

1 Introduction

The purpose of this guide is to help you to ensure your non-public sector organisation is compliant with UK data protection laws post-Brexit using the CertiKit UKDP Toolkit. The reason we don’t include the UK public sector in this guide (or the toolkit) is that the issues involved for bodies such as councils, central government and the intelligence services are quite different (and more complicated) from those for a sole trader or limited company in the UK (or a non-UK company trading in the UK). There are many different ways to approach the process of ensuring that your organisation meets UK data protection requirements, and the method described here is simply one alternative. The UK GDPR and the Data Protection Act 2018 are complex pieces of legislation with far-reaching implications, and our aim in this guide is to present the main points (but we won’t be covering everything – both are long documents) in an easily-understood format so that you can get started as soon as possible.

1.1 The value of legal advice

What we present here (and in the Toolkit) is our understanding of what’s required for compliance, based on many years in the IT and information security industry, analysis of the legislation itself and a variety of further inputs from conferences, books, webinars, presentations, discussions and examinations on the subject. But the main points we would make before you begin reading are that we aren’t lawyers, that there is no replacement for well-informed and qualified legal advice, and that you should obtain this before taking key decisions and dedicating significant resources to specific tasks. Familiarising yourself with the source legislation isn’t a bad idea either.

1.2 Data protection and information security

We probably also ought to mention the relationship between compliance with data protection legislation and the concept of an Information Security Management System, or ISMS. UK data protection law doesn’t mandate an ISMS (or Personal Information Management System, PIMS) such as that described by the international standard for information security, ISO/IEC 27001. But when it comes to satisfying the Information Commissioner’s Office (ICO) that you have taken the security of personal data seriously, having a recognised framework in place that ensures you set objectives, manage risk and review success, could go a long way. See the relevant section on our website for more details about our ISO/IEC 27001 Toolkit.

Several other ISO standards and cyber security schemes are also worth a mention:

ISO/IEC 27018 – recommendations for protecting personal data in the cloud
ISO/IEC 27701 – an extension to the ISO/IEC 27001 standard which focusses specifically on privacy information management

2 UK data protection law post-Brexit

In this section, we’ll describe where UK data protection law is now, and how it got there. This includes an overview description of the main piece of post-Brexit legislation, known as the UK GDPR, and the relevant points from the supporting law, the Data Protection Act 2018.

2.1 The situation before Brexit

Before describing the post-Brexit situation with data protection law in the UK, it’s worth outlining some of the history so the current legislation can be put into context.

Prior to Brexit, the UK was a member state of the European Union and so was subject to its laws. In 1995 the EU created the Data Protection Directive which, rather than becoming law directly in all member states, instead provided what was effectively a specification for each member state to introduce its own law concerning data protection. Accordingly, the UK brought in the Data Protection Act 1998 as its implementation of the Directive, and other EU countries enacted their equivalents. Many years passed and technology moved on relentlessly, blurring the lines of data protection as it went. To catch up (and to simplify the situation where each member state had slightly differing laws), the EU created the General Data Protection Regulation (GDPR) in 2016 and this became law within the EU on 25 May 2018. The GDPR, being a Regulation rather than a Directive, applied directly across the EU without needing a separate local law to be passed in each member state. However, the GDPR did allow for some variations within each country, such as the age at which a child can give consent for data protection purposes (default 16, but this could be as low as 13). Partly to specify what these were in the UK, the government replaced the 1998 Act with the Data Protection Act 2018.

So, prior to Brexit, data protection law in the UK was defined mainly by a combination of the GDPR and the Data Protection Act 2018 (there are also laws called the PECR and NIS, but we won’t be discussing these here). The combination of the GDPR and the changes to it introduced by the Data Protection Act 2018 are sometimes referred to as the “applied GDPR”.

2.2 The situation after Brexit

Once Brexit was decided upon, the UK started the preparations for the UK to leave the EU. From a data protection point of view, the main piece of legislation they passed was called “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019”. These regulations set out the changes that would be made to current UK laws to adapt them to the fact that the UK was leaving the EU. In basic terms, what they did was to create the “UK GDPR” (as distinct from the “EU GDPR”) and make changes to the DPA 2018. The intention is that UK data protection law remains the same as EU data protection law, at least in the short term, so most of the changes are simply replacing references to the EU and its institutions with their UK equivalents.

