
3 UK data protection law post-Brexit


In this section, we will describe where UK data protection law is now, and how it got there. This includes an overview description of the main piece of post-Brexit legislation, known as the UK GDPR, and the relevant points from the supporting law, the Data Protection Act 2018.

3.1 The situation before Brexit

Before describing the post-Brexit situation with data protection law in the UK, it is worth outlining some of the history so the current legislation can be put into context.

Prior to Brexit, the UK was a member state of the European Union and so was subject to its laws. In 1995 the EU created the Data Protection Directive which, rather than becoming law directly in all member states, instead provided what was effectively a specification for each member state to introduce its own data protection law. Accordingly, the UK brought in the Data Protection Act 1998 as its implementation of the Directive, and other EU countries enacted their equivalents. Many years passed and technology moved on relentlessly, blurring the lines of data protection as it went. To catch up (and to simplify a situation in which each member state had slightly differing laws), the EU adopted the General Data Protection Regulation (GDPR) in 2016 and it became applicable across the EU on 25 May 2018. The GDPR, being a Regulation rather than a Directive, applied directly throughout the EU without needing a separate local law to be passed in each member state. However, the GDPR did allow for some national variations, such as the age at which a child can consent for data protection purposes (default 16, but this could be set as low as 13). Partly to specify what these variations were in the UK, the government replaced the 1998 Act with the Data Protection Act 2018.

So, prior to Brexit, data protection law in the UK was defined mainly by a combination of the GDPR and the Data Protection Act 2018 (there are also laws called the PECR and the NIS Regulations, but we will not be discussing these here). The DPA 2018 also contained what it called the “applied GDPR”: a version of the GDPR which the Act extended to processing that fell outside the scope of EU law and so was not covered by the GDPR itself.

3.2 The situation after Brexit

Once Brexit was decided upon, the UK started preparing to leave the EU. From a data protection point of view, the main piece of legislation passed was “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019”. These regulations set out the changes to be made to existing UK laws to adapt them to the fact that the UK was leaving the EU. In basic terms, they created the “UK GDPR” (as distinct from the “EU GDPR”) and amended the DPA 2018. The intention is that UK data protection law remains the same as EU data protection law, at least in the short term, so most of the changes simply replace references to the EU and its institutions with their UK equivalents.

So, after Brexit, data protection law in the UK is defined mainly by a combination of the UK GDPR and the (revised) Data Protection Act 2018.

3.3 What has changed as a result of Brexit

So what does this mean for organisations in the UK, the EU and elsewhere that need to comply with relevant data protection law?

The first thing to say is that the original EU GDPR is still very much alive and must still be complied with by all organisations that process the personal data of individuals in the EU, wherever those organisations are based (note that both the EU and UK GDPR apply according to where the data subject is located and where the organisation operates, not the data subject’s nationality). The second point is that the situation is still evolving, and political changes may be made, sometimes at short notice, that affect what needs to be done to stay compliant with data protection law. We will try to present a simplified picture of how Brexit affects organisations needing to comply with UK data protection law, but the reality may be more complicated than we can easily explain, and it may change, so the points we made earlier in this guide about the value of legal advice apply more strongly than ever.

The general guidance depends mainly on where your organisation is based, and the personal data it processes. For more information on international transfers, see the relevant section later in this guide.

3.3.1 UK-based organisations

If you are an organisation based in the UK, and you are processing only the personal data of individuals in the UK, then you will just need to comply with the UK GDPR and the DPA 2018, and this toolkit can help you to do that. If you transfer that personal data outside the UK, including to the EU, then you will need to look at the basis used for the transfer. The good news is that the UK trusts the EU data protection regime, so transfers to the EEA are covered by UK adequacy regulations, which means that little additional justification is required.

If you do process the personal data of individuals in the EU, then the EU GDPR will continue to apply to you in addition to UK law, and you may need to nominate a representative within the EU. In this case, you will also need to look at any transfers of EU personal data you make to the UK. Under the Trade and Cooperation Agreement negotiated between the EU and the UK at the end of 2020, a bridging period of up to six months was agreed during which personal data could continue to flow freely from the EEA (the European Economic Area, which consists of the EU member states plus Norway, Iceland and Liechtenstein) to the UK, as before Brexit. After this period expires, if there is no EU adequacy decision in favour of the UK, you will need to look at how these transfers will be legally covered. (The European Commission subsequently adopted adequacy decisions in favour of the UK on 28 June 2021; these are time-limited and subject to review, so check their current status.) CertiKit has a separate GDPR Toolkit that addresses the requirements of the EU GDPR.

