UK GDPR Quick Guides

Why are our GDPR quick guides so useful?

The General Data Protection Regulation (“GDPR”) has been in force since May 2018. However, data protection is a fluid compliance area with an ever-changing landscape. In the UK, the Data Protection Act 2018 (“DPA18”) supplements the GDPR and sets out how it applies in UK law. It goes hand-in-hand with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amended the retained text of the GDPR so that it continues to work within the UK’s data protection framework following the UK’s departure from the EU.

The GDPR as retained and amended by the Regulations named above is referred to as the “UK GDPR”, and it is read alongside the DPA18. Together they are mandatory for any person or business with data processor and/or data controller obligations. Whether you are reviewing, managing or just starting out, these GDPR quick guides can answer some of your questions.

GDPR Quick Guide Topics

Personal Data

Overview

Information protected under the UK GDPR is known as personal data. The Regulation (Article 4(1)) defines this as: –
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Relevant Articles, Recitals & Legislation

  • GDPR Article 4(1) – Definition of personal data.
  • All GDPR Articles – All Articles relate to the scope and processing of personal data under the GDPR.
  • GDPR Article 9 – Processing of special categories of personal data.
  • All GDPR Recitals – All Recitals relate to the scope and processing of personal data under the GDPR.
  • GDPR Recital 46 – Vital Interests of the Data Subject.
  • GDPR Recital 51 – Protecting Sensitive Personal Data.
  • GDPR Recital 52 – Exceptions to the Prohibition on Processing Special Categories of Personal Data.
  • DPA18 Schedule 1, Parts 1, 2 & 3 – Specific conditions when special category personal data can be processed.

Examples of Personal Data

Whether information is personal data depends on whether it identifies, or could reasonably be combined with other information to identify, a living individual. For example: –

  • A full name and town may not identify anyone on their own if the details are John Smith in London, because many people share them. However, Nazir Bolovoski in Crickhowell could easily identify a single individual, so the same two fields become personal data.
  • Passport and National Insurance numbers are unique to one person and so can identify people on their own, making them personal data with or without any additional information.
  • The definition expressly includes location data and online identifiers, so an IP address, device identifier or cookie identifier that can be linked back to an individual is also personal data (see Recital 30). Pseudonymised data remains personal data while the key needed to re-identify the individual exists.

Special Categories of Personal Data

Special category data is information that is more sensitive than standard personal data. It warrants additional protection under the GDPR because its misuse can have a significant impact on an individual’s fundamental rights and freedoms. Previously referred to as ‘sensitive personal data’, this is data that could be used in a negative or discriminatory way and is usually of a private and personal nature to the individual it relates to.

Article 9 of the UK GDPR singles out certain types of personal data and defines them as ‘special category’ data, prohibiting their processing unless one of the Article 9(2) conditions applies. These are: –

  • Personal data revealing racial or ethnic origin.
  • Personal data revealing political opinions.
  • Personal data revealing religious or philosophical beliefs.
  • Personal data revealing trade union membership.
  • Genetic data.
  • Biometric data (where processed for the purpose of uniquely identifying a natural person).
  • Data concerning health.
  • Data concerning a person’s sex life.
  • Data concerning a person’s sexual orientation.

Schedule 1, Parts 1, 2 & 3 of the Data Protection Act 2018 provide the specific conditions and circumstances under which special category personal data can be processed in the UK, and detail the requirements (such as an appropriate policy document) that organisations are obliged to meet when relying on those conditions.

Additional Resources

Policy Templates & Controls to Buy

Our exclusive 38-page GDPR Data Protection Policy Template can help you to comply with the basic controller and processor obligations under the UK GDPR. If you also need to implement the many other mandatory policies and controls required by the UK GDPR and DPA18, visit our GDPR Toolkit section for market-leading GDPR document toolkits.

If you are unsure which GDPR requirements apply to your business, our highly recommended GDPR Gap Analysis Checklist Tool provides an easy-to-use Excel document with 140+ assessment questions. The tool also includes each related Article and Recital for cross-referencing with the Regulation.

Controllers and Processors

Overview

The UK GDPR applies to ‘controllers’ and ‘processors’, which Article 4 defines as: –

  • Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

An organisation cannot be both data controller and data processor for the same processing activity. For example, if you collect your own employees’ personal data and process it for payroll, you are the data controller for that activity; a payroll bureau that runs the payroll on your instructions is a processor acting on your behalf. However, the same organisation can be a controller for some activities and a processor for others, and two or more organisations that jointly decide the purposes and means of processing are joint controllers (Article 26).

Relevant UK GDPR Articles & Recitals

  • Article 5(2) – The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR principles for processing.
  • Articles 24-31 – Responsibilities, joint controllers, representatives and records of processing.
  • Recital 74 – Responsibilities of the controller.
  • Recital 79 – Allocating joint responsibilities.
  • Recital 80 – Choosing a representative.
  • Recital 81 – Suitability of processors.
  • Recital 82 – Maintain records of processing activities.

What Obligations Do Processors and Controllers Have?

Processors must process personal data only on the documented instructions of the controller, under a written contract containing the terms required by Article 28(3). They must maintain records of the categories of processing carried out on behalf of each controller (Article 30(2)), implement appropriate security measures (Article 32), and notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). Processors can be held directly liable, and fined, for breaches of their own obligations.