So, after Brexit, data protection law in the UK is defined mainly by a combination of the UK GDPR and the (revised) Data Protection Act 2018.

2.3 What’s changed as a result of Brexit

So what does this mean for organisations in the UK, the EU and elsewhere that need to comply with relevant data protection law?

The first thing to say is that the original EU GDPR is still very much alive and must still be complied with by all organisations that process the personal data of EU citizens, wherever they are based. The second point is that the situation is still evolving, and political changes may be made, sometimes at short notice, that affect what needs to be done to stay compliant with data protection law. We will try to present a simplified picture of how Brexit affects organisations needing to comply with UK data protection law, but the reality is that the situation may be more complicated than we can easily explain, and it may change, so the points we made earlier in this guide about the value of legal advice apply more strongly than ever.

The general guidance depends mainly on where your organisation is based, and the personal data it processes. For more information on international transfers, see the relevant section later in this guide.

2.3.1 UK-based organisations

If you’re an organisation based in the UK, and you’re processing the personal data of UK citizens only, then you will just need to comply with the UK GDPR and DPA 2018, and this toolkit can help you to do that. If you transfer the personal data of UK citizens outside the UK, including to the EU, then you will need to look at the basis used for the transfer. The good news is that the UK trusts the EU data protection regime, so transfers to the EU are covered by a UK adequacy decision, which means that little additional justification is required.

If you do process the personal data of EU citizens, then the EU GDPR will continue to apply to you in addition to UK law, and you may need to nominate a representative within the EU. In this case, you will also need to look at any transfers of EU personal data you perform to the UK. Under the treaty negotiated between the EU and the UK at the end of 2020, a six-month period was agreed during which personal data may flow freely from the EEA (the European Economic Area, which consists of the EU member states plus Norway, Iceland and Liechtenstein) to the UK, as before Brexit. After this period expires however, if there is no new EU adequacy decision in favour of the UK, you will need to look at how these transfers will be legally covered. CertiKit has a separate GDPR Toolkit that addresses the requirements of the EU GDPR.

2.3.2 EU-based organisations

For organisations based in the EU, and processing the personal data of EU citizens only, largely nothing changes. The EU GDPR still applies; the main aspect such organisations may need to review is in the situation where they transfer personal data to the UK, perhaps for processing. If this will continue then they will need to look at the basis that covers the transfer. Previously the UK was part of the EU, so it wasn’t a problem. After Brexit however, a number of situations may arise, once the previously-stated six-month grace period for transfers has expired. The simplest of these is that the EU grants an adequacy decision in favour of the UK which means that it considers UK data protection law to be “good enough”, and transfers can continue. If this doesn’t happen, then appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) may be appropriate (see later in this guide), or an organisation may be able to apply an exception to the transfer. Each of these options will need to be looked at, with their relevant pros and cons.

If your organisation not only processes the personal data of EU citizens, but also of UK citizens, then you will need to comply not only with the EU GDPR, but also with UK data protection laws. The main one of these is the UK GDPR which, as the name suggests, is (deliberately) very heavily based on the EU GDPR. You may need to appoint a representative in the UK who will act for you in interfacing with the UK Information Commissioner’s Office (ICO) which wasn’t needed previously.

2.3.3 Organisations based outside the EU and UK

If your organisation is in neither the EU nor the UK, then the main change will be that you will need to start to consider the two as separate entities, potentially appointing representatives in both (assuming you process the personal data of both UK and EU citizens). If you don’t operate in the UK, then there will be little change, unless perhaps you transfer EU data to a processor in the UK (in which case you may need to cover that transfer with appropriate safeguards, such as SCCs, or an exception). Similarly, if your organisation targets customers only in the UK then you will need to keep track of any divergence between UK and EU data protection law as time goes by (initially they may be considered to be the same).

2.4 Changes affecting transfers to the USA

The data protection laws in the USA are not currently seen by the EU or the UK as adequate and, up until recently, a special scheme called the EU-US Privacy Shield was in place to allow the transfer of personal data to the USA.

