Complying with the UK GDPR: Your Data Protection Questions Answered

28 January 2021

It’s the 28th of January – that can only mean one thing:

Happy Data Protection Day!

Sadly, it isn’t a bank holiday. It is, however, an opportunity to raise awareness and promote best practices in data protection.

Earlier this week, we hosted a webinar led by Duncan Gillespie, one of our esteemed lawyers who specialises in all aspects of regulatory law including the GDPR. Although the webinar covered various issues, the primary focus was around Article 27 of the GDPR which regards the need to appoint an EU and/or UK representative for GDPR purposes. Didn’t manage to catch it live? Watch it on demand to get an overview of what Article 27 means for your business and your obligations moving forward.

In light of Data Protection Day and the end of the Brexit transition period, we thought we would call upon the expertise of our specialist lawyers to answer some of the key questions we’ve been receiving recently with regard to the UK GDPR and data protection laws more broadly.

What is the effect of Brexit on the application of the General Data Protection Regulation (GDPR) to the UK?

The EU GDPR was established to effectively create a one-stop-shop of data protection laws, which would unify and simplify legislation for all member states and allow the flow of data throughout the EU. Upon the end of the Brexit transition period, the GDPR was incorporated into UK law as the UK GDPR (retained EU Regulation 2016/679) on 31 December 2020.

It’s worth noting that the EU GDPR will still apply directly to organisations who have an established presence in the EU, and to organisations who are outside of the EU but who process the personal data of EU citizens in relation to offering goods and services, or monitoring the behaviour (such as location data) of individuals in the EU.

Another key point to note relates to Article 27 of the GDPR. Now that the UK has left the EU, UK companies who intend to process the personal information of EU citizens must appoint an EU representative who will act as the main point of contact for individuals in the EU. At the same time, non-UK based companies who are subject to the UK GDPR (i.e. EU companies processing data of UK citizens) must appoint a UK GDPR representative.

Another deviation from the EU GDPR is the appointment of the Information Commissioner, the leading data protection authority in the UK, as the leading supervisor and enforcer on UK GDPR – replacing the European Data Protection Board as the highest supervisory authority.

What does the EU-UK Brexit deal mean for transfers of personal data?

Now that a Brexit trade agreement has been reached, businesses can finally get more clarity on the position on EU-UK data transfers. While the UK was not granted ‘adequacy’ as many anticipated, the EU-UK Trade and Cooperation Agreement (the Agreement) does contain a bridging agreement that allows the continued free flow of personal data from the EU/EEA to the UK for up to 6 months after the end of the transition period.

This is particularly good news, especially considering the recent research that revealed the cost of having to put alternative transfer mechanisms in place could have cost UK businesses £1.6 billion. We recommend that during these 6 months, businesses work to put in place alternative transfer mechanisms to protect themselves against the potential disruption to the flow of data between the EU and the UK. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs).

When can we expect an adequacy decision?

The references to adequacy decisions for the UK do not absolutely guarantee that they will be conferred. After the 6-month period that the bridging mechanism will be in place for, we can either expect an adequacy decision to be taken or an extension of the bridging mechanism.

Does PECR still apply in the UK?

Since it’s a domestic UK law, the PECR (UK’s national implementation of the European ePrivacy Directive) continues to apply post-Brexit. The PECR covers the protection of personal data in relation to electronic communications, specifically cookies and online marketing communications.

What information does the UK GDPR apply to?

Just like the EU GDPR, the UK GDPR applies to ‘personal data’. This means any information relating to a natural person from which they can be identified, or could potentially be identified.

The GDPR clarifies that this applies whenever an individual can be identified, directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Of course, context is everything – for example, a name as common as John Smith is technically a piece of personal data, but it doesn’t help us to identify a unique individual since there are so many people with this name. However, when combined with other information such as an address or place of work, that piece of information becomes sensitive and helps to identify an individual. If you are unsure whether or not you are processing personal data, it’s best to err on the side of caution and comply with the principles of the GDPR.

