Winston Churchill famously described Russian foreign policy as, ‘a riddle wrapped in a mystery inside an enigma.’
I’m sure those entrusted with data protection for their organisation may harbour similar thoughts about GDPR! Especially small-to-medium sized businesses and start-ups.
As a piece of legislation, UK GDPR has lots of moving parts. As a consultant dedicated to helping organisations understand data protection, here’s my round up of things we at DPN find most commonly misconstrued.
UK GDPR & Data Protection Act 2018
The UK GDPR and the Data Protection Act 2018 are not the same thing.
UK GDPR was implemented in 2020 and largely mirrors its EU namesake. Post-Brexit, the UK flavour of GDPR was created to make it fit for purpose in a UK-specific context. For example, removing all the bits which referenced ‘member state law’.
The Data Protection Act 2018 supplements UK GDPR. For example, it provides more detailed provisions in relation to special category data, child consent, the public interest lawful basis and individual privacy rights exemptions.
The DPA 2018 also includes distinct provisions for processing by law enforcement and intelligence services.
The Privacy and Electronic Communications Regulations (PECR)
It’s PECR not UK GDPR which sets out the rules for direct marketing by electronic means, and for cookies and similar technologies.
PECR has been around since 2003, and is derived from the ePrivacy EU Directive 2002. In 2011 there was a significant update to this piece of legislation with the so called ‘cookie law’.
UK GDPR and PECR sit alongside each other. Organisations need to comply with both when personal data is collected and used for electronic marketing purposes, or collected and used via the deployment of cookies and similar technologies. UK GDPR, marketing & cookies
There’s further interplay, for example, when consent is required under PECR, the consent collected needs to meet the UK GDPR standard for valid consent. This means, to give one example, the required consent for non-essential cookies must be ‘freely given, specific, informed and unambiguous’ and must be given by a ‘clear affirmative action by the data subject’. Getting consent right
Controller and processor
UK GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
For example, a sole trader, a charity, a limited company, a PLC or a local authority can be a controller. An individual within an organisation such as a CEO or Data Protection Officer (more on DPOs in a bit) is not a controller – a point some companies get wrong in their privacy notice and internal data protection policies.
A controller decides how personal data is collected and used, and the organisation’s senior management is accountable. Furthermore the controller decides which service providers (aka ‘suppliers’ / ‘vendors’) to use. Which brings me onto….
A processor – which means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
Routinely processors will be companies which provide a service, and in providing this service handle their clients’ data. The key is the processor won’t use this client data for their own business purposes.
To give some common examples of processors – outsourced payroll provider, external cloud services, marketing platforms, communications providers, website hosts, IT support services, software and application providers, and so much more.
Some organisations which primarily act as a processor (service provider) may also act as a controller for certain activities. For example, to handle their own employee’s personal data. Controller or Processor – what are we?
Controller, processor and ‘sub processor’ contracts
A key change ushered in by GDPR was the concept of processor liability flowing right down the data supply chain. The law decrees there must be a contractual agreement between a controller and a processor, and gives very specific requirements for what this should cover. These are often found in a Data Processing Agreement (DPA), which may be an appendix or addendum to an existing or new contract.
The law aims to make sure individuals’ rights are protected at all times as data flows down and back up the supply chain. As well as a contract between a controller and processor, the processor should have similar contractual terms flowing down to other processors they engage to deliver their services – commonly known as sub-processors. For example, the obligation to keep the controller’s personal data secure at all times. A point which can often get overlooked. Supplier contracts
International data transfers include granting ‘access to’ personal data
(aka ‘restricted transfers’ or ‘cross border transfers’)
An international data transfer refers to the act of sending or transferring personal data from one country to another. Crucially this includes when an organisation makes personal data available or accessible to another entity (‘third party’) located in another country. In other words, the personal data can be accessed from overseas.
To give a couple of examples;
⚑ your UK-based organisation engages a website hosting service based in the United States, which also provides support services. Employees of this service provider can access your customer data on the back end of your website.
⚑ Your UK-based organisation provides a payroll service to clients, to provide this service you use a sub-contractor based in India. The sub-contractor can view your clients’ employee payment records.
