

The ISO/IEC 27701 standard is probably one of the first international schemes to be published that has a direct relationship with the UK GDPR. An organisation can become certified to this standard, but only if it is first certified to the ISO/IEC 27001 standard for information security management systems, so currently it is more of an “add-on” standard than a standalone one.

2.5.10 International transfers

Sending the personal data of UK citizens outside of the country raises questions over how well the data will be protected, and the UK GDPR places restrictions on how this may be done. To be helpful, the Secretary of State regularly decides which countries are trusted to look after UK personal data and publishes a list of those deemed to be acceptable (called an “Adequacy Decision”). Currently, it is a small list based on its EU equivalent, so you may need to look at the other ways to meet the UK GDPR if you need to make international transfers.

Other ways to get approval are:

- A legally binding agreement (public bodies only)
- Binding corporate rules
- Using standard clauses in your contract
- Signing up to an approved code of conduct or certification scheme

If you are going to use binding corporate rules, be aware that they have to be approved by the Information Commissioner, and that can take a while. Some standard contractual clauses are available currently, and new ones may be created and approved by the Secretary of State or the Information Commissioner.

There are a few get-outs (or “derogations”, as the UK GDPR calls them) for small, infrequent transfers, so it may be worth checking the list in Article 49 to see if any apply.

2.5.11 UK representatives

If your organisation is outside the UK then, depending on the type of organisation and the processing you perform, you may need to appoint a representative within the UK to act as a focal point for communication with the Information Commissioner’s Office and data subjects. The appointment must be made in writing and can easily be achieved through a service offered by third parties established in the UK, for a fee.

2.5.12 Remedies, liability and penalties

And so we come to the teeth of the UK GDPR: the fines that can be levied for non-compliance are certainly larger than those under the original Data Protection Act 1998 that it replaces. The actual amounts demanded will depend upon a wide variety of factors, including the personal data involved, how hard the culprit organisation tried to protect the data, how much it co-operated with the investigation and, most importantly, the specific article(s) of the UK GDPR it is judged to have contravened.

Fines allowable are up to 2% of global turnover or £8,700,000, whichever is higher, for lower-level infringements, and up to 4% of global turnover or £17,500,000, whichever is higher, for more serious cases.

Data subjects can lodge a complaint with the Information Commissioner’s Office directly themselves or may use the services of a not-for-profit body active in the field of data protection.

2.6 The Data Protection Act 2018

The Data Protection Act 2018, as revised by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, adds a layer of additional clarification to various points stated in the UK GDPR. These largely revolve around the definition of terms such as “public body” or “public authority” in a UK context, how UK law applies to the articles, the powers of the Secretary of State (including regarding international transfers), and various other specific issues. All of these points can be found in Part 2, Chapters 1 and 2 of the Act. The rest of the Act, which is lengthy (seven Parts in all, with a further twenty Schedules), largely covers areas not generally relevant to a non-public-sector organisation looking to remain compliant, such as law enforcement processing, intelligence services processing, the Information Commissioner and enforcement.

2.7 Where to find more official guidance about UK data protection

As with any new piece of legislation, the UK GDPR has room for interpretation and is full of terms like “high risk” and “large scale” that might be considered relative at best. The main place to visit for more information is the Information Commissioner’s Office website (www.ico.org.uk), which has a wealth of guides and FAQs about UK data protection legislation; there is also a telephone helpline for those who have reached the stage where they really need to speak to a human.
