
United Kingdom
Data Protection
Introduction
Data protection has a long tradition in the United Kingdom, dating back to the 1980s — long before the GDPR and even its predecessor, the Data Protection Directive. This tradition continues today, notwithstanding Brexit and the UK Information Commissioner no longer having a ‘seat at the table’ of the European Data Protection Board (EDPB). The UK continues to have a reputation for striking a balance between pragmatism and seeking to be business-friendly on the one hand, and being a serious regulator acting in the interests of UK citizens on the other. The UK also continues to lead the way on various cutting-edge data protection issues, particularly those that relate to technology and the online world, such as artificial intelligence, adtech and children’s privacy. Finally, while the UK’s data protection law is closely based on the GDPR, notable differences are emerging compared to EU countries. This divergence seems likely to increase over time, particularly as at the time of publication the UK is contemplating updating its data protection regime with a new law, the UK Data (Use and Access) Bill (DUA Bill).
1. What national laws regulate the collection, use and disclosure of personal data?
National laws
As of 1 January 2021, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) no longer applies to UK organisations (unless they process EU personal data). Instead, the retained EU law version of the EU GDPR (UK GDPR) applies, along with the Data Protection Act 2018 (DPA 2018). However, at the time of this book’s publication, the UK is considering passing the DUA Bill, which envisages several significant changes to UK data protection law, as noted where relevant below.
Sector-specific laws
Personal data processing is also regulated by some sectoral laws, including:
- the Privacy and Electronic Communications (EC Directive) Regulations (2003/2426) (as amended) (PECR), which regulates the electronic communications sector. PECR implemented the EU e-Privacy Directive (Directive 2002/58/EC), as amended, and has been retained in UK law post-Brexit;
- the Freedom of Information Act 2000, which regulates access to information held by public authorities;
- the Investigatory Powers Act 2016, which regulates access by warrant to data by the UK law enforcement and intelligence agencies; and
- the Investigatory Powers (Interception by Business etc. for Monitoring and Record-keeping Purposes) Regulations 2018, which regulates the interception of business communications.
These sector-specific laws are outside of the scope of this chapter.
2. To whom do the laws apply?
The UK GDPR applies to:
- controllers (i.e. the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) UK GDPR)); and
- processors (i.e. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) UK GDPR)).
The UK regulator responsible for overseeing compliance with the UK GDPR and DPA 2018, the Information Commissioner’s Office (ICO), has issued guidance on the determination of status of controllers, joint controllers, processors and sub-processors.
The DPA 2018 applies to the same entities, and supplements the definition of controller by clarifying that, when processing in order to comply with a legal obligation, it is the controller who must be subject to the legal obligation (section 6 DPA 2018).
3. What is the territorial scope of the law?
The UK GDPR applies to the processing of personal data carried out as part of the activities of:
- controllers and processors established in the UK (regardless of whether the processing occurs within the UK); and
- controllers and processors established outside the UK that process personal data about UK data subjects, where the processing relates to:
- offering goods or services to UK data subjects (including for free); or
- monitoring the behaviour of data subjects that takes place in the UK (Article 3 UK GDPR and section 207(1A) DPA 2018).
Controllers and processors considered “established in the UK” include UK-registered companies, UK-formed partnerships or other unincorporated associations, and any other organisation which maintains and carries on activities through an office, branch, agency or other stable arrangements (section 207(7) DPA 2018).
4. What acts and operations relating to personal data are regulated?
The UK GDPR applies to the processing:
- of personal data wholly or partly by automated means; and
- other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (Article 2(1) UK GDPR).
“Filing system” is defined in Article 4(6) UK GDPR.
Processing is defined as any operation or set of operations that is performed on personal data or sets of personal data, whether automated or not, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) UK GDPR).
The UK GDPR does not apply to personal data processing carried out:
- by an individual in the course of a purely household or personal activity;
- by a competent authority for law enforcement purposes (see instead Part 3 of the DPA 2018); or
- for intelligence services processing (see instead Part 4 of the DPA 2018) (Article 2(2) UK GDPR).
The DPA 2018 includes a definition of processing very similar to that in the UK GDPR (section 3(4) DPA 2018) and provides further rules for processing:
- for national security and defence purposes (Chapter 3 of the DPA 2018);
- to disclose personal data contained in administrative and official documents (Chapter 3 of the DPA 2018);
- for journalistic, academic, artistic or literary purposes (section 16 and Schedule 2 of the DPA 2018); and
- for archiving in the public interest, scientific or historical research, or statistical purposes (section 19 and Schedule 2 of the DPA 2018).