In both of the above situations an international data transfer is taking place, and the law tells us specific safeguards are necessary. These rules exist because in the above two cases, customers and employees risk losing control of their personal data when it is ‘transferred’ outside the UK.
For more detail see our International Data Transfers Guide and the ICO International Data Transfer Guidance
Consent should not be your default lawful basis
(aka ‘legal grounds’)
Under UK GDPR there are six lawful bases for processing personal data. No single lawful basis is ’better’ or more important than the other and you must determine your lawful basis for each processing activity. Pick whichever one of the six is most appropriate to the activity.
Sometimes consent will be the most appropriate basis to rely on, but certainly not always and consent should only be used when you can give people a genuine choice. Quick guide to lawful bases
A privacy notice is simply a notification, not something people have to agree to
(aka ‘privacy policy’)
People have a fundamental right to be informed and one of the main ways organisations can meet this is by publishing a privacy notice. All businesses need an external facing privacy notice if they’re collecting and handling people’s personal information. And despite a common misconception, this doesn’t just relate to data gathered via a website.
A privacy notice is a notification about ALL the different ways in which you’ll handle people’s personal details (your processing of ‘personal data’). It’s a method of providing necessary and legally mandated information. Although often still referred to as a ‘privacy policy’ it isn’t really policy (it’s a notification only) and isn’t something people should have to confirm they agree to. Privacy Notices Quick Guide & ICO Right to be Informed Guidance
Not every organisation must have a Data Protection Officer
Many small organisations, and many medium-sized business don’t fall under the mandatory requirement to appoint a DPO. It’s only mandatory if your activities meet certain criteria;
✓ you’re a public authority or body (except for courts acting in their judicial capacity); or
✓ your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
✓ your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
It can sometimes be difficult to assess whether your organisation falls under the mandatory requirement or not. And of course it’s perfectly acceptable to voluntarily appoint one – a good DPO can be a huge benefit. But if you don’t appoint a DPO you’ll still need someone (or a team) who have responsibility for data protection.
It is worth bearing in mind the role of a Data Protection Officer is clearly defined in law. UK GDPR sets out the position of a DPO, specific tasks they’re responsible for, and how the organisation has a duty to support the DPO to fulfil their responsibilities. DPO Myth Buster
Not all Personal Data Breaches need to be reported
You’ve accidentally sent an email to the wrong person. This included limited personal information about someone else. You’ve apologised. The person you accidentally sent it to is a trusted person and has confirmed it’s been deleted. It’s unlikely this type of minor breach needs to be reported to the ICO.
When a personal data breach has occurred (or is suspected), it’s important to quickly establish the likelihood and severity of risk and potential harms to those affected. You only need to report a breach to ICO if you assess the breach represents a risk to them. It can prove invaluable to have a clear methodology for assessing the risk posed. Data Breach Guide
The right of access (aka DSAR or SAR) is not a right to documentation
People have the right to submit a request to a controller asking for a copy of their personal data – a Data Subject Access Request. They can ask for ALL the personal data you hold about them. But this doesn’t mean the organisation is obliged to provide complete documents just because the individual’s name is referenced at some point. The same applies to emails. Requestees are not entitled to receive the full content of every email their name or email address appears in (unless all of the email content is personal data relating to them). DSAR Guide
Sensitive vs special category data
Certain types of personal data require higher levels of protection. Under the previous DPA 1998 the term ‘sensitive data’ was used, but under GDPR the revised term for this is ‘special categories of personal data’ commonly referred to as Special Category Data.
This includes (but isn’t limited to) racial or ethnic origin, biometrics, political opinions, sexual orientation and data concerning health or sex life. This doesn’t mean other types of data aren’t ‘sensitive’, and shouldn’t be handled securely – such as bank details, national insurance numbers, date of birth and so on.
It can be helpful to remember the root of special category data lies in human rights and data protection principles which emerged in Europe after World War Two – a war in which individuals were persecuted for their ethnic background, religious beliefs or indeed sexual orientation. Understanding and handling special category data
I’m going to finish off with another, but very different, quote. As Douglas Adams wrote in The Hitchhiker’s Guide to the Galaxy, ‘DON’T PANIC!’ There’s plenty of help available (this article, for starters 😉 ) and the ICO has published plenty of guidance, including a dedicated SME Hub.