3.3.2 EU-based organisations

For organisations based in the EU, and processing only the personal data of individuals in the EU, largely nothing changes. The EU GDPR still applies; the main aspect such organisations may need to review is the situation where they transfer personal data to the UK, perhaps for processing. If this is to continue then they will need to look at the basis that covers the transfer. Previously the UK was part of the EU, so this was not a problem. After Brexit however, once the six-month bridging period for transfers has expired, a number of situations may arise. The simplest of these is that the EU grants an adequacy decision in favour of the UK, meaning that it considers UK data protection law to be “good enough”, and transfers can continue. If this does not happen, then appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) may be used (see later in this guide), or an organisation may be able to apply one of the exceptions to the transfer. Each of these options will need to be looked at, with its relevant pros and cons.

If your organisation processes not only the personal data of individuals in the EU, but also of individuals in the UK, then you will need to comply not only with the EU GDPR, but also with UK data protection law. The main part of this is the UK GDPR which, as the name suggests, is (deliberately) very heavily based on the EU GDPR. You may need to appoint a representative in the UK who will act for you in dealings with the UK Information Commissioner’s Office (ICO), which was not needed previously.

3.3.3 Organisations based outside the EU and UK

If your organisation is in neither the EU nor the UK, then the main change is that you will need to start considering the two as separate entities, potentially appointing representatives in both (assuming you process the personal data of individuals in both the UK and the EU). If you do not operate in the UK, then there will be little change, unless perhaps you transfer EU personal data to a processor in the UK (in which case you may need to cover that transfer with appropriate safeguards, such as SCCs, or an exception). Conversely, if your organisation targets customers only in the UK, then you will need to keep track of any divergence between UK and EU data protection law as time goes by (initially they may be considered to be the same).

3.4 Changes affecting transfers to the USA

The data protection laws in the USA are not currently seen by the EU or the UK as adequate and, up until recently, a special scheme called the EU-US Privacy Shield was in place to allow the transfer of personal data to the USA.

However, in July 2020 the Court of Justice of the European Union (CJEU) gave judgment in a case brought by an Austrian privacy activist called Schrems, with the result that the EU-US Privacy Shield scheme was no longer available to US organisations wishing to accept transfers of EU personal data. As a result, organisations that were making transfers to the US under the scheme must find an alternative way to make such transfers lawful under both the EU GDPR and (post-Brexit) the UK GDPR. The most common way to do this is by using standard contractual clauses, although this approach must be accompanied by a transfer risk assessment showing that the SCCs, together with any supplementary measures, provide a level of protection essentially equivalent to that in the EU or UK.

Within the UK it is possible that the EU-US Privacy Shield may be replaced with a revised mechanism at some point, subject to negotiations between the UK and US governments. However, the reason that this case is referred to as “Schrems II” is that Maximilian Schrems also had a hand in the demise of the Privacy Shield’s predecessor, “Safe Harbor”, in 2015, so any new scheme is likely to have a similarly uncertain and contested future.

3.5 The UK GDPR

The first thing to say about the UK GDPR is that it does not actually exist as a separate document that is published by the UK government. This may seem strange, but it is due to the way that such amendments work in the UK legal system; laws remain in their original form and must be considered in conjunction with changes to them until they are “consolidated”. According to published guidance, at the moment there are no plans to consolidate either the UK GDPR or the Data Protection Act. To see the contents of the UK GDPR, it is necessary to start with the EU GDPR and then look at the changes made to it by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These regulations give instructions to “cross this bit out”, “insert this text here” or “replace this text with that”. There is a document called a “Keeling Schedule” which is published by the Department for Digital, Culture, Media and Sport and shows the changes marked up, but because it is heavily annotated, you may not find it that easy to read. To make referencing the UK GDPR easier, CertiKit has produced a more readable version that shows the revised document, with the changes incorporated but not marked up, and this is included in the Toolkit (along with the originals).

The original EU GDPR 2016 document is eighty-eight pages long and consists of two main parts:

• Recitals – 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background

• Articles – the 99 sections that set out the detail of the Regulation

In comparison, the UK GDPR does without the recitals completely and removes many of the articles that deal with the workings of the EU data protection mechanisms, so it is much shorter: thirty-two articles are removed and just one added, making a total of sixty-eight. For a fuller understanding, the UK GDPR needs to be read in conjunction with the revised Data Protection Act 2018, particularly Part 2, Chapter 2 – “The UK GDPR”. The revised text of the DPA 2018 Parts 1 and 2 (Chapters 1 and 2) is included in the CertiKit Toolkit.

