Penningtons Manches Cooper LLP
The following law(s) specifically govern personal data / information:
The UK data protection regime is set out in the Data Protection Act (DPA) 2018 and the UK GDPR.
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It was amended on 1 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU. It sits alongside and supplements the UK GDPR.
The UK GDPR is an adapted version of the EU GDPR (EU 2016/679) created when The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No 2) Regulations 2019) were adopted under the European Union (Withdrawal) Act 2018. The UK GDPR came into effect on 1 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies. It is based on the EU GDPR, with some changes to make it work more effectively in a UK context.
The key data protection principles in this jurisdiction are:
The UK GDPR sets out 7 key principles that need to be followed when processing personal data. The principles are set out in Chapter 2 of the UK GDPR (articles 5 to 11) and in summary are:
- Lawfulness, fairness and transparency: Personal data must be processed fairly, lawfully and in a manner transparent to the data subject.
- Purpose limitation: Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation: Personal data processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date or be rectified.
- Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality (security): Personal data must be processed in a way that ensures appropriate security measures are in place to protect against unauthorised and unlawful processing, as well as accidental loss.
- Accountability: The data controller is responsible for what it does with personal data and how it complies with the other principles, even if it uses other entities to execute the processing, and must have appropriate measures and records in place to demonstrate its compliance.
The supervisory authority / regulator in charge of data protection is:
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. For contact details see:
Is there a requirement to register with a supervisory authority / regulator?
Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data must pay an annual data protection fee to the ICO unless they are exempt.
A self-assessment tool is available to assist organisations in deciding if a fee needs to be paid to the ICO and, if so, the amount payable (see: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/).
The cost of the annual data protection fee depends on size and turnover. There are three tiers ranging from £40 to £2,900, but most organisations will pay between £40 and £60. The fee can be paid online at https://ico.org.uk/registration/new. To complete the form the following information is needed:
- credit/debit card or other payment details;
- details about the organisation being registered (e.g. Companies House number (if applicable), name, address); and
- details about number of staff and turnover.
Is there a requirement to notify the supervisory authority / regulator?
No, a notification to the ICO before executing processing activities is not generally necessary.
However, if a DPIA is carried out that identifies a high risk and you cannot do anything to reduce it, prior consultation with the ICO is required under UK GDPR. An organisation cannot go ahead with the processing until it has consulted the ICO.
The focus is on the ‘residual risk’ after taking any mitigating measures. If the DPIA identified a high risk but steps have been taken to reduce the risk so it is no longer high, it is not necessary to consult.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
The data subject rights are set out in Chapter 3 of the UK GDPR (articles 13 to 22) and in summary are:
- the right to be informed about the collection and the use of their personal data
- the right to access personal data and supplementary information
- the right to have inaccurate personal data rectified, or completed if it is incomplete
- the right to erasure (to be forgotten) in certain circumstances
- the right to restrict processing in certain circumstances
- the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
- the right to object to processing in certain circumstances
- rights in relation to automated decision making and profiling.
Is there a requirement to appoint a data protection officer (or equivalent)?
Under the UK GDPR (articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:
- are a public authority or body (except for courts acting in their judicial capacity);
- have core activities that require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- have core activities that consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Organisations must carry out a Data Protection Impact Assessment (DPIA) before carrying out any type of processing that is likely to result in a high risk to individuals. Evaluating whether processing is likely to result in a high risk should involve consideration of the likelihood and severity of the potential harm.
Article 35 of the UK GDPR provides some examples of processing activities likely to result in high risk:
- use of systematic and extensive profiling with significant effects;
- processing special category or criminal offence data on a large scale; or
- systematically monitoring publicly accessible places on a large scale.
In these cases a DPIA is compulsory. The list is non-exhaustive; other processing operations that pose a similarly high risk would also require a DPIA.
The ICO DPIA guidance is based on the guidelines endorsed by the EDPB (see: https://ec.europa.eu/newsroom/article29/items/611236). These define nine criteria of processing operations likely to result in high risk. While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, organisations may consider that just meeting one criterion could require a DPIA.
The ICO DPIA Guidance also sets out a further ten types of processing operation that mean a DPIA is compulsory if you plan to:
- use innovative technology (in combination with any of the criteria from the European guidelines);
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data (in combination with any of the criteria from the European guidelines);
- process genetic data (in combination with any of the criteria from the European guidelines);
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines);
- track individuals’ location or behaviour (in combination with any of the criteria from the European guidelines);
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
The ICO provides screening checklists (see: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/), that organisations can use to assess whether a DPIA is required.
Even if there is no specific indication of likely high risk, the ICO DPIA guidance provides that it is good practice to do a DPIA for any major new project involving the use of personal data.
Does this jurisdiction have any specific data breach notification requirements?
Article 33 of the UK GDPR provides that notification to the ICO is required where a breach is likely to result in a risk to individuals' rights and freedoms. The ICO must be notified without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. If notification takes longer than this, the organisation must give reasons for the delay.
When assessing the risk to individuals, organisations need to consider the specific circumstances of the breach, including the likelihood, severity and potential impact of the risk. The ICO guidelines provide that the following factors should be taken into account when assessing risk:
- type of breach.
- nature, sensitivity and volume of personal data.
- ease of identification of individuals.
- severity of consequences for individuals.
- special characteristics of the individual (for example, children or other vulnerable individuals may be at greater risk).
- number of individuals affected.
- specific characteristics of the data controller (e.g. a medical organisation processing special categories of personal data will pose a greater threat than the mailing list of a newspaper).
The guidelines state that an example of where a breach is unlikely to result in such a risk may be where personal data are already publicly available and therefore disclosure of the data does not, of itself, constitute a further risk to the individual or where data are encrypted, and the relevant key is not at risk of compromise.
When an organisation decides against reporting a breach, it should ensure it documents any decisions and retains any relevant evidence in support of its decision that the breach does not pose any risk to individuals' rights and freedoms.
The requirement to communicate a breach to individuals is triggered where a breach is likely to result in a high risk to their rights and freedoms (see Article 34, UK GDPR) and the obligation falls on the controller.
The threshold for communicating a breach to individuals is higher than for notifying the ICO. Consequently where notification to individuals is required, notification to the ICO will always be required. The same factors as set out above apply when assessing whether communication to individuals is required. A presumption of high risk to individuals is suggested where the data involved is one of the special categories of data identified in Article 9 of the UK GDPR and section 10(1) of the DPA 2018.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR provides that organisations must inform those concerned directly and without undue delay.
Article 33(5) of the UK GDPR and section 67(6) of the DPA 2018 provide that all data breaches (including those not reported) must be recorded, including the facts relating to the breach, the effects of the breach and any remedial action taken in response. The ICO may inspect these records.
The ICO has a self assessment tool to assist organisations in determining whether a particular breach needs to be reported (see: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/).
Does your jurisdiction specifically restrict the transfer of personal data out of the jurisdiction? If so, please provide an overview of the restrictions and what transfer tools / mechanisms can be utilised to allow a lawful transfer of personal data.
Yes, Chapter 5 of the UK GDPR restricts the transfer of personal data to countries outside the UK or to international organisations. Transfers are only permitted if:
- the receiver is located in a country or territory or is an international organisation covered by the UK ‘adequacy regulations’ (the UK has ‘adequacy regulations’ in relation to the EEA countries, Gibraltar, countries, territories and sectors covered by the European Commission’s adequacy decisions in force at 31 December) (see article 45);
- the transfer is made subject to one of the appropriate safeguards set out in article 46, such as Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and data transfer impact assessments; or
- the transfer is covered by one of the permitted derogations set out in article 49 (in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer is necessary for the performance of a contract between the data subject and data controller at the data subject's request or in the interest of the data subject, or the transfer is necessary for the establishment, exercise or defence of legal claims.
Do the data protection laws of your jurisdiction have “extra-territorial effect” on organisations outside your jurisdiction? If so, please describe.
Yes, article 3 of the UK GDPR and s207 of the DPA 2018 (subject to limited exceptions) extend the territorial scope of the UK data protection regime such that it applies to the processing of personal data:
- in the context of the activities of an establishment of a controller or a processor in the UK, regardless of whether that processing takes place in the UK or not;
- of data subjects who are in the UK by a controller or processor not established in the UK, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the UK, or
- the monitoring of their behaviour as far as their behaviour takes place within the UK;
- by a controller not established in the UK, but in a place where the law of the UK (or a part) applies by virtue of public international law.
Does your jurisdiction have any rules specifically dealing with marketing?
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sit alongside the DPA 2018 and the UK GDPR to provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text, and picture or video message, or by using an automated calling system. PECR also includes other rules relating to cookies, telephone directories, traffic data, location data, and security breaches.
Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not for profit organisations (e.g. charities, political parties, etc.).
In many cases, organisations will need consent to send people marketing, or to pass their details on and such consent must meet the UK GDPR standard (including that the consent is a positive action from the individual, freely given, specific and informed and capable of verification).
The ICO recommends that opt-in boxes are used. The rules on calls, texts, and emails are stricter than those on mail marketing, and consent must be more specific.
Organisations can make live marketing calls to numbers not registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS), but only if the recipient has not objected to the organisation’s calls in the past and the organisation is not marketing claims management services (calls for this purpose require consent). Pension scheme calls can only be made to individuals (including sole traders and partnerships) if authorised and with consent or meeting existing customer criteria.
Organisations should note that some businesses (sole traders and some partnerships) register with the TPS, and others (companies, some partnerships and government bodies) register with the CTPS. For business to business calls, organisations therefore need to screen against both the TPS and the CTPS registers, as well as their own ‘do not call’ list.
Organisations must not call any number on the TPS or CTPS list without specific prior consent.
The rules on automated calls are stricter. Organisations must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the recipient has specifically consented to receive this type of call. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.
Organisations making marketing calls must allow their number (or an alternative contact number) to be displayed to the person receiving the call.
Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for previous customers, known as the soft opt-in (for further details see below).
Organisations must stop sending marketing messages to any person who objects or opts out of receiving them.
Organisations must carry out rigorous checks before relying on indirect consent (i.e. consent originally given to a third party). Indirect consent is highly unlikely to be valid for calls, texts, or emails.
Neither the DPA nor PECR ban the use of marketing lists, but organisations must take steps to ensure a list was compiled fairly and accurately reflects people’s wishes. Bought-in call lists should be screened against the TPS. It will be very difficult to use bought-in lists for text, email, or automated call campaigns as these require very specific consent (either where the specific organisation is named or it is within a precisely defined category of organisation).
The ICO’s direct marketing checklist summarises the rules on direct marketing (see: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf).
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes, there are different rules for marketing to companies and marketing to individuals (which includes sole traders and some partnerships). The ICO has published an at-a-glance guide to the different marketing rules that apply to individuals and companies under the DPA 2018 and PECR (see: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf).
Under PECR, organisations can only send marketing emails or texts to individuals if they have specifically consented, or if the PECR ‘soft opt-in’ applies (see below for further details).
Organisations can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, ICO guidance provides that it is good practice to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.
See above for details of the rules with regard to live calls and automated calls.
The UK GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the UK GDPR will apply even if they are acting in a professional capacity. Consequently, organisations may need to consider the UK GDPR if they are emailing employees at a corporate body who have personal corporate email addresses (e.g. [email protected]).
Does your jurisdiction have any rules specially dealing with electronic marketing (for example, by email, text, WhatsApp message, online ads etc)?
Yes, see above. Direct electronic marketing is governed in the UK by both the UK GDPR and PECR.
Consent is required before sending emails to individual subscribers (unless the PECR ‘soft opt-in’ set out below applies). Where PECR requires consent, that consent must meet the UK GDPR standards (including that the consent is a positive action from the individual, freely given, specific and informed and capable of verification).
PECR – soft opt-in
For individual subscribers without prior consent to send marketing, organisations can only send email marketing if the individual is an existing customer who bought (or negotiated to buy) a similar product or service from the organisation in the past and the organisation gave them a simple way to opt out both when it first collected their details and in every message subsequently sent. If relying on the soft opt-in, organisations must be able to demonstrate that the relevant individuals were given the opportunity to opt-out both at the time of collection of their details and in every subsequent message.
Does your jurisdiction have any rules specifically dealing with cookies? If so, please provide further details (for example, is there a need to differentiate between the types of cookies used).
The website script should not set cookies until explicit consent has been obtained. In order for the consent to be valid, the various purposes of the cookies must be broken down and the user given the ability to check/uncheck each purpose to indicate their preference. Only cookies that are strictly necessary for provision of the service (such as session cookies to set the individual’s language) may be pre-checked. The website must also allow the user to alter their consent at any time.
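As an added illustration (not code from the original page or from the firm), the following is a minimal consent gate that implements the rules just described: nothing but strictly necessary cookies is set before the banner is submitted, each purpose is a separate checkbox that starts unchecked unless strictly necessary, and the choice can be changed later, with cookies for withdrawn purposes removed. The purpose names and the in-memory cookie jar standing in for `document.cookie` are assumptions so the example runs offline.

```javascript
// Purposes presented to the user as separate check/uncheck options (assumed names).
const PURPOSES = {
  necessary: { strictlyNecessary: true },    // e.g. session / language cookie
  analytics: { strictlyNecessary: false },
  advertising: { strictlyNecessary: false },
};

// Initial banner state: only strictly necessary purposes may be pre-checked.
function initialPreferences() {
  const prefs = {};
  for (const [name, p] of Object.entries(PURPOSES)) prefs[name] = p.strictlyNecessary;
  return prefs;
}

class ConsentManager {
  constructor() {
    this.jar = new Map();          // stand-in for document.cookie (assumption)
    this.prefs = initialPreferences();
    this.consentGiven = false;     // banner not yet submitted
  }

  // Is a cookie for this purpose allowed right now?
  allowed(purpose) {
    if (!(purpose in PURPOSES)) return false;      // unknown purpose: never allowed
    if (PURPOSES[purpose].strictlyNecessary) return true;
    return this.consentGiven && this.prefs[purpose] === true;
  }

  // The only way a cookie gets written: refused unless allowed() says yes.
  setCookie(name, value, purpose) {
    if (!this.allowed(purpose)) return false;
    this.jar.set(name, { value, purpose });
    return true;
  }

  // User submits the banner with explicit per-purpose choices.
  // Strictly necessary purposes cannot be switched off; others follow the user's choice.
  submitBanner(choices) {
    for (const [name, checked] of Object.entries(choices)) {
      if (!(name in PURPOSES)) throw new Error(`unknown purpose: ${name}`);
      this.prefs[name] = PURPOSES[name].strictlyNecessary || checked === true;
    }
    this.consentGiven = true;
  }

  // Consent must be alterable at any time: re-run the banner logic and purge
  // cookies whose purpose is no longer consented to.
  updatePreferences(choices) {
    this.submitBanner(choices);
    for (const [cookieName, c] of [...this.jar]) {
      if (!this.allowed(c.purpose)) this.jar.delete(cookieName);
    }
  }
}
```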
What are the consequences of non-compliance with data protection laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority/regulator.
The ICO has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the DPA 2018 – Law Enforcement Processing.
Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3 - the higher maximum and the standard maximum.
The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.
If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The ICO may also issue fines of up to £500,000 for non-compliance with direct marketing laws.
In broad terms, are there any factors unique to your jurisdiction that you would advise a multinational to consider if it is processing personal data from individuals within your jurisdictions, without being located there?
Controllers and processors who are not established in the UK are generally required under Article 27 of the UK GDPR to designate a representative in the UK where their activities fall within the territorial scope of the UK data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the UK in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the UK.
The minimum age a data subject must reach in order to give valid consent to the processing of their own personal data is 13 in the UK.
Are there any upcoming data protection developments that a multinational organisation should be aware of?
The UK has recently been made the subject of an adequacy decision by the European Commission. This means that transfers of personal data from the EEA to the UK can continue as they did before Brexit without the need for further safeguards, such as SCCs or data transfer impact assessments.
The ICO is currently consulting on its International Data Transfer Agreement (“IDTA”), which will replace the current SCCs if adopted. As part of this consultation, the ICO is seeking views on an appropriate period of time in which the current SCCs may continue to be used before they cease to be valid and must be replaced by the IDTA.
The UK government has also announced that it intends to consult on a future data protection regime that could move away in some elements from the EU regime (though will need to be mindful of its adequacy decision from the EU as it does so).