA 2018 and the UK GDPR to provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text, and picture or video message, or by using an automated calling system. PECR also includes other rules relating to cookies, telephone directories, traffic data, location data, and security breaches.

Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations (e.g. charities, political parties, etc.).

In many cases, organisations will need consent to send people marketing, or to pass their details on and such consent must meet the UK GDPR standard (including that the consent is a positive action from the individual, freely given, specific and informed and capable of verification).

The ICO recommends that opt-in boxes are used. The rules on calls, texts, and emails are stricter than those on mail marketing, and consent must be more specific.

Organisations can make live marketing calls to numbers not registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS), but only if the recipient has not objected to the organisation’s calls in the past and the organisation is not marketing claims management services (calls for this purpose require consent). Pension scheme calls can only be made to individuals (including sole traders and partnerships) if authorised and with consent or meeting existing customer criteria.

Organisations should note that some businesses (sole traders and some partnerships) register with the TPS, and others (companies, some partnerships and government bodies) register with the CTPS. For business-to-business calls, organisations therefore need to screen against both the TPS and the CTPS registers, as well as their own ‘do not call’ list.

Organisations must not call any number on the TPS or CTPS list without specific prior consent.

The rules on automated calls are stricter. Organisations must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the recipient has specifically consented to receive this type of call. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.

Organisations making marketing calls must allow their number (or an alternative contact number) to be displayed to the person receiving the call.

Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for previous customers, known as the soft opt-in (for further details see below).

Organisations must stop sending marketing messages to any person who objects or opts out of receiving them.

Organisations must carry out rigorous checks before relying on indirect consent (i.e. consent originally given to a third party). Indirect consent is highly unlikely to be valid for calls, texts, or emails.

Neither the DPA nor PECR bans the use of marketing lists, but organisations must take steps to ensure a list was compiled fairly and accurately reflects people’s wishes. Bought-in call lists should be screened against the TPS. It will be very difficult to use bought-in lists for text, email, or automated call campaigns, as these require very specific consent (either where the specific organisation is named or it is within a precisely defined category of organisation).

The ICO’s direct marketing checklist summarises the rules on direct marketing (see: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf ).

The ICO has also recently published a new direct marketing hub accessible through its website.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes, there are different rules for marketing to companies and marketing to individuals (which includes sole traders and some partnerships). The ICO has published an at-a-glance guide to the different marketing rules that apply to individuals and companies under the DPA 2018 and PECR (see: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf ). As part of the new direct marketing hub, the ICO has published further guidance on business-to-business marketing.

Under PECR organisations can only send marketing emails or texts to individuals if they have specifically consented, or if the PECR ‘soft opt-in’ applies (see below for further details).

Organisations can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, ICO guidance provides that it is good practice to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.

See above for details of the rules with regard to live calls and automated calls.

The UK GDPR applies wherever you are processing ‘personal data’. This means that if you can identify an individual either directly or indirectly, the UK GDPR will apply, even if they are acting in a professional capacity. Consequently, organisations may need to consider the UK GDPR if they are emailing employees at a corporate body who have personal corporate email addresses (e.g. an address that includes the employee’s name).

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Yes, see above. Direct electronic marketing is governed in the UK by both the UK GDPR and PECR.

Consent is required before sending emails to individual subscribers (unless the PECR ‘soft opt-in’ set out below applies). Where PECR requires consent, that consent must meet the UK GDPR standards (including that the consent is a positive action from the individual, freely given, specific and informed and capable of verification).

PECR – soft opt-in

For individual subscribers who have not given prior consent to receive marketing, organisations can only send email marketing if the individual is an existing customer who bought (or negotiated to buy) a similar product or service from the organisation in the past and the organisation gave them a simple way to opt out both when it first collected their details and in every message subsequently sent. If relying on the soft opt-in, organisations must be able to demonstrate that the relevant individuals were given the opportunity to opt out both at the time of collection of their details and in every subsequent message.

 

What rules specifically deal with cookies?

PECR covers the use of cookies. The ICO has issued guidance on the use of cookies (see: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/ ) to comply with PECR and UK GDPR. In summary, this requires organisations to:

  • state that they use cookies;
  • state what they use cookies for; and
  • request consent to use cookies (unless the cookies are strictly necessary), and such consent must be to the UK GDPR standard (including that the consent is a positive action from the individual, freely given, specific and informed and capable of verification).

The website script should not set non-essential cookies until explicit consent has been obtained. In order for the consent to be valid, the various purposes of the cookies must be broken down and the user given the ability to check/uncheck each purpose to indicate their preference. Only cookies that are strictly necessary for provision of the service (such as session cookies to set the individual’s language) may be pre-checked. The website must also allow the user to alter their consent at any time.
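The consent-gating described above, as an added example that is not code from the page or from the ICO: purposes are presented as separate checkboxes with only the strictly necessary category pre-checked and locked, non-essential cookies are written only while their purpose is permitted, consent can be withdrawn later, and cookies whose purpose is no longer permitted are removed. The category names, labels and cookie registry are constructed for illustration, and a `Map` stands in for the browser cookie store so the logic runs outside a browser.

```javascript
// Added example, not code from the page or the ICO. Category ids, labels and
// the cookie registry below are constructed for illustration.
const COOKIE_CATEGORIES = {
  strictly_necessary: { label: "Strictly necessary (e.g. session, language)", required: true },
  analytics: { label: "Analytics", required: false },
  marketing: { label: "Marketing / advertising", required: false },
};

// Consent record before the user has decided anything: only the strictly
// necessary category is permitted, nothing else is assumed.
function createConsentState() {
  return {
    decided: false,
    choices: { strictly_necessary: true, analytics: false, marketing: false },
    updatedAt: null,
  };
}

// Checkbox options for the consent dialog: the strictly necessary category is
// the only one pre-checked (and locked); every other purpose starts unticked,
// so a positive action is needed to enable it.
function buildCategoryOptions(state) {
  return Object.entries(COOKIE_CATEGORIES).map(([id, meta]) => ({
    id,
    label: meta.label,
    disabled: meta.required,
    checked: meta.required ? true : state.decided && state.choices[id] === true,
  }));
}

// Record the user's explicit per-purpose choices. Unknown categories are
// rejected; required categories cannot be switched off. Returns a new state.
function recordConsent(state, choices, now = new Date()) {
  const next = { ...state.choices };
  for (const [id, allowed] of Object.entries(choices)) {
    if (!(id in COOKIE_CATEGORIES)) throw new Error(`unknown cookie category: ${id}`);
    if (COOKIE_CATEGORIES[id].required) continue;
    next[id] = allowed === true; // anything other than an explicit true counts as "no"
  }
  return { decided: true, choices: next, updatedAt: now.toISOString() };
}

// The user may change their mind at any time: withdraw every optional purpose.
function withdrawConsent(state, now = new Date()) {
  const optional = Object.keys(COOKIE_CATEGORIES).filter((id) => !COOKIE_CATEGORIES[id].required);
  return recordConsent(state, Object.fromEntries(optional.map((id) => [id, false])), now);
}

function isAllowed(state, category) {
  if (!(category in COOKIE_CATEGORIES)) return false; // unregistered purpose: never allowed
  if (COOKIE_CATEGORIES[category].required) return true;
  return state.decided && state.choices[category] === true;
}

// The gate: a cookie is written only while its purpose is currently permitted.
// `jar` is a Map standing in for document.cookie so this runs outside a browser.
function setCookieIfAllowed(state, jar, name, value, category) {
  if (!isAllowed(state, category)) return false;
  jar.set(name, value);
  return true;
}

// After a withdrawal, remove cookies whose purpose is no longer permitted.
// `registry` maps cookie name -> category (what a cookie audit would produce).
function purgeDisallowed(state, jar, registry) {
  let removed = 0;
  for (const [name, category] of Object.entries(registry)) {
    if (!isAllowed(state, category) && jar.has(name)) {
      jar.delete(name);
      removed += 1;
    }
  }
  return removed;
}

// Worked run over a constructed registry: before any decision, after a partial
// opt-in (analytics only), then after withdrawal.
function demo() {
  const registry = {
    sessionid: "strictly_necessary",
    lang: "strictly_necessary",
    site_analytics: "analytics",
    ad_campaign: "marketing",
  };
  const jar = new Map();
  let state = createConsentState();
  const before = Object.entries(registry).map(([n, c]) => setCookieIfAllowed(state, jar, n, "v", c));
  state = recordConsent(state, { analytics: true, marketing: false });
  const after = Object.entries(registry).map(([n, c]) => setCookieIfAllowed(state, jar, n, "v", c));
  state = withdrawConsent(state);
  const removed = purgeDisallowed(state, jar, registry);
  return { before, after, removed, remaining: [...jar.keys()] };
}

console.log(JSON.stringify(demo()));
```

In a real site the `jar` would be `document.cookie` (or the script tags that set third-party cookies), the consent record would be persisted in a first-party cookie or local storage so the choice survives page loads, and the registry would come from the cookie audit the ICO recommends, so that every cookie the site sets has a declared purpose to gate on.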

Organisations are required to prepare a cookie policy outlining what cookies the website sets and which, if any, are strictly necessary for it to operate. The ICO has recommended that all organisations undertake a ‘cookie audit’ to understand better the cookies their websites use and the reasons why. Following such audits, organisations should review their practices and policies in line with the ICO guidance.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The ICO has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the DPA 2018 – Law Enforcement Processing.

Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3 - the higher maximum and the standard maximum.

The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The ICO may also issue fines of up to £500,000 for non-compliance with direct marketing laws.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

Controllers and processors who are not established in the UK are generally required under article 27 of the UK GDPR to designate a representative in the UK where their activities fall within the territorial scope of the UK data protection regime under article 3, specifically if they involve processing personal data of data subjects within the UK in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the UK.

The minimum age a data subject must reach in order to give valid consent to the processing of their own personal data is 13 in the UK.

 

What upcoming data protection developments should multinational organisations be aware of?

The UK government has announced that it intends to consult on a future data protection regime that could move away in some elements from the EU regime (though it will need to be mindful of its adequacy decision from the EU as it does so).

 

Need more information? Contact a member firm:

  • Nora Pook, Penningtons Manches Cooper LLP, UK
  • Joanne Vengadesan, Penningtons Manches Cooper LLP, UK
  • Grace Lymer-Sullivan, Penningtons Manches Cooper LLP, UK
  • Dan Lovett, Penningtons Manches Cooper LLP, UK
  • Thomas Kirby, Penningtons Manches Cooper LLP, UK
  • Nilly Tabatabai, Penningtons Manches Cooper LLP, UK