3.5.1 Definitions

The UK GDPR provides a definition of twenty-eight of the relevant terms, including the following (Article 4 – Definitions):

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (but see section 6 of the 2018 Act);

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

3.5.2 Principles

The UK GDPR establishes several principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):

1. Lawfulness, fairness and transparency – keep it legal and fair; say what you are going to do with the data in clear terms

2. Purpose limitation – do not do more with the data than you said you would

3. Data minimisation – do not collect more data than you need

4. Accuracy – keep it up to date and deal with inaccuracies as soon as possible

5. Storage limitation – do not keep the data for longer than necessary

6. Integrity and confidentiality – keep the data safe while you have them

7. Accountability – be able to show that you are complying with the principles above

If you always keep these principles in mind, you are unlikely to fall foul of the UK GDPR.

3.5.3 Lawfulness

For the processing of personal data to be lawful, it must meet at least one of several criteria, and an important first step in considering your processing activities is to clearly establish which of the criteria applies in any given situation.

In essence, the criteria to choose from with regard to the lawfulness of the processing are as follows:

1. The data subject has consented to it

2. It is necessary to perform a contract between your organisation and the data subject, or to take steps at the data subject’s request before entering into a contract

3. It is necessary to comply with a legal obligation

4. It is necessary to protect the vital interests of the data subject or another person

5. It is necessary for a task carried out in the public interest or in the exercise of official authority

6. It is necessary for your legitimate interests (or those of a third party) – unless those interests are overridden by the interests, rights and freedoms of the data subject

So, whilst consent is an important aspect of the UK GDPR, it is not the only way in which collecting and processing personal data can be lawful. In fact, you may find that a significant proportion of the personal data your organisation holds and processes does not require consent; instead, it is required for lawful purposes such as providing support to customers (contractual), paying employees (contractual/legal) or dealing with the tax authority (legal). The process of obtaining and maintaining consent may involve changes to business processes and systems so it is a good idea to make sure there is no other lawful basis on which processing can take place first.

In many cases it may be prudent to go for legitimate interests as the lawful basis for processing; if you choose to go down this route you will need to carry out and document a legitimate interests assessment which shows that you have considered all the angles, and you should be aware that this basis is not available to public authorities for processing carried out in the performance of their tasks.

3.5.4 Consent

If you believe that your processing is lawful because you have the data subject’s consent, then you must be able to demonstrate it. You cannot bury the consent wording amongst other contractual text and expect it to count either. It must be presented in an “intelligible and easily accessible form, using clear and plain language” (UK GDPR Article 7, paragraph 2); otherwise the consent is not valid, and your processing could be judged to be unlawful.

Once given, consent can be withdrawn at any time by the data subject, and this must be as easy to do as it was to give it in the first place. Where an online service is offered directly to a child, the child must be at least thirteen years of age to give consent themselves (the UK reduced this from the EU GDPR default of sixteen); otherwise the consent of a person with parental responsibility must be obtained.

3.5.5 Rights of the data subject

The UK GDPR establishes a set of rights that the data subject can exercise and which the controller holding their personal data must react and respond to, generally within a month.

1. The right to be informed: Being told what data will be collected, why, by whom, for what purpose and where the data will go

2. The right of access: Being able to see the personal data that are being held about the data subject

3. The right to rectification: Getting the data corrected if they are wrong or inaccurate

4. The right to erasure: Having personal data removed when they are no longer necessary

5. The right to restrict processing: Pausing the processing of the data if there are grounds to do so

6. The right to data portability: Obtaining the data in a transportable form and moving them to an alternative controller

7. The right to object: Stopping the data from being processed

8. Rights in relation to automated decision making and profiling: Having a human involved in important decisions

These rights follow on from the principles that we discussed earlier and are aimed at ensuring that personal data are processed fairly and transparently, and that the data subject can do something about it if this does not happen.

The data subject must be informed of their rights, along with a variety of other information about what their information will be used for and why, when the personal data are collected (or within a month if the data come from another source). This increased granularity of information means that a layered approach to privacy notices, with the relevant information being displayed “just in time” when the personal data are collected, may be preferable to the more traditional single privacy policy seen on many websites.

3.5.6 Data protection officer

Depending on your organisation and what it does with personal data, you may or may not need a data protection officer. You will have to designate one if:

• You are a public authority or body (other than a court acting in its judicial capacity)

• Your core activities involve regular and systematic monitoring of data subjects on a large scale

• Your core activities involve large-scale processing of special category data or of personal data relating to criminal convictions and offences

Data protection officers may be part-time, may be shared across organisations and may be external resources or services. They must remain independent and their contact details must be freely available, especially to data subjects. The data protection officer is the main contact with the Information Commissioner and is likely to get involved when key issues of data privacy and protection are addressed within the organisation, such as during data protection impact assessments. The data protection officer will need to know a reasonable amount about data protection law in order to fulfil the role (but there’s no “official” qualification that is required).

