1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The main pieces of legislation which govern data privacy in the United Kingdom are the General Data Protection Regulation (2016/679) (GDPR) and the Data Protection Act 2018 (DPA 2018).

The Privacy and Electronic Communications Regulations (PECR) address the use of personal data for electronic marketing and transpose the European ePrivacy Directive (2002/58/EC), until such time as the directly applicable proposed Regulation on Privacy and Electronic Communications is finalised.

However, as the United Kingdom left the European Union on 31 January 2020, it is currently in a transition period until 31 December 2020 and it remains to be seen how much future European legislation (including the proposed ePrivacy Regulation) will continue to apply.

Once the transition period is complete on 31 December 2020, amendments will be made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 to allow the GDPR and the DPA 2018 to remain effective and integrate fully with UK law (UK GDPR), although there will be some immediate minor adjustments, particularly with regard to international data transfers. At the time of writing, it is unclear how much divergence the UK GDPR will have from the GDPR over time, but companies doing business in Europe and the United Kingdom will need to comply with both regimes.

The main immediate question is whether the United Kingdom will secure an adequacy ruling from the European Commission which would allow data transfers to occur from the European Union to the United Kingdom without further safeguards. This is by no means a certainty, given the small number of countries which have achieved adequacy to date and the length of time (minimum two years) it takes to secure an adequacy ruling.

The US bulk data acquisition regime resulted in the EU-US Privacy Shield being invalidated recently as part of the Schrems II decision. The United Kingdom also engages in such activities, although there are stringent safeguards, as set out in the Investigatory Powers Act 2016. It remains to be seen whether the wide-ranging powers open to UK intelligence agencies will jeopardise a future adequacy ruling by the European Commission after the end of the transition period on 31 December 2020. A recent (at the time of writing) decision by the European Court of Justice ruled that national governments cannot force internet and phone companies to store information such as location data and metadata for reasons of crime prevention or national security. This could well threaten the United Kingdom's efforts to reach a deal with the European Union on data transfers. Even if the United Kingdom were granted adequacy status, privacy campaigners like Max Schrems may well bring a court case against it.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Financial services: A number of requirements are common to the GDPR and the financial services regulatory regime in the United Kingdom. As part of their regulatory obligations, financial services firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls, including data protection.

There is also a tension to be navigated and documented between data protection principles such as minimisation of data and financial services regulatory requirements to retain data for specified retention periods – particularly when such financial services regulations are not European in origin.

Cookies and marketing: The PECR sit alongside the DPA 2018 and the GDPR and give individuals specific privacy rights in relation to electronic communications.

The PECR cover the following areas:

  • electronic marketing, including marketing calls, texts, emails and faxes;
  • the use of cookies and similar technologies for the purposes of tracking information about people accessing a website or other electronic service;
  • the security of public electronic communications services; and
  • the privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg, caller identification and call return), and directory listings.

Law enforcement: Law enforcement is governed by Part III of the DPA 2018, which implemented the Law Enforcement Directive. The far-reaching nature of these provisions came as a surprise even to the UK government, when it was held that it had largely ignored the DPA 2018 when sharing data concerning the so-called ISIS Beatles (four British ISIS hostage executioners) and had so acted unlawfully. Intelligence agencies have their own more permissive bespoke regime for data processing, as set out in Part IV of the DPA 2018.

Marketing and advertising: While not a separate regime, the Data & Marketing Association has worked closely with the Information Commissioner's Office (ICO) to produce guidance tailored to the specific needs of the UK marketing industry, covering issues such as consent, legitimate interests and profiling. The ICO has also published guidance on the subject, which should be consulted in tandem with the Data & Marketing Association guidance.

Telecommunications: The PECR – which sit alongside the DPA 2018 and the GDPR and are derived from the European ePrivacy Directive – also set out specific rules relating to electronic communications such as marketing calls, cookies, security of communications services and privacy relating to traffic, location data, itemised billing, line identification and directory listings; and give rights to affected persons and companies.

Other specific European legislation applies to the telecommunications industry. The Telecommunications Framework Directive (2002/21/EC) requires telecommunications network and service providers to take appropriate security measures to ensure the security and integrity of telecoms networks.

The Network and Information Systems Regulations 2018 implement the EU Directive on Security of Network and Information Systems. As with the Telecommunications Framework Directive, the regulations require relevant organisations to secure networks by taking technical and organisational measures appropriate to the risk. In a similar vein to the GDPR, organisations must notify a regulator without undue delay and in any event within 72 hours in respect of a significant or substantial incident. The application of these regulations is wider than just telecoms and also covers critical infrastructure in general.

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 reflect the EU Telecoms Privacy Directive and permit monitoring of telecommunications systems for limited purposes, such as employee monitoring, provided that it is proportionate and subject to certain procedures.

There are also various pieces of UK legislation which apply to the telecommunications industry from a security and intelligence perspective. The Regulation of Investigatory Powers Act 2000 and its recent regulations govern the interception of communications, the carrying out of surveillance and intelligence gathering, and the use and disclosure of data by government agencies, including security and law enforcement services, in the interests of national security, prevention of serious crime and promotion of the economic wellbeing of the United Kingdom. The Investigatory Powers Act 2016 requires communication service providers to keep a record of the internet history of their subscribers for one year and to make it available for access by public bodies on the production of a warrant or if the data sought is in relation to a ‘serious crime’. The Police Act 1997 outlines the requirements for the consideration and authorisation of interference in respect of property and wireless telegraphy. The Intelligence Services Act 1994 governs the issue of warrants and authorisations enabling action to be taken by the intelligence services in relation to interference with property and wireless telegraphy.

Pharmaceuticals: Pharmaceutical businesses must consider the effects of the GDPR when processing data for medical research, pharmacovigilance and clinical trials.

The GDPR allows flexibility to process personal data where necessary for scientific research purposes, but additional safeguards must be applied if anonymous data is not being used. The GDPR also provides a limited exemption from the right of erasure of personal data for scientific research purposes, but this must be applied carefully.

EU pharmacovigilance legislation requires businesses to report adverse reactions and applies ‘without prejudice’ to the data protection rules; it further notes that ‘it should be possible’ to process personal data within pharmacovigilance reporting requirements while complying with the GDPR. The GDPR introduced a new legal ground for processing special categories of personal data, which may be helpful in the context of pharmacovigilance where the processing is necessary for reasons of public interest or health, but this is subject to various conditions.

The Clinical Trials Regulation (CTR) entered into force in 2014 and is expected to become applicable in 2020; it applies to the conduct of clinical trials throughout the European Union. The European Data Protection Board (EDPB) has clarified in an opinion that both the GDPR and the CTR apply at the same time; and that while the CTR contains specific data protection provisions, it does not permit derogation from or in any way reduce the requirement to comply with the GDPR.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

The Swiss-US Privacy Shield Framework provides a mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States. UK organisations can rely on this in instances where data is being controlled and/or processed in Switzerland and that data may be sub-processed and/or controlled in the United States.

The recent Schrems II decision of the Court of Justice of the European Union means that the European-US Privacy Shield Framework is no longer a valid means of transferring personal data to the United States.

Following the Schrems II decision, the Swiss Federal Data Protection and Information Commissioner (FDPIC) came to the conclusion that even if the Swiss-US Privacy Shield Framework guaranteed some rights to people in Switzerland, Privacy Shield did not offer an adequate level of protection as required by Swiss data protection law. While the framework technically remains legally valid, as the FDPIC is a data protection authority and not a decision-making body, this effectively means that the Swiss-US Privacy Shield Framework will not be used any more either.

The earliest time for new Standard Contractual Clauses is the end of 2020, as announced in a meeting of the European Parliament on the future of EU-U.S. Data Flows. The announcement states that the new Standard Contractual Clauses will tackle the main legacy issues with the current set, notably addressing Article 28 of the GDPR and also allowing for transfers between an EEA processor and a non-EEA processor.

The United Kingdom having left the European Union means that the United Kingdom may become subject to other bilateral and multilateral instruments in the future, although negotiation of these will take time.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

In the United Kingdom, the ICO is responsible for enforcing data privacy legislation. The purpose of this regulator (known as a supervisory authority under the GDPR) is to uphold information rights in the public interest and promote openness by public bodies and data privacy for individuals.

Under the GDPR, the ICO, as a supervisory authority, has the following investigatory powers:

  • to carry out investigations in the form of data protection audits;
  • to notify a controller or processor of an alleged infringement of the GDPR;
  • to obtain access to all personal data and information necessary for the performance of its tasks; and
  • to obtain access to any premises of the controller or processor, including accessing data processing equipment (eg, IT systems).

The GDPR also gives the ICO the following corrective powers:

  • to issue warnings/reprimands;
  • to order compliance;
  • to impose limitations or bans on processing;
  • to impose fines; and
  • to suspend data flows.

The ICO's power to fine operates at two levels: the higher maximum and the standard maximum. The higher maximum amount is €20 million (or the equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles or any rights that an individual may have under the GDPR, or in relation to any transfers of data to third countries.

Otherwise, if there is an infringement of other provisions, such as administrative requirements of the GDPR, the standard maximum amount will apply, which is €10 million (or the equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

The ICO states that any monetary penalty is paid into the Treasury's Consolidated Fund and is not kept by the ICO.

While it is this power to fine which has attracted the most publicity, the power to suspend data flows or ban processing could effectively shut down a business.

Another power that the ICO has used is to issue a public notice of intent to fine, rather than a fine, which arguably has an equivalent effect in publicity terms. The ICO did this in July 2019 in respect of British Airways for £183 million and Marriott Hotels for £99 million. These fines are still being appealed and seem to have been delayed by agreement between the parties.

At the start of October 2020, the ICO issued for public consultation an updated version of its statutory guidance on how the ICO will exercise its data protection regulatory functions of information notices, assessment notices, enforcement notices and penalty notices, under the DPA 2018.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Codes of conduct: The GDPR introduced the concept of codes of conduct and certification schemes, which encourage trade associations and other representative bodies to draw up best practice guides that identify and address data protection issues that are particularly important to their members. The codes of conduct are designed to give organisations sector-specific support in complying with the GDPR and to build public trust and confidence in the sector's ability to comply with data privacy laws.

The ICO provides support in drafting and will review any codes of conduct that are drawn up to assess whether they are appropriate tools. Codes of conduct also require a monitoring method and, for private or non-public authorities, a monitoring body to deliver them. Once the code is approved, organisations can then sign up to it and, if appropriate, establish a monitoring body to assess compliance. By signing up to a code of conduct, both controllers and processors can ensure that the GDPR is being applied effectively and by doing so, help to establish operational compliance for the sector.

These codes of conduct and certifications are clearly permissive rather than mandatory, but will be taken into consideration when the ICO is assessing an organisation for enforcement purposes. The ICO released guidance in February 2020 on codes of conduct and certification and announced that organisations can submit their proposals for scheme criteria for approval.

At the time of writing, there are no approved certification criteria or accredited certification bodies for issuing GDPR certifications, and no approved codes of conduct, although the United Kingdom Accreditation Service has been permitted by the European Data Protection Board (EDPB) to accredit certification bodies to deliver GDPR schemes using ICO-approved certification criteria. However, as the ICO will no longer be a supervisory authority under the GDPR, any codes of conduct approved by the ICO will no longer be recognised under the GDPR after the end of the Brexit transition period.

International Organisation for Standardisation (ISO): The ISO has published ISO 27701, a standard for demonstrating a level of data protection management which is designed to work alongside the GDPR. Organisations can be certified against it if they comply with its requirements, although this is not a certification for the purposes of the GDPR, as explained above.

Regulatory guidance: Apart from guidance issued by the ICO, the EDPB (known as the Article 29 Working Party prior to the GDPR) is the independent European working party of all the European supervisory authorities, which considers issues relating to the protection of privacy and personal data and publishes extensive guidance and opinions on a variety of specific data privacy areas, from automation and profiling to how to incorporate individual rights, privacy notices and territorial scope. The ICO is no longer a member following the exit of the United Kingdom from the European Union.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

As a general rule, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) apply to all organisations and entities that control and/or process personal data, although there are some specific exemptions which apply in certain limited circumstances. The GDPR and the DPA 2018 also do not apply to any personal or household processing of personal data that is wholly non-commercial, such as texting friends and family.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

Both the GDPR and the DPA 2018 set out limited exemptions; however, the Information Commissioner's Office (ICO) makes it clear that these should be relied upon only in specific circumstances. Where there is reliance on an exemption, organisations should justify its usage and document it in order to show compliance.

GDPR exemptions: The GDPR makes it possible for exemptions to be put in place by countries, including for reasons of national security, defence or public security, prevention of crime, judicial independence, breaches of ethics for regulated professions, protection of the data subject or the enforcement of civil law claims.

There are also a number of specific situations which may allow organisations to deviate from the GDPR, including:

  • freedom of expression and information;
  • public access to official documents;
  • processing of national identification numbers;
  • achievement of purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • obligations of secrecy; and
  • processing of personal data by churches and religious associations.

DPA 2018 exemptions: The DPA 2018 allows organisations in certain circumstances to deviate from data privacy regulations, including:

  • crime, law and public protection, including taxation, legal professional privilege and the right against self-incrimination, disclosure that is prohibited or restricted by existing rules, immigration, audit, functions designed to protect the public and functions of the Bank of England;
  • regulation, Parliament and the judiciary, including regulatory functions relating to legal services, the health service and children's services, parliamentary privilege, judicial appointments, independence and proceedings and crown honours, dignities and appointments;
  • journalism, research and archiving, including academia, art and literature, research and statistics and archiving in the public interest;
  • health, social work, education and child abuse, including health, education or social work data processed by a court or in an individual's best interests, to prevent serious harm or when restricting a right of access;
  • finance, management and negotiations, including processing in relation to corporate finance, management forecasts and negotiations;
  • references and exams, including confidential references, exam scripts and exam marks; and
  • subject access requests, including information about other people for the protection of the rights of others.

2.3 Does the data privacy regime have extra-territorial application?

The GDPR has extra-territorial application – it is intended to protect the personal data of people located in the European Union and therefore as a general rule applies to organisations that handle such data regardless of where they are based or where the processing takes place. The GDPR is also intended to hold organisations in the European Union to the same standards when handling personal data of people anywhere in the world, when such data is handled in the context of the organisations' establishments in the European Union.

The GDPR covers both organisations based in the European Union and those outside if the organisation offers goods or services to people located in the European Union or monitors the online behaviour of people located in the European Union. Importantly, this territorial scope test is not one of nationality, residency or tax status, as is the case with other legislation.

The UK GDPR has similar extra-territorial scope, which means that organisations both inside and outside the United Kingdom will find themselves subject to the UK GDPR as well as the GDPR if they process personal data of people located in the United Kingdom or offer goods or services to or monitor behaviour of people located in the United Kingdom.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the General Data Protection Regulation (GDPR)).

(b) Data processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

(c) Data controller

‘Controller’ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).

(d) Data subject

‘Data subject’ means an identifiable natural person.

(e) Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier – such as a name, an identification number, location data or an online identifier – or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).

(f) Sensitive personal data

Under the GDPR, special categories of data are subject to a higher threshold for protection. Article 9(1) of the GDPR defines ‘special category data’ as the following:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person's sex life; and
  • data concerning a person's sexual orientation.

(g) Consent

The ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

The GDPR also defines the following terms which form an important part of the UK data privacy regime:

  • ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • ‘Joint controller’ refers to two or more controllers that jointly determine the purposes and means of processing.
  • ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
  • ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
  • ‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question.
  • ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person – in particular, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

Individuals and/or organisations that determine the purpose for which personal data is processed (controllers) must pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt. Organisations that fail to register can face a maximum fine (at the time of writing) of £4,350. The ICO can send notices of its intent to fine organisations unless they pay.

4.2 What is the process for registration?

Organisations that are controllers register online via the ICO website, and registration must be renewed annually. Below is the list of tiers, at the time of writing, that an organisation can fall under based on its turnover and number of staff, which determines the associated registration fee:

  • Tier 1 – micro-organisations with a maximum turnover of £632,000 or no more than 10 members of staff: £40
  • Tier 2 – small and medium-sized enterprises with a maximum turnover of £36 million or no more than 250 members of staff: £60
  • Tier 3 – large organisations which do not meet the criteria of Tier 1 or 2: £2,900.

There is a £5 discount for payments made by direct debit.

The ICO's website should be consulted for the latest tariffs.

4.3 Is registered information publicly accessible?

The registered information is publicly accessible via the ICO website at https://ico.org.uk/ESDWebPages/Search.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

There are six lawful bases for processing personal data, set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever personal data is being processed:

  • Consent: The data subject has given clear unambiguous consent to allow the processing of personal data for a specific purpose.
  • Contract: The processing of the personal data is a necessary part of a contract with an individual or forms part of the specific steps before entering into a contract.
  • Legal obligation: The processing is necessary to comply with the law (this does not include contractual obligations).
  • Vital interests: The processing is necessary in order to protect someone's life.
  • Public task: The processing is necessary to perform a task in the public interest or for official functions, and the task or function in question has a clear basis in law.
  • Legitimate interests: The processing is necessary for legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests (this does not apply if a public authority is processing data to perform official tasks).

Special category data: The GDPR differentiates between personal data and special categories of data. Special category data is any personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, data concerning a person's sex life and data concerning a person's sexual orientation. Processing criminal offence data, while not special category data, is also subject to a higher threshold under the Data Protection Act 2018 (DPA 2018).

Organisations are prohibited from processing special category data, even if they have one of the Article 6 bases, unless it falls under an exception in Article 9 of the GDPR. The first five of the conditions for processing are provided solely in Article 9. The other five require authorisation or a basis in UK law, which means there are additional conditions set out in the DPA 2018 which should be considered.

Article 9 lists the exceptions for processing special category data:

  • explicit consent;
  • employment, social security and social protection (if authorised by law);
  • vital interests;
  • not-for-profit bodies;
  • made public by the data subject;
  • legal claims or judicial acts;
  • reasons of substantial public interest (with a basis in law);
  • health or social care (with a basis in law);
  • public health (with a basis in law); and
  • archiving, research and statistics (with a basis in law).

Clause 10 of the DPA 2018 deals with the processing of criminal convictions and requires an additional ground to be able to carry out the processing, as set out in Part 1, 2 or 3 of Schedule 1 of the DPA 2018. It is also usually necessary to have an appropriate policy document and a record of processing to record this. Some examples of grounds that may apply to processing criminal offence data are:

  • prevention or detection of unlawful acts;
  • protection of the public against dishonesty;
  • regulatory requirements relating to unlawful acts and dishonesty;
  • prevention of fraud; or
  • suspicion of terrorist financing or money laundering.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

The GDPR establishes six data protection principles in Article 5(1), together with the overarching accountability principle in Article 5(2), which all organisations must observe when dealing with personal data, as follows:

  • Lawfulness, fairness, and transparency: The processing of any personal data should be lawful and fair. Transparency requires that individuals whose data is being collected, used or processed in any way know the extent of this. This requirement also necessitates that information relating to the processing of those personal data can be easily understood and accessed.
  • Purpose limitation: Personal data should be collected for a specific, explicit and legitimate purpose, and this should be determined clearly at the point of collection. Furthermore, information may not be further processed in a manner that is incompatible with the initial purpose. However, further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered to be incompatible with the initial purposes.
  • Data minimisation: The processing of personal data should be limited to what is necessary in relation to the purpose for which it is processed. Part of fulfilling this is by ensuring that there was no other way of fulfilling the purpose for which the personal data was processed, and that the period for which the personal data is stored is limited to a strict minimum.
  • Accuracy: Controllers must ensure that personal data is accurate and, where necessary, kept up to date, and must take every reasonable step to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Controllers also have an important role in recording how the information was collected or received and the source of that information.
  • Storage limitation: Personal data which allows data subjects to be identified should be kept only for as long as necessary. Careful attention should be paid to ensure that controllers are not keeping personal data longer than the purpose requires. Controllers should periodically review the personal data they hold to ensure that they are not retaining more than is necessary.
  • Integrity and confidentiality: Personal data should be processed in a manner that appropriately safeguards it against unauthorised or unlawful processing and against accidental loss, destruction or damage. Organisations should ensure that appropriate technical and organisational measures are in place to achieve this.
  • Accountability: Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the ICO.

The threshold for compliance with each of the principles is heightened when dealing with special categories of data.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

Documentation and accountability: The GDPR requires that controllers and processors document their processing activities as a means of illustrating compliance with data privacy requirements. This can also help organisations to monitor and improve their data governance, and be a first step to responding to any request or investigation by the ICO. The key documentation requirements are as follows:

  • privacy notices to data subjects as required by the GDPR;
  • a data protection policy explaining how the organisation processes personal data;
  • an appropriate policy document as required by the DPA 2018;
  • a record of processing as required by the GDPR, which must be produced to the ICO upon demand;
  • data protection impact assessments for higher risk processing;
  • legitimate interest assessments when relying on legitimate interests as a lawful basis; and
  • training materials and records of training.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Contractual requirements for controllers and processors: Whenever a controller uses a processor, there is a requirement that a written agreement be in place. This is so that a controller can satisfy itself that the processor implements appropriate safeguards to protect personal data, as required by the General Data Protection Regulation (GDPR).

The contract should set out the following processing details:

  • the subject matter of the processing;
  • the duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data involved;
  • the categories of data subject; and
  • the controller's obligations and rights.

The processor agreement between a controller and a processor must also include the obligations prescribed by Article 28 of the GDPR. These are usually heavily negotiated: a processor's view of compliance will differ markedly from a controller's, with many commercial nuances reflected in their respective drafts. The obligations to address in a processor agreement are as follows:

  • Unless required by law, the processor must act only on the controller's documented instructions, including regarding the transfer of data to countries outside the European Economic Area (EEA).
  • The processor must ensure that the individuals processing the data are bound by confidentiality.
  • The processor must take suitable steps to ensure the security of processing.
  • Sub-processors can only be engaged by the processor with the controller's prior authorisation and under a written contract which flows down the same data protection obligations and the processor must retain liability for its sub-processors.
  • The processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights.
  • Based on the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
  • At the controller's choice, the processor must delete or return all personal data to the controller at the end of the contract; and unless the law requires its storage, the processor must also delete any existing copies of the personal data.
  • The processor must submit to audits and inspections by the controller and its auditors. The processor must also give the controller whatever information it needs to demonstrate that it can meet its data privacy obligations.

Requirements for controllers: Whenever a controller shares data with another controller, it is either as joint controllers engaging in a shared endeavour or as independent controllers processing the same personal data for different purposes.

The GDPR requires that certain issues be dealt with between joint controllers, which may be by a contract or a joint privacy notice, particularly as regards which controller is responsible for issuing the privacy notice and responding to data subject requests.

There is no requirement for independent controllers to address particular points in a contract, but it is good practice to do so, to address compliance with data protection law, notification of personal data breaches and cooperation for the purposes of responding to the Information Commissioner's Office (ICO) and data subject requests.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Under the UK data protection regime there are several ways that data can be transferred abroad:

Article 45 of the GDPR – transfers on the basis of an adequacy decision: There are a number of countries outside the European Economic Area in respect of which the European Commission has issued an adequacy decision, meaning that the European Commission is satisfied that these third countries or international organisations offer an adequate level of data protection, so that transfers can be made to them without further safeguards. Countries for which adequacy decisions have been issued include Andorra, Argentina, Canada (for commercial organisations), Guernsey, Jersey and the Isle of Man, Switzerland, Israel, the Faroe Islands, New Zealand, Uruguay and Japan.

The UK government has confirmed that countries deemed adequate by the European Commission will continue to be adequate for transfers from the United Kingdom under the UK GDPR after the end of the transition period following the exit of the United Kingdom from the European Union.

The main immediate question is whether the United Kingdom will secure an adequacy ruling by the European Commission which would allow data transfers to occur from the European Union to the United Kingdom without further safeguards. This is by no means a certainty, given the small number of countries which have achieved adequacy to date and the length of time (minimum two years) it takes to secure an adequacy decision.

The US bulk data acquisition regime resulted in the EU-US Privacy Shield being invalidated recently as part of the Schrems II decision. The United Kingdom also engages in such activity, although there are stringent safeguards, as set out in the Investigatory Powers Act 2016. It remains to be seen whether the wide-ranging powers open to UK intelligence agencies will jeopardise a future adequacy ruling by the European Commission after the end of the transition period on 31 December 2020.

Transfers subject to appropriate safeguards: If a country is not subject to an adequacy decision, then the GDPR requires that an organisation use one of the following safeguards.

Standard contractual clauses: This is the most common and widely used alternative legal basis to an adequacy decision. These are model clauses which have been approved by the European Commission and allow personal data to be transferred when embedded within a contract. The clauses impose contractual obligations on both the data exporter and the data importer and set out the rights of the individuals whose personal data is transferred. Data subjects can directly enforce those rights against the data importer and the data exporter. There are different variants for transfers between a controller and a processor and between a controller and a controller. The European Commission has advised the European Data Protection Board (EDPB) that it is looking to update the existing standard contractual clauses, which are based on EU Directive 95/46/EC and pre-date the GDPR. Until then, UK and EU-based data controllers can still enter into these model clauses.

The earliest time for new Standard Contractual Clauses is the end of 2020, as announced in a meeting of the European Parliament on the future of EU-U.S. Data Flows. The announcement states that the new Standard Contractual Clauses will tackle the main legacy issues with the current set, notably addressing Article 28 of the GDPR and also allowing for transfers between an EEA processor and a non-EEA processor. This will likely lead to further complications when negotiating data protection agreements.

Applying the standard contractual clauses in an effective way is not always easy, as the standard contractual clauses pre-date the extra-territorial effect of the GDPR and do not cater well for non-linear data flows or chains of sub-processors.

The situation is complicated further after the end of the transition period following the exit of the United Kingdom from the European Union, as if the United Kingdom does not secure an adequacy ruling, it will be considered a third country and standard contractual clauses would need to be entered into in order to cover transfers from Europe to the United Kingdom.

Binding corporate rules (BCRs): These are legally binding codes of conduct operating within multinational group companies and apply in instances of transfers of personal data from one group entity based in the EEA to another group entity outside the EEA. The group may be a group of undertakings or a corporate group – for example, franchises or joint ventures. The terms within BCRs are approved by the competent data protection authority, which is the ICO in the United Kingdom. Two types of BCRs can be approved:

  • BCRs for controllers, which are used by the group entity to transfer data that it has responsibility for, such as employee or supplier data; and
  • BCRs for processors which are used by entities acting as processors for other controllers and are normally added as an addendum to the service level agreement or processor contract.

Article 47 of the GDPR goes into further detail in relation to BCRs.

Again, this is complicated by the exit of the United Kingdom from the European Union, as multinational companies whose BCRs were approved by the ICO will have to switch to a new lead authority in the European Union, meaning very long backlogs.

Approved codes of conduct: Restricted transfers can be made if the receiver has signed up to a code of conduct, which has been approved by the ICO. The GDPR endorses the use of approved codes of conduct to demonstrate compliance with its requirements. The code of conduct must include safeguards to protect the rights of individuals whose personal data is transferred and which can be directly enforced. This is a new option under the GDPR and as at the time of writing there have not yet been any approved codes of conduct.

Contractual clauses authorised by the ICO: Restricted transfers can be made if the receiver has entered into a bespoke contract governing a specific restricted transfer which has been individually authorised by the ICO. Where the United Kingdom is the exporter of data, the ICO will have had to have approved the contract. At present the ICO is not authorising any such bespoke contracts until guidance has been produced by the EDPB.

A legally binding and enforceable instrument between public authorities or bodies: Restricted transfer between two public authorities or bodies using a legal instrument provides ‘appropriate safeguards' for the rights of the individuals whose personal data is being transferred, and is legally binding and enforceable. The ‘appropriate safeguards' must include enforceable rights and effective remedies for the individuals whose personal data is transferred. If a public authority or body does not have the power to enter into legally binding and enforceable instruments, it may consider an administrative arrangement which includes enforceable and effective individual rights.

Approved certification mechanisms: Restricted transfers can be made if the receiver has certification under a scheme approved by the ICO. The certification scheme must include appropriate safeguards to protect the rights of individuals whose personal data is being transferred and which can be directly enforced. The GDPR also endorses the use of approved certification mechanisms to demonstrate compliance with its requirements. This option is newly introduced by the GDPR and at the time of writing no approved certification schemes are as yet in use.

Article 49 – Derogations for specific situations: Derogations under Article 49 provide exemptions from the general principle that personal data may be transferred to a third country only if an adequate level of protection is provided for in that third country. A data exporter should first try to do so through one of the approved mechanisms; it is only when there is no appropriate mechanism that the Article 49 derogations may be relied upon. These derogations or exceptions allow transfers in specific situations, such as:

  • based on consent;
  • for the performance or conclusion of a contract;
  • for the exercise of legal claims;
  • to protect the vital interests of the data subject where he or she cannot give consent; or
  • for important reasons of public interest.

The EDPB has documented guidance on these derogations, which should be consulted before seeking to rely on these, as they apply only in very limited scenarios.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

When transferring data both nationally and internationally, measures should be carefully considered and implemented to reduce any risk to personal data. Pseudonymisation and encryption are both effective ways of reducing the harm if data falls into the wrong hands, and both are named in the GDPR (Articles 4(5) and 32) as examples of appropriate technical measures.

Pseudonymisation replaces the directly identifying fields in a dataset with artificial identifiers (tokens), with the information needed to reverse the substitution held separately and protected. Although this is a key feature in protecting data and has been emphasised in the GDPR, pseudonymised data remains personal data, and pseudonymisation alone does not prevent unauthorised access: anyone holding the shared dataset can still read the non-identifying fields, and the tokens can be reversed by anyone who obtains the separately held key or mapping, or who can guess the original identifiers if the tokens were derived from them without a secret. Encryption is different in kind: it renders the whole dataset unintelligible to anyone without the decryption key, so only authorised key holders can access it. The strength of both measures therefore depends on how the keys are generated, stored and kept apart from the data.
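The following added example (not part of the original guide) makes the distinction above concrete in Python. It pseudonymises a small constructed, fictitious dataset in two ways: with an unkeyed SHA-256 hash of the identifier, and with an HMAC under a secret key whose re-identification table is returned separately. It then runs the same dictionary attack against both outputs to show that the unkeyed tokens are reversible by anyone who can enumerate plausible identifiers, while the keyed tokens are only reversible by whoever holds the key or the lookup table. The record fields, candidate list and function names are assumptions for illustration; encryption of the payload itself is not shown, as it would need an AEAD cipher from a library such as cryptography rather than the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed, fictitious sample records standing in for a dataset that is
# about to be shared with a third party. The e-mail address is the direct
# identifier; the remaining fields are the payload the recipient needs.
RECORDS = [
    {"email": "alice@example.com", "postcode_area": "SW1", "diagnosis": "asthma"},
    {"email": "bob@example.org", "postcode_area": "M1", "diagnosis": "diabetes"},
    {"email": "carol@example.net", "postcode_area": "EH1", "diagnosis": "migraine"},
]

IDENTIFIER = "email"


def _strip_identifier(rec):
    """Return a copy of the record without the direct identifier."""
    return {k: v for k, v in rec.items() if k != IDENTIFIER}


def naive_pseudonymise(records):
    """Replace the identifier with an unkeyed SHA-256 hash of it.

    Looks pseudonymised, but anyone who can enumerate plausible identifiers
    (a customer list, a leaked address book) can rebuild the mapping.
    """
    out = []
    for rec in records:
        token = hashlib.sha256(rec[IDENTIFIER].encode()).hexdigest()
        out.append({"id": token, **_strip_identifier(rec)})
    return out


def reidentify_by_dictionary(pseudonymised, candidate_identifiers):
    """Attacker's view: hash every candidate identifier and match tokens."""
    table = {hashlib.sha256(c.encode()).hexdigest(): c for c in candidate_identifiers}
    return {rec["id"]: table[rec["id"]] for rec in pseudonymised if rec["id"] in table}


def keyed_pseudonymise(records, key):
    """Replace the identifier with HMAC-SHA256(key, identifier).

    Returns the shareable dataset and, separately, the re-identification
    table (token -> identifier). That table, and the key, are the
    'additional information' which GDPR Article 4(5) requires to be kept
    apart from the shared data under technical and organisational measures.
    """
    shared, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec[IDENTIFIER].encode(), hashlib.sha256).hexdigest()
        lookup[token] = rec[IDENTIFIER]
        shared.append({"id": token, **_strip_identifier(rec)})
    return shared, lookup


def reidentify_with_key(pseudonymised, candidate_identifiers, key):
    """Same dictionary attack against keyed tokens; succeeds only with the right key."""
    table = {
        hmac.new(key, c.encode(), hashlib.sha256).hexdigest(): c
        for c in candidate_identifiers
    }
    return {rec["id"]: table[rec["id"]] for rec in pseudonymised if rec["id"] in table}


def demo():
    """Run both schemes and return (naive hits, wrong-key hits, controller hits)."""
    # An attacker's guess list: the real identifiers plus one that is not in the data.
    candidates = [r[IDENTIFIER] for r in RECORDS] + ["dave@example.com"]

    naive = naive_pseudonymise(RECORDS)
    naive_hits = len(reidentify_by_dictionary(naive, candidates))  # every record recovered

    key = secrets.token_bytes(32)
    shared, lookup = keyed_pseudonymise(RECORDS, key)
    # Attacker with the same guess list but without the key gets nothing.
    wrong_key_hits = len(reidentify_with_key(shared, candidates, secrets.token_bytes(32)))
    # The controller, holding the separately stored table, can still re-identify.
    controller_hits = sum(1 for rec in shared if rec["id"] in lookup)
    return naive_hits, wrong_key_hits, controller_hits


if __name__ == "__main__":
    print(demo())
```

Note that the keyed scheme is only as strong as the separation it relies on: if the key or the lookup table travels with the dataset, the recipient is back in the position of the naive case. Where the recipient has no legitimate need ever to re-identify, a random per-record token with the mapping held only by the controller removes the dictionary attack entirely.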

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Data subjects have a significant number of rights under the General Data Protection Regulation (GDPR). It is worth bearing in mind that these are not absolute rights and a number of qualifications and exemptions apply which should be considered carefully when responding:

  • Right to be informed: Individuals have the right to be informed about when their personal data is being collected and why. This is a key aspect of fulfilling transparency.
  • Right of access: Individuals have a right to ask to see the information that is held on them. These requests can be made either orally or in writing, and organisations must respond within one month of receiving the request. Organisations cannot normally charge individuals to fulfil this request.
  • Right to rectification: Individuals have the right to have their personal data corrected if it is inaccurate or completed if it is incomplete. Individuals can make a request for rectification orally or in writing, and organisations must respond within one month of receiving the request. There are some limited instances in which a request for rectification can be refused.
  • Right to erasure (the 'right to be forgotten'): Individuals can ask for their information to be erased. Individuals can make a request for erasure orally or in writing, and organisations must respond within one month of receiving the request. It is important to remember that this right is not absolute and applies only in limited circumstances.
  • Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and applies only in certain circumstances. When processing is restricted, the controller is permitted to store the personal data, but not otherwise use it.
  • Right to data portability: This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows personal data to be easily copied from one IT environment to another, enabling individuals to take advantage of applications and services that can use this data to find them better deals or understand their spending habits. This right applies only to information that an individual has provided to a controller, where the processing is carried out by automated means on the basis of consent or contract. Some organisations in the United Kingdom already offer data portability through industry initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
  • Right to object (including to direct marketing): Under the GDPR, individuals have an absolute right to stop their data being used for direct marketing; the right to object to other processing (for example, processing based on legitimate interests) is qualified. Individuals can object orally or in writing, and organisations must respond within one month of receiving the objection.
  • Rights in relation to automated decision making and profiling: Automated individual decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual) are covered by the GDPR. Profiling can be part of an automated decision-making process. The GDPR has additional rules to protect individuals where an organisation is carrying out solely automated decision making that has legal or similarly significant effects on them. Organisations must identify whether their processing falls under Article 22 and, if so, individuals must be informed about the processing. Organisations that use such methods should build in ways for the individual to question the decision, express their point of view and request human intervention.

Some limited exemptions apply to some of these rights, further details of which can be found in the Data Protection Act 2018, as summarised in the response to question 2.2 and that should be carefully considered by a controller responding to a data subject request.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

There are no formal requirements or barriers to exercising data subject rights, so it is important for an organisation to train its staff on recognising data subject requests as the clock starts ticking on the timeline for responding to a request (generally a month; but there are specific rules on calculating time periods which should be considered).

Organisations should include in their privacy notice the contact details of their data protection officer or the relevant person or team responsible for data protection matters, to encourage data subjects to contact that person; but a data subject can contact anyone at an organisation and need not mention that he or she is exercising his or her rights under the GDPR or data protection laws in order to make an effective data subject request.

7.3 What remedies are available to data subjects in case of breach of their rights?

Data subjects can complain to the Information Commissioner's Office (which may then investigate and/or fine the organisation).

Data subjects also have a right to claim compensation through the courts in instances where they have suffered material or non-material damage due to a GDPR infringement. Compensation can be claimed from both controllers and processors.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

The appointment of a data protection officer (DPO) is mandatory in the following circumstances:

  • the processing is being carried out by a public authority or body, except for courts;
  • the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or processor consist of processing special categories of data on a large scale, or data relating to criminal convictions or offences.

There is guidance which expands on these triggers. Otherwise, an organisation can voluntarily choose to appoint a DPO; but it is important to bear in mind that all obligations, powers and responsibilities of a mandatorily appointed DPO then apply to the voluntarily appointed DPO.

If an organisation does not appoint a DPO, whether mandatorily or voluntarily, it still needs to ensure that appropriate staff are responsible for and report on data protection matters.

8.2 What qualifications or other criteria must the data protection officer meet?

The DPO must be independent, an expert in data protection and sufficiently resourced, and report to the highest level of management.

8.3 What are the key responsibilities of the data protection officer?

The key responsibilities of the DPO under the GDPR are to:

  • inform and advise the organisation and its employees about data protection laws and their obligations under them;
  • monitor the organisation's compliance with data protection laws, ensuring that company policies and procedures, where relevant, are compliant;
  • advise on, and monitor the performance of, data protection impact assessments;
  • be the first point of contact for the Information Commissioner's Office (ICO) and cooperate with the ICO; and
  • be the first point of contact internally for any data protection issues.

A DPO must be mindful of high-risk processing of personal data, including instances where special categories of data are being processed. In instances where the DPO's advice is not followed, the organisation should clearly document the reasons for not doing so.

A DPO can be responsible for other tasks; however, tasks should not conflict with what is required as a DPO by virtue of a tension which can sometimes exist between an organisation's aims and its data protection obligations. For this reason, the DPO is not usually the organisation's lawyer and is more likely to sit in the compliance or operations teams.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

The role of a DPO can be outsourced to an external organisation, as long as the externally appointed DPO has the same tasks and duties as that of an internally appointed DPO and is easily accessible to employees, the ICO and data subjects.

It is also possible to appoint a DPO to act for a group of companies or public authorities. In doing so, it is important that the organisation can determine whether the shared DPO has the resources to realistically carry out its role in both organisations.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Documenting is the principal way that organisations can fulfil the principle of accountability required by the GDPR. There are several specified areas in which records must be maintained, such as the purposes of processing personal data, data sharing and retention.

Some examples of key documentation that is typically required include:

  • privacy notices to data subjects as required by the GDPR;
  • a data protection policy explaining how the organisation processes personal data;
  • an appropriate policy document as required by the Data Protection Act 2018;
  • a record of processing as required by the GDPR, which must be produced to the ICO upon demand;
  • data protection impact assessments for higher-risk processing;
  • legitimate interest assessments when relying on legitimate interests as a lawful basis; and
  • training materials and records of training.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

When processing personal data, individuals whom it concerns must be informed why their information is needed, what will be done with it and who will have access to it. This information must be provided in a manner that can be easily understood by the intended audience, and there is detailed guidance on formatting, tone and style which should be taken into consideration.

The best way to relay this information may be in written form in a document called a privacy notice, which as a general rule should be provided to data subjects at the point in which the data is collected from them, although there are qualifications to this which need to be carefully considered. The privacy notice must be tailored to the organisation's data protection practices and operations, and the ICO considers very negatively copying and pasting wholesale of privacy notices among organisations. Privacy notices must contain:

  • the contact details of the controller;
  • the contact details of a data protection officer or person responsible for data protection related matters;
  • the purpose(s) of the processing and the lawful basis for the processing;
  • if there is reliance on legitimate interest, details of what that is;
  • details of any other recipient of the data;
  • information concerning transfers to third countries or international organisations, if applicable, and the safeguards relied upon;
  • the retention period for the information;
  • the existence of data subject rights;
  • where processing is based on consent, an explanation that data subjects can withdraw consent at any time, without affecting what was processed based on the consent prior to withdrawal;
  • an explanation of the right to lodge a complaint with the ICO;
  • whether providing personal data is a statutory or contractual requirement and, if applicable, the consequences of failure to provide the personal data;
  • whether the personal data will be subject to any automated decision-making processes that will be applied to the data, including profiling, and how decisions are made based on that; and
  • if the purpose of why the data was collected changes, advance notice of this change and any other information required.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

One of the key principles of the General Data Protection Regulation (GDPR) is to ensure that personal data is processed securely, which requires organisations to put in place ‘appropriate technical and organisational measures' to ensure that personal data held is not compromised or damaged, and/or does not fall into the wrong hands.

Article 32 of the GDPR sets out what is expected for the security of processing and requires organisations, at the time of implementation and throughout the processing, to take into account:

  • the state of the art;
  • the cost of implementation;
  • the nature, scope, context and purposes of processing; and
  • the risks, of varying likelihood and severity, to the rights and freedoms of individuals, so that the level of security is appropriate to that risk.

Security covers not only network and information system security, but also physical and organisational security measures.

Contracts between controllers and processors and between controllers should describe the technical and organisational measures which are implemented, and these should be evaluated by controllers as part of due diligence.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

All organisations have a duty to report personal data breaches to the Information Commissioner's Office (ICO), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons – for example, because the data is encrypted with a key that has not itself been compromised, or is otherwise inaccessible to the unauthorised party. This must be done within 72 hours of the organisation becoming aware of the breach. There is detailed guidance on when an organisation is deemed to be aware for this purpose. If notification is not made within 72 hours, it must be accompanied by the reasons for the delay.

When reporting a breach, the GDPR requires the following information to be provided to the ICO:

  • a description of the nature of the personal data breach, including:
    • where possible, the categories and approximate number of individuals concerned; and
    • where possible, the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (DPO) (if there is one) or other appropriate contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken or to be taken to deal with the personal data breach; this may also include measures taken to mitigate any possible adverse effects.

It is accepted that it will not always be feasible to know all details surrounding a breach within 72 hours of becoming aware of it. The GDPR allows notification to occur in stages; however, controllers must prioritise the investigation and it is best practice to provide a reason for the delay and when information will likely be provided in full.

Breaches can be reported via the ICO website at https://ico.org.uk/for-organisations/report-a-breach/. Part of the form for reporting a personal data breach requires the organisation to confirm whether the relevant individuals at the organisation have been trained on data protection and when that took place, emphasising the importance of training as a mitigant when the ICO is considering any enforcement.

In general, since the GDPR came into force, organisations have vastly over-reported incidents which may not necessarily qualify as reportable personal data breaches, so it is important to consider carefully whether an incident necessitates being reported. Reporting in error could lead to unintended consequences if the ICO were to investigate. Organisations should maintain a register of data security incidents, including recording when an incident is not reported as well as when it is.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Where a breach will likely result in a high risk to the rights and freedoms of individuals, under the GDPR those concerned must be notified directly without undue delay. This takes precedence over notifying the ICO. An assessment will need to be made in relation to both the severity of the impact on individuals as a result of the breach and the likelihood of this occurring. It is important to notify individuals to allow them to take the necessary steps to protect themselves from the consequences of the breach.

It is important to inform individuals of the nature of the personal data breach in plain, clear and unambiguous language. It is also important to inform them of the following (this is not an exhaustive list, but an indication of what should be included at the most basic level):

  • details of the DPO where applicable, or another relevant contact who can provide information about the breach or other related queries;
  • a description of the likely consequences of the personal data breach; and
  • an explanation of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Internal procedures: Under Article 35(5) of the GDPR, it is important that organisations have in place mechanisms, procedures and processes that can detect when a breach has occurred, and ensure that a full record is kept internally, irrespective of whether the ICO had to be notified or whether the issue was resolved. This is an important part of ensuring that the principle of accountability is being fulfilled and also allows the ICO to verify an organisation's compliance with its notification duties under the GDPR.

Organisations should always conduct a thorough investigation into the cause of the breach and the steps that need to be taken internally and/or externally to ensure that a given breach does not recur. This may include, for example, resolving systemic issues and providing further training to staff.

It is also recommended that organisations, as part of their day-to-day operation and management, have in place an appropriate risk matrix to help manage breaches. This will help to assess the impact of breaches and meet reporting and recording requirements. This will provide a basis for breach policy and help to demonstrate accountability as a controller.

Other considerations: Depending on the industry or sector of operation, there may be additional obligations in the event of a data breach. It is important to be mindful of what these might be. They include the following:

  • Communications service providers must notify the ICO of any personal data breach within 24 hours under the Privacy and Electronic Communications Regulations (PECR). The PECR breach notification form must be used, rather than the GDPR process.
  • UK trust service providers must notify the ICO of a security breach, which may include a personal data breach, within 24 hours under the Electronic Identification and Trust Services (eIDAS) Regulation. The eIDAS breach notification form or the GDPR breach-reporting process can be used to report the incident(s). However, if reporting under the GDPR, this must be done within 24 hours.
  • An operator of essential services or a digital service provider will have incident-reporting obligations under the EU Directive on Security of Network and Information Systems. These are separate from personal data breach notifications under the GDPR. If the incident is also a personal data breach, a report to the ICO will need to be made separately using the GDPR process.
  • Organisations should consider notifying third parties such as the police, insurers, professional bodies, banks and credit card companies, which can help to reduce the risk of financial loss to individuals.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

The UK government and UK law state that employers must keep employees' personal data safe, secure and up to date.

Employers are permitted to keep the following data about their employees without their permission:

  • name and address;
  • date of birth and sex;
  • education and qualifications;
  • work experience;
  • National Insurance number and tax code;
  • emergency contact details;
  • employment history with the organisation;
  • employment terms and conditions (eg, pay, hours of work, holidays, benefits, absence);
  • any accidents connected with work;
  • any training taken; and
  • any disciplinary action.

However, employers still need a lawful basis and an exception under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018) to handle certain types of ‘sensitive’ data (known as special categories of data under the GDPR), including race and ethnicity, religion, political membership or opinions, trade union membership, genetics, biometrics used for identification purposes (eg, iris scanning or fingerprints to access secure rooms or laptops), health and medical conditions, and sexual history or orientation. Employers must keep sensitive data more securely than other types of data.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

As a general rule, surveillance of employees is not banned outright, but it is considered high-risk processing and will be subject to a high degree of data protection scrutiny before it should be put in place. Workplace surveillance may include installing closed-circuit television, monitoring work emails, reviewing and analysing phone records, scrutinising social media presence and monitoring browsing history or keystrokes. New surveillance software offers employers functionality to track and monitor productivity, which should be adopted cautiously, especially if employees are working from home. These different types of surveillance each require their own kind of assessment under UK data privacy regulations.

In the United Kingdom, there is a general right to privacy in the workplace. The Regulation of Investigatory Powers Act, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations, the GDPR and the DPA 2018 all cover monitoring and surveillance. These regulations also apply alongside employment law, internet law and the Human Rights Act. Both the Information Commissioner's Office (ICO) and European data protection regulators have issued guidance on surveillance and monitoring in the workplace, which should be carefully reviewed and applied to organisations' particular situations.

Employers must also take note of the following when processing employee data:

  • Transparency: Employers should always inform employees that they may be subject to workplace monitoring. Monitoring without giving notice is permitted only in exceptional circumstances – for example, in instances in which an employer suspects criminal behaviour and informing the individual would adversely impact the investigation.
  • Consent: For most data processing at work, the legal basis cannot be employee consent. This is because of the nature of the relationship between employer and employee. If an employer says it requires consent and there is a real or potential relevant prejudice that arises from the employee not consenting (which is highly likely in the employment context, particularly in relation to the employer tracking the behaviour of the employee over time), then the consent is not valid, since it cannot be freely given.
  • Legal basis: If an employer seeks to rely on legitimate interest for the processing, the interest must be genuinely legitimate and fully documented as such, considering the method or specific technology, proportionality and less privacy-intrusive options (eg, monitoring only public areas, such as break rooms, but not bathrooms; or sampling instead of continuous monitoring).
  • Security: Appropriate technical and organisational measures should be adopted to ensure security of the processing.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The GDPR introduced further obligations for all controllers, including employers. Article 25 of the GDPR requires controllers to implement data protection measures in their organisations by both design and default.

Data protection by design: Data protection by design ensures that privacy and data protection issues are considered at the design phase of any system, service, product or process, and throughout the lifecycle of any of these things. Below are a number of requirements the GDPR sets out in relation to data privacy by design:

  • Put in place technical and organisational measures that are designed to effectively implement the data protection principles; and
  • Integrate safeguards into processing so that GDPR requirements are met and data subject rights are protected.

Examples might include:

  • developing new and appropriate IT systems, services, products and processes that involve processing personal data; and
  • implementing organisational policies, processes, business practices and/or strategies that have privacy implications.

Essentially, privacy by design aims to integrate and embed data protection within processing activities and business practices.

Data protection by default: Data protection by default requires that only data that is necessary to achieve the specific purpose is processed. This ties in with the data protection principles of data minimisation and purpose limitation.

Personal data must be processed to achieve the specific purpose(s). Data protection by default requires that:

  • the purpose of processing be specified before the processing starts;
  • individuals be appropriately informed; and
  • only the data required for the specific purpose be processed.

Data protection impact assessments: The GDPR requires that controllers carry out data protection impact assessments (DPIAs) to help identify and minimise data protection risks of higher-risk processing of personal data. The ICO and the European regulators have published detailed guidance explaining when processing might be considered higher risk and organisations should maintain records evidencing whether processing activities qualify as higher risk, by way of a screening checklist or similar.

DPIAs must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

The data protection officer (if applicable) should be consulted and, where appropriate, individuals and relevant experts. Any processors may also need to assist in completing DPIAs, which should be possible as a correctly negotiated contract with a processor which is compliant with the GDPR will require the processor's assistance.

Implementation of the mitigants recommended in DPIAs – such as data minimisation, deletion, security measures and privacy notices – is key to compliance, as, if a high risk remains once the DPIA is complete, the ICO must be consulted before the processing commences.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

The Privacy and Electronic Communications Regulations (PECR) cover the rules on cookies and set out the following basic rules:

  • Tell people if there are cookies on a webpage;
  • Explain the purpose of the cookies: what they are doing and why; and
  • Ensure that users consent to storing a cookie on their device.

If this is done the first time a cookie is set, this need not be repeated each time the same person visits the website; but fresh consent will need to be obtained if the use of cookies changes.

The PECR rules also cover the use of online identifiers and are therefore not restricted to cookies, but also include tags, beacons, pixels and other identifiers. The rules on cookies apply to the collection of all types of information from a terminal device and are not restricted to personal data alone. This means that the collection of what may be considered relatively benign information – such as analytics or crash data that is typically used by service providers for product improvement – requires consent even though no personal data is being collected. This is of particular relevance to connected devices/Internet of Things devices, as well as participants in the adtech ecosphere.

The Information Commissioner's Office (ICO) has produced detailed guidance on cookies and the techniques and methods that are considered lawful in order to obtain valid consent. This clarifies that ‘accept’ and ‘decline’ buttons should be of equal prominence, and that the use of nudge techniques to elicit consent is not acceptable.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

The ICO has published guidance on data protection and cloud computing, emphasising that controllers should keep a clear record of the data they intend to move to the cloud and retain control over what the cloud service provider does with that data. This requires careful review and negotiation of the contract, as cloud service providers often use data for their own commercial purposes.

Depending on what data is being moved to the cloud and what the use cases are, a data protection impact assessment (DPIA) should be conducted and the organisation's privacy notice should be revisited to ensure that they adequately explain the cloud arrangement to the data subjects.

The ICO specifies that a GDPR-compliant contract should be negotiated with cloud service providers. This can often prove problematic, as cloud service providers typically take the view that they provide a standardised contract for their many customers and so cannot comply with the prescriptive terms of the GDPR in the way that a controller requires – in particular, with regard to assisting with security measures, data subject access requests and DPIAs, as well as imposing controls over sub-processors and granting the right to audit and inspect. This requires determined negotiation and an understanding of what is market standard among cloud service provider contracts – all the more so when the customer operates in a regulated industry, such as financial services.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

Direct marketing: The UK Data Protection Act 2018 (DPA 2018) defines ‘direct marketing’ as "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals".

This covers all advertising or promotional material, including charity or political party campaigning for support or funds. For marketing to fall within this definition, it must be directed to particular individuals; the definition captures all relevant electronic messages (eg, calls, faxes, texts and emails) that are directed to someone.

This is differentiated from genuine business-to-business marketing, for which the rules are much simpler; but any marketing campaign must be carefully analysed to determine whether it is business to consumer or business to business.

Genuine market research does not count as direct marketing. However, if a survey includes promotional material or is collecting details to use in future marketing campaigns, the survey is for direct marketing purposes and therefore the rules apply.

Correspondence with customers to provide information that they need about a current contract or past purchase (eg, information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs) does not constitute direct marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services, or to renew contracts that are coming to an end, that message includes marketing material and the rules apply.

Consent: A person's consent will often be needed before sending him or her an electronic marketing message. If consent is being relied upon, in order to be valid it must be given freely, clearly and specifically. The request for consent must tell the individual which organisation will be marketing to them and the type of communication that will be used. This information must be accessible and easy to understand. In order for a person to consent, there must be a positive action to take in order to demonstrate consent (eg, clicking a box, sending an email).

The clearest, most unambiguous way to obtain consent is to ask the customer to tick an opt-in box confirming that he or she is happy to receive marketing calls, faxes, texts or emails. However, very often, approaching customers to obtain consent can itself be considered direct marketing and so must not be done without consent. There are various rules on this, and a marketing campaign can be constructed so as not to breach them.

Organisations should keep clear records of what a person has consented to, and when and how this consent was obtained. This is helpful to demonstrate compliance. Organisations must bear in mind that consents do not last forever and must be renewed periodically.

Particular care should be taken when relying on consent obtained indirectly (ie, consent originally given to a third party). It is important to ensure that the consent is valid and specifically and clearly identifies the organisation that will be directly marketing. Generic consent covering any third party is not sufficient.

Consents must also be granular, ideally broken down by channel (eg, email, telephone, in person) and by purpose, with it being possible to accept all or none of the various options.

Customers are entitled to withdraw their consent at any time they wish. Individuals must be made aware of this right: it must be easy for them to withdraw consent and clear how they can do so.

Crucially, lists must be maintained of people who have objected to marketing – for example, by unsubscribing, as well as by withdrawing consents. Future marketing campaigns should then be screened against these suppression lists.

Difference between ‘opt in’ and ‘opt out’: ‘Opt in’ means that a person must take a specific positive step (eg, ticking a box, sending an email or clicking a button) to confirm that he or she is happy to receive marketing. ‘Opt out’ means that a person must take a positive step to refuse or unsubscribe from marketing.

Automatically pre-ticked opt-in boxes do not constitute genuine consent under the GDPR and so must be avoided. An ‘affirmative’ method of getting consent must be used – for example, blank tick boxes.

PECR: If an organisation is carrying out marketing through channels such as telephone calls (both live and automated), faxes, emails, text messages and other forms of electronic messages, it must also consider the PECR rules, rather than just relying on compliance with the GDPR or the DPA 2018.

The PECR must be complied with by both the instigator and the marketer. If the ICO needs to take enforcement action, it will usually be against the instigator. In some cases, the ICO may also consider taking action against a specialist subcontractor if it deliberately or persistently ignores the rules. This means it is important for organisations to negotiate contracts correctly if using a third-party service provider to run their marketing campaigns.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

The courts hear data privacy disputes that have not been resolved by the relevant organisations. The Information Commissioner's Office (ICO) receives complaints from individual data subjects and will give an opinion on whether data protection law may have been breached, which can be submitted as evidence; but the courts will make their own decision.

The ICO does not give legal assistance with claims, except for limited circumstances related to journalism.

Arbitration is an alternative dispute resolution mechanism which could be used instead of taking a case to court and may be lower cost.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Data privacy disputes can relate to the whole range of personal data issues, but typically focus on an individual's rights to privacy or exercise of his or her rights under data protection law. There is often a wider context of disputes unrelated to privacy, such as employment rights.

12.3 Have there been any recent cases of note?

WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12: This was originally a High Court judgment against Morrisons which found that a company can be held vicariously liable in respect of data breaches caused by its employees "in the conduct of the employees' employment", even when the breach was caused by an employee with no wrongdoing having been committed on the part of the company. The original judgment described how an internal IT auditor deliberately leaked payroll data of almost 100,000 Morrisons employees, misusing security measures such as encrypted USB drives.

The Court of Appeal then rejected Morrisons' claim that satisfying the old Data Protection Act 1998 (DPA 1998) on data breaches means that vicarious liability for rogue actions under the common law will not apply. The court rejected the argument that, in enacting the DPA 1998, Parliament had intended to exclude common law actions that conflicted with the analysis under that statute.

More recently, the Supreme Court decided against the previous two courts, holding that as the rogue employee was not "acting in the ordinary course of his employment" and was instead "pursuing a personal vendetta seeking vengeance for the disciplinary proceedings some months earlier", Morrisons was not vicariously liable for his actions. The mere fact that an employee's employment gave him or her the opportunity to commit the wrongful act would not be sufficient to warrant vicarious liability.

Clear actions arising from this case that companies should take into account include the following:

  • Ensure that security policies are appropriate to cover issues such as mobile working, use of USB sticks and exports of data, and that all business units are trained on them, especially internal audit;
  • Ensure that promises regarding the security of personal data in employee-facing notices and handbooks are reinforced by validated security measures; and
  • Check insurance policies to ensure that liability from the actions of rogue employees is covered (typically, cover will be on the condition that the preceding points are satisfied).

Lloyd v Google LLC [2019] EWCA Civ 1599: This data protection class action against Google sets a precedent for representative opt-out style class actions for data protection breaches under UK law. The Court of Appeal held that damages are, in principle, capable of being awarded for loss of control of data under Section 13 of the old DPA 1998, even if there is no pecuniary loss and no distress. Although this case relates to the old DPA regime, as the events pre-date the entry into force of the GDPR and the Data Protection Act 2018, these new laws are likely to be interpreted in the same way.

While the claimants' use of the representative action procedure under the Civil Procedure Rules to bring an opt-out-style class action is ‘unusual’, it is permissible. The claimants all had their browser-generated information taken by Google using the Apple Safari Workaround to set cookies on their devices without their consent, in the same circumstances and during the same period.

An application for permission to appeal to the Supreme Court is pending. This has the potential to increase the risk for organisations following a personal data breach or other breach of data protection laws.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Brexit: At the time of writing, it is not clear how much divergence the UK General Data Protection Regulation (GDPR) will have from the GDPR over time, but companies will need to monitor and comply with both regimes.

The main immediate question is whether the United Kingdom will secure an adequacy ruling from the European Commission which would allow data transfers to occur from the European Union to the United Kingdom without further safeguards. This is by no means a certainty, given the small number of countries which have achieved adequacy to date and the length of time (minimum two years) it takes to secure an adequacy ruling.

The US bulk data acquisition regime resulted in the EU-US Privacy Shield being invalidated recently as part of the Schrems II decision. The United Kingdom also engages in such activities, although there are stringent safeguards, as set out in the Investigatory Powers Act 2016. It remains to be seen whether the wide-ranging powers open to UK intelligence agencies will jeopardise a future adequacy ruling by the European Commission after the end of the transition period on 31 December 2020. A recent (at the time of writing) decision by the European Court of Justice ruled that national governments cannot force internet and phone companies to store information such as location data and metadata for reasons of crime prevention or national security. This could well threaten the United Kingdom's efforts to reach a deal with the European Union on data transfers. Even if the United Kingdom were granted adequacy status, privacy campaigners like Max Schrems might well bring a court case against it.

International data transfers: Even without the added complication of Brexit, the situation regarding international data transfers is uncertain. Companies must navigate the recent Schrems II decision and related FAQs by the European data protection regulators carefully, while striving to reconcile the now outdated standard contractual clauses with modern technology and non-linear data flows.

The earliest time for new Standard Contractual Clauses is the end of 2020, as announced in a meeting of the European Parliament on the future of EU-U.S. Data Flows. The announcement states that the new Standard Contractual Clauses will tackle the main legacy issues with the current set, notably addressing Article 28 of the GDPR and also allowing for transfers between an EEA processor and a non-EEA processor. This will likely lead to further complications when negotiating data protection agreements.

Adtech: The Information Commissioner's Office (ICO) postponed the investigatory work it announced in 2019 on adtech once the COVID-19 pandemic took hold in Spring 2020. However, it is anticipated that this work will resume within the next 12 months.

The work conducted by the European Commissioner for Competition in respect of the dominance of technology companies and their use of personal data has been mirrored by the UK Competition and Markets Authority (CMA). In July 2020 the CMA published a significant report on online platforms and digital marketing, concluding that competition is not working well in these markets – in part due to the control that the major players have over the collection and use of personal data. It is therefore anticipated that the next 12 months will see closer collaboration between competition regulators and data protection authorities.

COVID-19: Like other European data protection authorities, the ICO has published guidance on processing personal data during the COVID-19 pandemic.

This has meant that organisations have revisited their privacy notices to ensure that these cover any additional health data they may be processing in order to support the safety and health of employees and visitors, as well as conducting data protection impact assessments where appropriate. Meanwhile, the launch of contact tracing apps within offices has meant that organisations have had to develop innovative contracting and transparency techniques.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Regulators are stretched and have limited resources. Principle-based data protection laws therefore seek to shift much of the obligation to monitor compliance from the regulators to the regulated. This means that it is vital for organisations to document their compliance efforts in a pragmatic and flexible way, while ensuring that such documentation remains up to date and reflects operational realities. Regulators are unlikely to challenge a risk-based decision taken by appropriately authorised internal staff such as a data protection officer or a data protection committee on proportionate commercial grounds, as long as there is a contemporaneous document of the decision. This emphasises the importance of having key data protection compliance documents – such as the record of processing, data protection impact assessments and privacy notices – which should all interlock and reflect each other.

Organisations should also be aware that the Information Commissioner's Office (ICO), like many regulators in Europe, regards spam and nuisance marketing as an infringement that should be taken seriously. The UK population has a high awareness of data protection rules and the rules against unsolicited marketing, and the ICO treats complaints from the public seriously.

Since the advent of the General Data Protection Regulation (GDPR), there is greater awareness about consent and transparency rules. Organisations should pay close attention to their public-facing privacy notices and policies; these are not only easily viewable by members of the public, but can also be seen by the regulators, and regulators have historically conducted automated sweeps of such public documents for compliance assessment.

Less within the control of organisations are interactions with third parties in relation to personal data. Third-party service providers that are engaged for personal data processing – whether for cloud software, data hosting or marketing purposes – should be subject to appropriate due diligence and a compliant contract should be negotiated with them which covers data protection. Where it is not possible to satisfy the requirements of the GDPR with regard to the contractual requirements, an audit trail should be maintained to evidence the attempt to do so. The most effective way to achieve this is to engage with business stakeholders early and often, to ensure that there is an awareness of new suppliers and a deep understanding of the nature and detail of the data flows.

Raising awareness of data protection and training staff sensitively and appropriately is the key defence to data protection issues. Tailored training and cultural awareness activities should be developed which are customised for the organisation to support its compliance with its own policies and procedures, rather than generic data protection training which is of limited value. In this way, staff can be encouraged to recognise and report data subject requests, potential data breaches and data transfers before they can develop into issues which could cause the organisation regulatory or reputational problems.

Jessica Khan and Najiba Sultana contributed to this Guide.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.