What constitutes a GDPR breach?

Although cases are assessed individually, a personal data breach is defined within the GDPR as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Contrary to popular belief, a GDPR breach doesn’t solely happen because of a cyber-attack. Although a vulnerable network infrastructure does, too often, lead to data subjects’ personal data falling into the hands of cyber criminals, infringements of the GDPR also happen due to negligent behaviour of employees or poor data protection practices in the organisation more broadly. Breaches can occur as a result of a lack of training, a poor security system or a lack of controls over files and sensitive information. If an employee loses a device that contains the personal information of data subjects, this counts as a breach.

What are the penalties for a breach of the GDPR?

The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. Of course, not all infringements of the GDPR lead to a financial penalty. The UK’s ICO will determine the suitable penalty for a breach of the GDPR, which could be a warning, a temporary or permanent ban on data processing or a suspension of data transfers. It’s worth noting that the ICO has since clarified that it prefers to work with organisations to improve their practices rather than seeking maximum fines. However, since the GDPR states that all individuals whose data was used, lost, deleted or accessed unlawfully or accidentally must be made aware of the infringement, it isn’t only a financial penalty that organisations should be concerned about. In an age where trust in business is low, the reputational damage that a breach of the GDPR can cause is not something any growing organisation needs.

What are the GDPR consent requirements?

Consent is an issue that has, since the enforcement of the EU GDPR in 2018, been subject to many a debate and the centre of a string of data protection infringement cases. To be clear, the UK and EU GDPR both seek to uphold a high standard for consent. Although consent is just one of the 6 legal bases by which organisations can process data, consent is one of the easiest to satisfy. The other legal bases are:

  • Processing is necessary to satisfy a contract to which the data subject is a party.
  • You need to process the data to comply with a legal obligation.
  • You need to process the data to save somebody’s life.
  • Processing is necessary to perform a task in the public interest or to carry out some official function.
  • You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

An organisation must choose one legal basis and stick with it – which is why most opt for the basis of consent. In this case, consent cannot be assumed; it should be freely given and give people an easy and clear choice on how you use their data. You must be specific and granular when obtaining consent – for example, one tick-box for cookies doesn’t act as a blanket consent for all forms of data processing.

With regard to monitoring of behaviour, the ICO ruled that the only form of valid consent on websites is consent given prior to the initial tracking through cookie banners. Critically, pre-ticked boxes do not count as consent.

Do UK companies need to have an EU representative under Article 27?

If a UK company is processing the personal data of individuals in the EU and doesn’t have a presence in Europe (branch, subsidiary, office), then the answer is yes: it needs to appoint an EU representative. That representative can be a natural person or a legal entity, but the appointment must be put in writing in a document that sets out the terms of the relationship with the company processing the data. Details of the representative should also be clearly stated in the company’s privacy statement. You only need one representative for the whole of the EU, but they should be located in an area where the subjects’ data is being processed.

Is a company with fewer than 50 members of staff liable for fines if a breach of GDPR occurs?

While the National Information Security (NIS) Directive makes exemptions for fines on companies with fewer than 50 members of staff or a balance sheet smaller than €10m, the GDPR has no such exemptions. That said, fines under the GDPR are proportionate and intended not to hurt companies but rather to dissuade them from non-compliance.

How can 360 Business Law help?

Our data protection lawyers bring extensive experience in advising individuals, businesses and public bodies on compliance with the GDPR. Should you require support in any capacity, we are available to help your organisation ensure compliance with a full range of services tailored to your needs, including drafting of privacy statements, risk assessments, RoPAs and expert legal advice so you can meet the expectations of the GDPR. For all these services, we offer centralised and predictable billing so that you can focus on ensuring best practice without worrying about rising costs. Get in touch with our team via the online chat service or complete the form below and we’ll get back to you shortly to arrange a free consultation.

Don’t forget to catch our webinar on Article 27 for more information on your obligations moving forward.


Copyright © 2020 360 Business & Private Client Law Limited. All rights reserved.