3.5.7 Contracts between controller and processor

The UK GDPR is very specific that it wants to see a contract in place between data controllers and processors that protects personal data, and it defines the areas that this must cover. Basically, this involves detailing the subject matter, purpose and duration of the processing, the categories of personal data involved, and the data subjects it affects. The processor must contractually commit to a set of minimum terms related to data protection, and existing contracts that lack them will need to be changed to include them.

What we are seeing from the big players such as Google, Amazon Web Services and Microsoft is that they will make a pre-signed Data Processing Addendum to their current terms and conditions available to their customers, which in principle may save everyone a lot of time.

3.5.8 Privacy by design and data protection impact assessments

In order to establish a culture where data privacy is “baked in” to new processes and systems, rather than added as an afterthought, the UK GDPR requires that data protection impact assessments (also called privacy impact assessments) be carried out where the processing is likely to result in a high risk to data subjects. This process involves understanding the personal data involved and addressing the likely risks using appropriate controls, so that proactivity, rather than reactivity, is the order of the day.

3.5.9 Codes of conduct and certification

The regulation makes provision for industry bodies and other organisations to create relevant codes of conduct and certification schemes that can be used to encourage and demonstrate compliance. It is early days for such schemes, but they are likely to increase in popularity and availability as time goes by, so it is well worth keeping an eye on what is happening in your industry.

The ISO/IEC 27701 standard is probably one of the first international schemes to be published that has a direct relationship with the UK GDPR. An organisation can become certified to this standard, but only if it is first certified to the ISO/IEC 27001 standard for information security management systems, so currently it is more of an “add-on” standard than a standalone one.

3.5.10 International transfers

Sending personal data outside the UK raises questions over how well the data will be protected, and the UK GDPR places restrictions on how this may be done. To be helpful, the Secretary of State decides which countries the UK trusts to look after UK personal data and publishes the list of those deemed acceptable (in the form of “adequacy regulations”, often still referred to as adequacy decisions). Currently it is a small list, based on its EU equivalent, so you may need to look at the other ways of meeting the UK GDPR if you need to make international transfers.

Other ways to get approval are:

• A legally binding and enforceable instrument between public bodies (public bodies only)

• Binding corporate rules

• Using standard contractual clauses in your contract

• Signing up to an approved code of conduct or certification scheme

If you are going to use binding corporate rules, be aware that they have to be approved by the Information Commissioner and that can take a while. There are standard contractual clauses available currently, and new ones may be issued by the Secretary of State or the Information Commissioner (the ICO has since published its own International Data Transfer Agreement, together with an Addendum that can be attached to the EU SCCs, both in force from 21 March 2022).

There are a few get-outs (or “Derogations” as the UK GDPR calls them) for small, infrequent transfers so it may be worth checking the list in Article 49 to see if any apply.

3.5.11 UK representatives

If your organisation is outside the UK then, depending on the type of organisation and the processing you perform, you may need to appoint a representative within the UK to act as a focal point for communication with the Information Commissioner’s Office or data subjects. This needs to be done in writing and may be easily achieved through a service offered by third parties established in the UK, for a fee.

3.5.12 Remedies, liability and penalties

And so we come to the teeth of the UK GDPR; the fines that can be levied for non-compliance are certainly larger than those under the original Data Protection Act 1998 it replaces. The actual amounts demanded will depend upon a wide variety of factors, including the personal data involved, how hard the culprit organisation tried to protect the data, how much it co-operated with the investigation and, most importantly, the specific article(s) of the UK GDPR it is judged to have contravened.

Fines allowable are up to 2% of worldwide annual turnover or £8,700,000, whichever is higher, for lower-level infringements, and up to 4% of worldwide annual turnover or £17,500,000, whichever is higher, for more serious cases.

Data subjects can lodge a complaint with the Information Commissioner’s Office directly themselves or may use the services of a not-for-profit body active in the field of data protection.

3.6 The Data Protection Act 2018

The Data Protection Act 2018, as revised by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, adds a layer of additional clarification to various points stated in the UK GDPR. These largely revolve around the definition of terms such as “public body” or “public authority” in a UK context, how UK law applies to the articles, the powers of the Secretary of State (including regarding international transfers), and various other specific issues. All of these points can be found in Part 2, Chapters 1 and 2 of the Act. The rest of the Act, which is lengthy (seven Parts in all, with a further twenty Schedules), largely covers areas not generally relevant to a non-public-sector organisation looking to remain compliant, such as law enforcement processing, intelligence services processing, the Information Commissioner and enforcement.

3.7 Where to find more official guidance about UK data protection

As with any new piece of legislation, the UK GDPR has room for interpretation and is full of terms like “high risk” and “large scale” that might be considered relative at best. The main place to visit for more information is the Information Commissioner’s Office website (www.ico.org.uk), which has a wealth of guides and FAQs about UK data protection legislation; the ICO also runs a telephone helpline for those who have reached the stage where they really need to speak to a human.