However, in July 2020 the Court of Justice of the European Union (CJEU) gave judgment in a case brought by an Austrian privacy activist called Schrems, with the result that the EU-US Privacy Shield scheme was no longer available to US organisations wishing to accept transfers of EU personal data. As a result, organisations making transfers to the US under the scheme must find an alternative way to make such transfers lawful under both the EU and (post-Brexit) the UK GDPR. The most common way to do this is using standard contractual clauses, although this approach must be accompanied by a risk assessment showing that the level of protection the SCCs provide is adequate in practice, taking into account the laws of the destination country.

Within the UK it’s possible that the EU-US Privacy Shield may be replaced with a revised mechanism at some point, subject to negotiations between the UK and the US government. However, the reason that this case is referred to as “Schrems II” is that Maximilian Schrems also had a hand in the demise of the Privacy Shield’s predecessor, which was called “Safe Harbor”, so any new schemes are likely to have a similarly uncertain and controversial future.

2.5 The UK GDPR

The first thing to say about the UK GDPR is that it doesn’t actually exist as a separate document that is published by the UK government. This may seem strange, but it’s due to the way that such amendments work in the UK legal system; laws remain in their original form and must be considered in conjunction with changes to them until they are “consolidated”. According to published guidance, at the moment there are no plans to consolidate either the UK GDPR or the Data Protection Act. To see the contents of the UK GDPR, it is necessary to start with the EU GDPR and then look at the changes made to it by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These regulations give instructions to “cross this bit out”, “insert this text here” or “replace this text with that”. There is a document called a “Keeling Schedule” which is published by the Department for Digital, Culture, Media and Sport and shows the changes marked up, but because it is heavily annotated, you may not find it that easy to read. To make referencing the UK GDPR easier, CertiKit has produced a more readable version that shows the revised document, with the changes incorporated but not marked up, and this is included in the Toolkit (along with the originals).

The original EU GDPR 2016 document is eighty-eight pages long and consists of two main parts:

Recitals – 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background
Articles – the 99 sections that set out the detail of the Regulation

In comparison, the UK GDPR does without the recitals completely and removes many of the articles that deal with the workings of the EU data protection mechanisms, so it’s much shorter, with a total of thirty-two articles removed for just one added, making a total of sixty-eight. For a fuller understanding, the UK GDPR does need to be read in conjunction with the revised Data Protection Act 2018, particularly Part 2, Chapter 2 – “The UK GDPR”. The revised text of the DPA 2018 Parts 1 and 2 (Chapters 1 and 2) is included in the CertiKit Toolkit.

2.5.1 Definitions

The UK GDPR provides a definition of twenty-eight of the relevant terms, including the following (Article 4 – Definitions):

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (but see section 6 of the 2018 Act);

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

2.5.2 Principles

The UK GDPR establishes several principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):

1. Lawfulness, fairness and transparency – keep it legal and fair; say what you’re going to do with the data in clear terms
2. Purpose limitation – don’t do more with the data than you said you would
3. Data minimisation – don’t collect more data than you need
4. Accuracy – keep it up to date and deal with inaccuracies as soon as possible
5. Storage limitation – don’t keep the data for longer than necessary
6. Integrity and confidentiality – keep the data safe while you have them
7. Accountability – be able to show that you’re complying with the principles above

If you always keep these principles in mind, you’re unlikely to fall foul of the UK GDPR.

2.5.3 Lawfulness

For the processing of personal data to be lawful, it must meet at least one of several criteria, and an important first step in considering your processing activities is to clearly establish which of the criteria applies in any given situation.

In essence, the criteria to choose from with regard to the lawfulness of the processing are as follows:

1. The data subject has consented to it
2. It’s needed to perform a contract between your organisation and the data subject, or to take steps at the data subject’s request before entering into a contract
3. You legally must do it
4. You’re protecting the vital interests of the data subject (or another person)
5. It’s necessary for a task carried out in the public interest or in the exercise of official authority
6. It’s for your (or a third party’s) legitimate interests – as long as these aren’t overridden by the data subject’s interests, rights and freedoms

So, whilst consent is an important aspect of the UK GDPR, it’s not the only way in which collecting and processing personal data can be lawful. In fact, you may find that a significant proportion of the personal data your organisation holds and processes doesn’t require consent; instead it is required for lawful purposes such as providing support to customers (contractual), paying employees (contractual/legal) or dealing with the tax authority (legal). The process of obtaining and maintaining consent may involve changes to business processes and systems so it is a good idea to make sure there is no other lawful basis on which processing can take place first.