5. What personal data does the law regulate?
The UK GDPR defines personal data as information relating to an identified or identifiable natural person (“data subject”), where an identifiable natural person is one who can be identified, directly or indirectly, by reference to identifiers including:
- name, telephone number and address;
- date of birth;
- job title;
- location data;
- online identifiers, including IP addresses, cookies, and radio frequency identification tags;
- physical, physiological, genetic, mental, economic, cultural or social identity; or
- automated data (Article 4(1) and Recital 30 UK GDPR).
ICO guidance states that assessment of whether an individual is identifiable requires consideration of whether online identifiers, on their own or in combination with other information that may be available to those processing the data, may be used to distinguish users from one another, possibly by the creation of profiles of the individuals to identify them.
The DPA 2018 defines personal data in a substantially similar way.
Pseudonymous data is considered personal data and is therefore within scope of the UK GDPR and DPA 2018 (Recital 26 UK GDPR and ICO guidance “ICO: Guide to the GDPR: Is pseudonymised data still personal data?”).
On the other hand, anonymous data is not considered personal data and is therefore not within scope of the UK GDPR or DPA 2018 (Recital 26 UK GDPR). Information is only considered anonymous if there are no reasonably available means by which to re-identify individuals.
6. Are any types of personal data subject to a higher level of protection under the law?
Special category data and criminal offence data
The UK GDPR and DPA 2018 provide for more stringent protection for:
- special categories of personal data (“special category data”); and
- personal data relating to criminal convictions and offences or related security measures, including alleged offences and information about proceedings connected to an offence or alleged offence (“criminal offence data”) (Articles 9 and 10 UK GDPR and section 11 DPA 2018).
Special category data includes:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions, religious or philosophical beliefs, or trade union membership;
- genetic data;
- biometric data processed for the purpose of uniquely identifying an individual;
- data concerning health; and
- data concerning an individual’s sex life or sexual orientation (Article 9(1) UK GDPR).
The DUA Bill enables additional classes of personal data to be classified as special category data under Article 9 UK GDPR by way of secondary legislation, so this list may be expanded in future.
Children’s data
Children’s data is also considered as requiring additional protection under the UK data protection regime. For example:
- information, such as privacy notices, must be conveyed to children in clear and plain language so that they can easily understand it (Recital 58 UK GDPR);
- online service providers offering services directly to children in the UK (referred to in UK GDPR as information society services) can only obtain valid consent for processing in relation to the service from children aged 13 and over; children younger than 13 must have a parent or guardian provide consent on their behalf (Article 8(1) and (2) UK GDPR);
- a data subject’s right to erasure is particularly relevant if the data subject provided their consent (whether online or offline) when they were a child (Recital 65 UK GDPR);
- organisations must not make decisions about children based solely on automated decision making if this will have a legal or similarly significant effect on the child (subject to exceptions) (Recital 71 UK GDPR); and
- organisations providing online services and products likely to be accessed by under-18s are subject to the ICO’s Age Appropriate Design Code of Practice (also called the Children’s Code). This contains 15 standards for designing and developing processes.
The ICO considers a child to mean an individual under the age of 18.
7. What requirements must be fulfilled in order to process personal data?
Lawful basis
Processing of personal data requires the controller to satisfy one of the lawful bases under Article 6 UK GDPR as follows:
- the data subject has provided consent to the processing;
- necessity to enter into or perform a contract with the data subject, or to take pre-contractual steps at the request of the data subject;
- necessity for the controller to comply with a legal obligation;
- necessity to protect the vital interests of the data subject or another individual;
- necessity to perform a task carried out in the public interest, or in the exercise of official authority vested in the controller; and
- necessity to pursue the legitimate interests of the controller or a third party, unless these are outweighed by the data subject’s interests or fundamental rights and freedoms.
The DUA Bill sets out several discrete recognised legitimate interests that controllers may rely on for processing without the need for a legitimate interest assessment, including safeguarding vulnerable individuals. It also solidifies examples of processing listed in Recitals 47 – 49 UK GDPR that may be considered necessary for the purposes of legitimate interest, including direct marketing and intra-group sharing of data for internal administrative purposes.
