Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

UNITED KINGDOM DATA PRIVACY REGULATIONS

EU GDPR


In May 2018, the General Data Protection Regulation (GDPR) will take effect.  Over the next year, be vigilant for changes made to the United Kingdom's data protection laws as they adjust to meet the new regulation.

The GDPR includes many of the same principles as found in the Data Protection Directive, but there are multiple new requirements:

  • Data Access Rights:  The right-to-be-forgotten and the right to data portability;
  • Mandatory DPO:  Mandatory Data Protection Officer depending on amount and type of processing or monitoring for both data controllers and data processors;
  • Data Controllers:  Appropriate procedures and policies, employee training, records of processing activities, privacy by design;
  • Consent:  Opt-in or explicit consent only, required for every use and additional use, as easy to withdraw as it was to give;
  • Data Breach Reporting:  Mandatory reporting to DPA/Supervisory Authority within 72 hours.  Notifications sent to affected individuals.
  • One Stop Shop:  Businesses established in multiple member states will choose one Data Protection Agency as their Supervisory Authority.

The Article 29 Working Party is issuing guidance, one topic at a time, to give direction to the new requirements.

Who Me?


The United Kingdom Data Protection Act 1988 (revised July 30, 2016) requires compliance from both data controllers and data processors.

Controller:

Those who, either alone or with others, control the contents and use of personal data.

Data Controllers can be, but are not limited to:

  • Any other European Economic Area (EEA) State that makes use of equipment in the United Kingdom for business and data handling,
  • A business in the United Kingdom,
  • A partnership or associate with an organisation in the United Kingdom,
  • A person who holds an office, branch or agency in the United Kingdom.

Processor:

Any person/entity who processes data on behalf of the data controller. Data processors are expected to, at the very least, be contractually obligated to uphold the standard required of the data controller based on the DPA.

SENSITIVE DATA

In addition to personal data, the United Kingdom defines certain personal information as sensitive data.  This data may have additional requirements related to data protection, data subject access, etc.

Sensitive personal data includes, but is not limited to:

  • The racial/ethnic origin of the data subject,
  • Political opinions, religious beliefs or other beliefs of a similar nature,
  • Trade Union membership information,
  • Physical or mental health or condition,
  • Sexual life,
  • The commission or alleged commission by the data subject of any offence, or
  • Any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

REGISTRATION

Registration under the United Kingdom’s Data Protection Act requires individuals and organisations that process/control personal information to register with the Information Commissioner's Office (ICO).

  • The ICO considers it a best practice to register for those businesses that may:
    • Use CCTV for crime prevention and/or
    • Process information by doing any of the following with it: obtaining it; recording it; storing it; updating it; or sharing it.

There are exceptions to ICO registrations. For more information on registration requirements and exemptions visit the ICO website.

  • Registration fees and processes are different in every EU country. For more information on the United Kingdom's Data Protection registration fees visit the ICO website.

CODE

Codes of Practice

The Information Commissioner has formally approved several Codes of Practice related to personal data, a few of which are listed here:

  • Data Sharing Code of Practice
  • Subject Access Code of Practice
  • The Employment Practice Code
  • Direct Marketing Guidelines
  • Anonymisation: Managing Data Protection Risk Code of Practice
  • Personal Information Online Code of Practice

For more information or updates on the United Kingdom’s Data Protection Codes of Practice visit the ICO website.

Each Code of Practice comprises requirements related to a specific element of personal data control or processing. For example, the Personal Information Online Code discusses encryption and anonymisation for certain types of personal data.

BREACH REPORTING

Breach Reporting & Notification

In its breach reporting guidance, the ICO asks:

  • Are there any legal or contractual requirements?
  • Can notification help you meet your security obligations?
  • Can notification help the data subjects?
  • Were a large number of people affected, or are there very serious consequences?

If so, it is advisable that you inform the Information Commissioner’s Office (ICO) of the breach.

The ICO does not have a set time limit for reporting (unless you are covered by PECR); however, the upcoming GDPR mandates 72 hours.

Beyond the ICO, you must know who else to notify after the discovery of a breach. Consider notifying the police, individuals affected, regulatory bodies, third parties, banks and other financial entities, or the media.

SUBJECT RIGHTS

Data Subject Rights Requirements

The Data Protection Act establishes several requests that data subjects can make to data controllers/processors, with which such entities must comply. These rights include the right to:

  • Access information/update one's information;
  • Data portability;
  • Be forgotten; and
  • Request automated decision-taking reasoning.

For compliance with a data deletion or cease-processing request, the UK ICO mandates that under normal circumstances, electronic communications should stop within 28 days of receiving the notice, and postal communications should stop within two months.

Contact the Privacy Experts at CSR