In many cases it may be prudent to go for legitimate interest as the lawful basis for processing; if you choose to go down this route you will need to carry out a legitimate interest assessment which shows that you have considered all the angles.

2.5.4 Consent

If you believe that your processing is lawful because you have the data subject’s consent, then you must be able to prove it. You can’t hide the consent wording in amongst other contractual ramblings and expect to get away with it either. It must be in an “intelligible and easily-accessible form, in clear and plain language” (UK GDPR Article 7, paragraph 2) otherwise the consent doesn’t count, and your processing could be judged to be unlawful.

Once given, the consent can be withdrawn at any time by the data subject and this must be as easy to do as it was to give it in the first place. A child must be at least thirteen years of age to be able to give consent (this was reduced from the EU GDPR default of sixteen) otherwise parental consent must be obtained.

2.5.5 Rights of the data subject

The UK GDPR establishes a set of rights that the data subject can exercise and which the controller holding their personal data must react and respond to, generally within a month.

1. The right to be informed: Being told what data will be collected, why, by whom, for what purpose and where the data will go
2. The right of access: Being able to see personal data that are being held about the data subject
3. The right to rectification: Getting the data corrected if they are wrong or inaccurate
4. The right to erasure: Having personal data removed when they are no longer necessary
5. The right to restrict processing: Pausing the processing of the data if there are grounds to do so
6. The right to data portability: Obtaining the data in a transportable form and moving it to an alternative processor
7. The right to object: Stopping the data from being processed
8. Rights in relation to automated decision making and profiling: Having a human involved in important decisions

These rights follow on from the principles that we discussed earlier and are aimed at ensuring that personal data are processed fairly and transparently, and that the data subject can do something about it if this doesn’t happen.

The data subject must be informed of their rights, along with a variety of other information about what their information will be used for and why, when the personal data are collected (or within a month if the data come from another source). This increased granularity of information means that a layered approach to privacy notices, with the relevant information being displayed “just in time” when the personal data are collected, may be preferable to the more traditional single privacy policy seen on many websites.

2.5.6 Data protection officer

Depending on your organisation and what it does with personal data, you may or may not need a data protection officer. You will have to designate one if:

You’re a public authority or body
Your core activities involve regular and systematic monitoring of data subjects on a large scale
Your core activities involve large-scale processing of special category data or personal data relating to criminal convictions and offences

Data protection officers may be part-time, may be shared across organisations and may be external resources or services. They must remain independent and their contact details must be freely available, especially to data subjects. The data protection officer is the main contact with the Information Commissioner and is likely to get involved when key issues of data privacy and protection are addressed within the organisation, such as during data protection impact assessments. The data protection officer will need to know a reasonable amount about data protection law in order to fulfil the role (but there’s no “official” qualification that is required).

2.5.7 Contracts between controller and processor

The UK GDPR is very specific that it wants to see a contract in place between data controllers and processors that protects personal data and it defines the areas that this should cover. Basically, this involves detailing the purpose and duration of the processing, the personal data categories involved, and the data subjects it affects. The processor must contractually commit to a set of minimum terms related to data protection and existing contracts will need to be changed to include them.

What we’re seeing from the big players such as Google, Amazon Web Services and Microsoft is that they will make a pre-signed Data Processing Addendum to their current terms and conditions available to their customers, which in principle may save everyone a lot of time.

2.5.8 Privacy by design and data protection impact assessments

In order to establish a culture where data privacy is “baked in” to new processes and systems, rather than added as an after-thought, the UK GDPR requires that data protection impact assessments (also called privacy impact assessments) be carried out where the risks involved to data subjects are reasonably felt to be high. This process involves understanding the personal data involved and addressing likely risks using appropriate controls, so that proactivity, rather than reactivity, is the order of the day.

2.5.9 Codes of conduct and certification

The regulation makes provision for industry bodies and other organisations to create relevant codes of conduct and certification schemes that can be used to encourage and demonstrate compliance. It’s early days for such schemes, but they are likely to increase in popularity and availability as time goes by, so it’s well worth keeping an eye on what’s happening in your industry.