Special category data
Processing of special category data is only permitted where an exception under Article 9(2) UK GDPR applies, in addition to a lawful basis under Article 6 UK GDPR. The exceptions, as supplemented by additional requirements pursuant to sections 10 and 11 and Schedule 1 of the DPA 2018, are as follows:
- the data subject provides explicit consent to the processing (Article 9(2)(a) UK GDPR);
- the processing is necessary for compliance with the controller’s obligations and exercising the rights of the controller or data subject in the field of employment law, social security and social protection (Article 9(2)(b) UK GDPR and section 10(2) and paragraph 1 of Schedule 1 of the DPA 2018);
- the processing is necessary for protecting the vital interests of a data subject or another natural person and the data subject is physically or legally incapable of consenting (Article 9(2)(c) UK GDPR);
- the processing relates to the legitimate activities of certain non-profit organisations, is based on appropriate safeguards, and relates to certain persons (Article 9(2)(d) UK GDPR);
- the processing relates to personal data made public by the data subject (Article 9(2)(e) UK GDPR);
- the processing is necessary for establishing, exercising or defending legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f) UK GDPR);
- the processing is necessary for reasons of substantial public interest (Article 9(2)(g) UK GDPR and section 10(3) and Schedule 1 of the DPA 2018);
- the processing is necessary for purposes of preventative or occupational medicine to assess a data subject’s working capacity, medical diagnosis, or for the provision of health or social care or treatment, the management of health or social care systems or services, or under a contract with a healthcare professional, subject to certain conditions and safeguards (Article 9(2)(h) UK GDPR and section 10(2) and paragraph 2 of Schedule 1 of the DPA 2018);
- the processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i) UK GDPR and section 10(2) and paragraph 3 of Schedule 1 of the DPA 2018);
- the processing is necessary for archiving in the public interest (Article 9(2)(j) UK GDPR and sections 10(2) and 19 and paragraph 4 of Schedule 4 of the DPA 2018); and
- the processing is necessary for scientific or historical research, or statistical purposes (Article 9(2)(j) UK GDPR and paragraph 4 of Schedule 1 of the DPA 2018).
Criminal offence data
Processing of criminal offence data is only permitted if it is either carried out under the control of an official authority (such as the police), or if the processing is authorised in UK law and UK law provides for appropriate safeguards for data subjects’ rights and freedoms (Article 10 UK GDPR).
Processing criminal offence data is only permitted where a lawful basis under Articles 6 and 10 UK GDPR applies. The DPA 2018 specifies that organisations may only process criminal offence data if one of the grounds in Parts 1-3 of Schedule 1 of the DPA 2018 applies, unless the organisation is processing the personal data in an “official capacity” (section 10 DPA 2018).
Consent
Consent to personal data processing must be freely given, specific, informed, unambiguous and provided by clear affirmative action, including in writing, by electronic means (e.g. ticking a box on a website or choosing a technical setting), or orally. Silence, pre-ticked boxes or inactivity are insufficient to constitute valid consent. Requests for consent must be kept separate from other terms and conditions, and should be sought separately in respect of each processing purpose. Consent must also be revocable at any time, as easily as it was granted (Articles 4(11) and 7(2) and (3) and Recital 32 UK GDPR).
Recital 43 UK GDPR also states that consent must not be made a condition of using a service if the processing is not necessary for that service.
Exemptions
The main exemptions from specific provisions of the UK GDPR apply in respect of processing for specific purposes (sections 15 and 26 and Schedules 2-4 of the DPA 2018). These include:
- the prevention or detection of crime;
- the collection and assessment of tax;
- disclosure of personal data required by law, or in connection with legal proceedings or the procurement of legal advice;
- research, statistical and historical purposes;
- journalism, literary and artistic purposes; and
- national security and defence (Article 86A UK GDPR).
However, these are not absolute exemptions; they apply only to the extent that compliance with the specified provisions would prejudice the purpose of the exemption.
8. What obligations apply when processing personal data?
Data protection principles
Personal data processing must be carried out in compliance with the six data protection principles under Article 5(1) UK GDPR:
- controllers must process personal data lawfully, fairly and in a transparent manner in relation to the data subject;
- controllers must only process personal data for specified, explicit and legitimate purposes, and not for additional, incompatible purposes (purpose limitation);
- controllers must only process personal data that is adequate, relevant and limited to what is necessary for the purposes of the processing (data minimisation);
- personal data must be accurate and up to date, and controllers must take reasonable steps to erase or rectify inaccurate data without delay (accuracy);
- controllers should not store personal data in a form that permits identification of data subjects for longer than is necessary for the purposes of the processing (personal data processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes may be stored for longer periods, where appropriate technical and organisational measures to safeguard data subjects’ rights and freedoms are in place) (storage limitation) (Article 89(1) UK GDPR); and
- controllers must process personal data in a manner that ensures appropriate security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing or accidental loss, destruction or damage (integrity and confidentiality).
Controllers must demonstrate compliance with these principles (Article 5(2) UK GDPR). This is referred to as “accountability”.
Other obligations
Controllers must also:
- facilitate the exercise of data subjects’ rights and provide clear and accessible information to data subjects about the processing (including with regards to who the personal data has been shared with/received from);
- keep records of processing activities;
- satisfy certain requirements when engaging processors;
- conduct data protection impact assessments (DPIA) in respect of “high risk” processing;
- record all personal data breaches, and report them to the ICO and data subjects where they meet the requisite risk thresholds;
- register with the ICO; and
- designate a data protection officer (DPO) in certain circumstances.
