What is UK GDPR?
The UK GDPR is the main data protection law in the United Kingdom, and, as the name suggests, is the UK’s version of the EU’s GDPR, following Brexit.
This law came into effect in January 2021 and it sets out the main rights, obligations and principles for the processing of data in the UK, including exemptions for law enforcement and intelligence agencies.
With the help of the DPA 2018, which sets out the framework for data privacy in the UK, this law helps you stay both informed and compliant if your business operates in a UK context, as well as a European one.
One key takeaway is that data controllers are obliged to register with the ICO, pass the self-assessment and also pay the fee which ranges between £40 and £2,900, depending on the tier you fall into.
What is Personal Information and what are other key definitions?
Just like with any other data privacy regulation, it is important to keep in mind the definition of key words.
The UK GDPR defines ‘personal data’ as “any information relating to an identified or identifiable living individual,” the same as the EU GDPR, and ‘identifiable living individual’ as “a living individual who can be identified, directly or indirectly, in particular by reference to:
- an identifier such as a name, an identification number, location data or an online identifier, or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
However, one thing that stands out with this privacy law is that it offers a more comprehensive definition of ‘processing,’ namely, “an operation or set of operations which is performed on information, or on sets of information, such as—
- collection, recording, organization, structuring or storage,
- adaptation or alteration,
- retrieval, consultation or use,
- disclosure by transmission, dissemination or otherwise making available,
- alignment or combination, or
- restriction, erasure or destruction.”
There are also special categories of data and personal data relating to criminal convictions and offenses for which processing is restricted to more limited circumstances.
Also, the UK GDPR offers a definition of ‘sensitive processing’, meaning
- “the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
- the processing of data concerning health;
- the processing of data concerning an individual's sex life or sexual orientation.”
Who has to comply with the UK GDPR?
Where the EU GDPR applies to any controller or processor in the context of the EU, the UK GDPR applies in the same way to controllers and processors, but in the context of the UK.
Who is excluded from UK GDPR compliance?
Same as the EU GDPR, the UK GDPR does not exclude businesses based on size, revenue or location, but it can exclude certain types of data such as:
- Data processed by a natural person “in the course of a purely personal or household activity”.
- Anonymised information.
- Personal data of deceased persons.
- Data processing done in the context of national security or law enforcement.
- Data processing done in the context of journalism, since the law cannot be used to suppress the free press.
- Data processing done in the context of education.
How can I keep my organization UK GDPR compliant?
Similar to the EU GDPR, the UK data privacy law sets out six key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
These can be summarized in the following steps you can take:
- Processing of data has to be both lawful and fair. The lawful basis for data processing is defined here as “processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller's official authority” and it includes the processing of data that is necessary for the purposes of justice administration, for the exercising of an official function conferred by the governing authorities or by the law, or for the support and promotion of democratic engagement.
- Your website visitors have to be informed in a clear manner of the collection of their data, and they have to give consent for this. You must keep a record of the consent received. In addition, you must limit the use of the data to the initial purpose for which it was collected.
- Make sure that the data you collect is adequate, relevant, and limited to what is necessary.
- The data you collect and/or process has to be accurate. In this regard, you are required to take all reasonable steps to ensure accuracy, to keep the data updated and to consider any challenges that may be raised against the accuracy of the data.
- Storage of data that you collected must not exceed the necessary retention period. To ensure this, you are required to set up a policy outlining retention periods and you should also consider periodical reviews of the data you hold as well as erasing or anonymising the data you no longer need.
- Any personal data you process must be processed in such a manner so as to ensure “appropriate security of the personal data, using appropriate technical or organizational measures (and, in this principle, “appropriate security” includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage).” In this, the UK and the EU GDPR are similar.
In addition to these six principles, the text of the law suggests safeguards designed to protect the data you collect. Also, remember that as a data controller you are required to register with the ICO and pay the data protection fee.
What data access rights does UK GDPR grant?
The UK GDPR confers the following access rights:
- The right to be informed - individuals have a right to know that their data is being collected and processed at the time of collection. This can be done via a privacy information section.
- The right of access - individuals have the right to access the data you hold about them in an easily accessible format, but which is disclosed in a secure manner.
- The right to rectification - individuals can request that the data you hold about them is rectified if said data is inaccurate.
- The right to erasure - unless the data must be kept for the purposes of evidence, individuals can request that their data be deleted. This is also known as the right to be forgotten.
- The right to restrict processing - individuals have the right to restrict the processing of their data under certain circumstances, such as if the data is inaccurate or they believe their data has been processed unlawfully.
- The right to data portability - the same as with the EU GDPR, individuals have a right to receive the personal data you hold about them, which they have provided you with, “in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
- The right to object - in certain circumstances, individuals can object to the processing of their data and can stop their data from being used for direct marketing purposes.
- Rights in relation to automated decision making and profiling - as under the EU GDPR, individuals have the right not to be subject “to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
How to address data subject access requests under UK GDPR?
DSARs have to be replied to within one month of receipt; this period can be extended by a further two months, depending on the complexity of the request or the number of requests received.
Similarly to the EU GDPR, your company should have an appointed DPO if you are a public body, or if you carry out certain types of activities.
Before answering the request, you have to verify the identity of the individual.
Once the request has been authenticated, you have to reply to the request, or inform the individual if you refuse to process the request, together with the reason for the refusal.
If your answer to the request is a favorable one, the individual has to be provided with the requested information in a format that is easy to access.
Enforcement and penalties
Compliance with the UK GDPR is monitored by the Information Commissioner’s Office (ICO), which can also enforce penalties for non-compliance.
An individual who considers that their rights have been infringed has an individual right of action against your company, which they can exercise by lodging a complaint with the ICO.
Following a complaint lodged with it, the ICO will issue a notice of intent, informing you that it intends to issue a penalty notice for non-compliance. The penalty will be imposed if the violation is not cured, and its amount will depend on the individual circumstances of each case, but for severe violations the penalty can go up to £17,500,000 (around $20 million) or 4% of annual worldwide turnover, whichever is higher.
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.