9. What rights does the data subject have in relation to personal data?
Data subjects have rights in relation to their personal data including with respect to:
- information about the processing at the point of data collection; the specific information required depends on whether the data is collected from the data subject or from a third party (Articles 12-14 UK GDPR);
- access, correction and receipt of a copy of the personal data (Articles 12, 15 and 20 UK GDPR);
- objecting to or restricting the processing (Articles 18 and 21 UK GDPR);
- erasing the personal data or transferring it to another controller (Articles 17 and 20 UK GDPR); and
- not being subject to automated decision-making, including profiling (Article 22 UK GDPR).
These rights are subject to certain exemptions.
10. What rules regulate the sending of commercial or direct marketing communications?
Data subjects have the right to object to the processing of their personal data for direct marketing purposes (Article 21(3) UK GDPR).
Electronic communications
Requirements for sending unsolicited electronic commercial communications (e.g. SMS, email, instant messaging) are governed by PECR.
Organisations may only send electronic marketing communications without consent in reliance on the “soft opt-in”, where the following conditions are met:
- the recipient’s contact details were obtained by the sender in the context of a sale (or negotiation of a sale) of a product or service to the recipient;
- the marketing communication solely relates to the sender’s own products or services, which must be similar to those previously sold to the recipient; and
- the recipient has the opportunity to opt out of their information being used for direct marketing, both when their details were first collected and in every subsequent communication (Regulation 22 PECR).
The PECR rules do not apply to electronic marketing sent to “corporate subscribers”, which is therefore likely to exempt most business-to-business marketing.
Telemarketing
Organisations must not carry out telemarketing to individuals or corporate subscribers who have registered with the Telephone Preference Service, Corporate Telephone Service or have previously opted out (Regulation 21 PECR). Automated calling systems can only be used with the recipient’s prior consent (Regulation 19 PECR).
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Personal data transfers are permitted to a country outside the UK subject to:
- an adequacy regulation in respect of the recipient country (Article 45 UK GDPR and sections 17A-3 and Part of Schedule 21 of the DPA 2018);
- appropriate safeguards, such as standard contractual clauses or UK binding corporate rules (Article 46 UK GDPR and sections 17C and 119A of the DPA 2018); or
- an applicable derogation or the transfer being non-repetitive (Article 49 UK GDPR).
The UK has adequacy regulations for the European Economic Area countries, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, and partial findings for Canada, Japan and the United States.
Note that the DUA Bill provides for a new test for determining adequacy status, in the form of considering whether the standard of protection in the recipient country is materially lower than under UK law (as opposed to “essentially equivalent” under GDPR).
In order to rely on a safeguard under Article 46 UK GDPR, the controller should carry out a transfer risk assessment (TRA) to determine that the safeguard provides sufficient protection. The ICO has issued guidance on carrying out TRAs, including its own tool, and organisations are also permitted to use the EDPB’s methodologies.
As part of the safeguards, the ICO has issued two sets of standard clauses — the International Data Transfer Agreement, and the International Data Transfer Addendum — to the EU standard contractual clauses issued by the European Commission on 4 June 2021. The Addendum permits use of the EU SCCs for transfers under the UK GDPR.
Data transfer agreements based on UK Binding Corporate Rules must be approved by the ICO.
12. What are the investigatory and enforcement powers of the regulator?
The ICO has the power to issue assessment, information, enforcement and penalty notices; to enter and inspect premises; to conduct consensual audits of processing activities; and to prosecute controllers who commit offences under the DPA 2018 (sections 129, 142-158 and 170-173 and Schedules 15 and 16 of the DPA 2018). The ICO also has powers specified in Article 58 UK GDPR.
13. What are the sanctions and remedies for non-compliance with data protection laws?
The ICO can issue fines of up to GBP 17.5m or 4% of global turnover, or GBP 7.5m or 2% of global turnover, depending on which provisions of the UK GDPR and DPA 2018 respectively have been infringed (section 157 DPA 2018). Under the DUA Bill, equivalent enforcement powers will apply to ePrivacy breaches, raising the stakes as compared to the existing cap under PECR.
Data subjects can complain to the ICO if they consider that their personal data has been processed unlawfully, and can seek judicial recourse if they consider that their data subject rights have been breached. Data subjects can also claim compensation for material or non-material damage, including distress, caused by infringement of the UK GDPR (Articles 57 and 82 UK GDPR and sections 165-169 DPA 2018).
Under the DPA 2018, it is a criminal offence to obtain personal data unlawfully, re-identify (and process) de-identified personal data, or alter personal data in order to prevent disclosure to the data subject (sections 170-173 DPA 2018).