Controllers are responsible for ensuring that any processor they use provides sufficient guarantees of suitability (Article 28(1)), and for putting the Article 28 contract in place before processing starts. The controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is carried out in accordance with the UK GDPR (Article 24).

The ‘accountability principle’ is an addition in the GDPR that was not present as an explicit principle in previous data protection legislation. Article 5(2) of the UK GDPR states that the controller shall be responsible for, and be able to demonstrate compliance with, the GDPR principles for processing (‘accountability’). In practice this means keeping evidence: records of processing, policies, DPIAs, contracts and training records.


Data Protection Officers

Overview

“Do we need to appoint a Data Protection Officer (DPO)?”

This is one of the most commonly asked questions from those with GDPR obligations. UK GDPR Articles 37-39 set out the rules and requirements relating to the appointment of a DPO. The Articles cover the controller’s and/or processor’s obligations, requirements and responsibilities, alongside the specific tasks required of the data protection officer themselves.

Relevant UK GDPR Articles & Recitals

  • Articles 37-39 – Sets out the general designation, position and tasks of the data protection officer.
  • Recital 97 – Additional guidance on the appointment and requirements of a DPO.

When to Appoint a DPO

Under Article 37(1), a Data Protection Officer (DPO) must be appointed where: –

  • the processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
  • the core activities of the controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
  • the core activities of the controller/processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Communicate DPO Details

Once a DPO has been appointed, their contact details must be published and communicated to the Commissioner (the ICO), as required by Article 37(7). Article 37(5) states that the DPO must be designated on the basis of their professional qualities. This includes expert knowledge of data protection law and practice, as well as having the resources, independence and ability to fulfil the duties below. Even where appointment is not mandatory, an organisation may appoint a DPO voluntarily, in which case the same Articles 37-39 requirements apply.

DPO Tasks & Duties

  • Inform and advise the organisation and its employees of their obligations pursuant to the UK GDPR. They must also advise upon the Commissioner’s guidelines and any additional data protection provisions.
  • Monitor and audit UK GDPR compliance within the organisation, including policies and controls related to the protection of personal data and processing activities.
  • Assign responsibilities, raise GDPR awareness and source, implement and review employee training.
  • Cooperate with the Commissioner (Supervisory Authority) where required.
  • Act as the point of contact for the Commissioner on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
  • Provide advice where requested with regard to any data protection impact assessment and monitor its performance.
  • Have due regard to, and be aware of, the risks associated with processing operations, considering the nature, scope, context and purposes of processing.

Additional Resources

Policy Templates to Buy

Our standalone DPO Responsibilities Template is just £10 (+VAT). It provides organisations with a customisable template for understanding and setting out the mandatory data protection officer obligations, requirements and duties. Suitable for any industry or business type, more than 10,000 businesses already use our documents.

If you are looking to implement the DPO responsibilities alongside other mandatory data protection policies and controls, visit our GDPR Toolkit section for market-leading GDPR document toolkits.

Data Protection Impact Assessments

Overview

A Data Protection Impact Assessment (DPIA) is an assessment tool used to identify and review the risks associated with processing personal data, including the risks posed to data subjects. It enables a pre-emptive approach: the risks are assessed before processing begins, so the business can apply corrective and mitigating measures to reduce their likelihood and impact.

Relevant Articles & Recitals

  • GDPR Article 35 – Sets out types of processing requiring a data protection impact assessment and the scope of the DPIA.
  • GDPR Recital 84 – Risk Evaluation and Impact Assessment.
  • GDPR Recital 90 – Data Protection Impact Assessment.
  • GDPR Recital 91 – Necessity of a Data Protection Impact Assessment.
  • GDPR Recital 92 – Broader Data Protection Impact Assessment.
  • GDPR Recital 93 – Data Protection Impact Assessment at Authorities.

When to Carry Out a DPIA

Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, a DPIA must be carried out prior to the processing taking place. The GDPR notes that this is a particular requirement where new technologies are being used. A controller must consider the nature, scope, context and purposes of the processing when deciding if an impact assessment is required, and should seek the advice of the DPO where one has been designated (Article 35(2)). Under Article 35(4) the Commissioner publishes a list of processing operations for which a DPIA is mandatory. If the DPIA concludes that the processing would still present a high risk after the planned mitigations, the controller must consult the Commissioner before starting the processing (Article 36).

Pursuant to Article 35(3) and Recitals 84, 89-96, processing likely to result in a high risk include: –

  • Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person(s).
  • Processing on a large scale of special categories of data.
  • Processing on a large scale of personal data relating to criminal convictions and offences.
  • Systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).
  • Where a processing operation is otherwise likely to result in a high risk to the rights and freedoms of an individual.
  • Those activities or processing operations involving the use of new technologies.
  • New processing activities not previously used.
  • Processing considerable amounts of personal data at regional, national or supranational level, which could affect many data subjects.
  • Processing activities making it difficult for the data subject(s) to exercise their rights.

Additional Resources

DPIA Templates and Procedures to Buy

Our standalone Data Protection Impact Assessment Procedures & Template is just £28 (+VAT). Provided in both Excel and Word formats, our DPIA tool is used by thousands of organisations to meet their mandatory data protection obligations.

Assess and evidence all processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. Suitable for any industry or business type, join more than 10,000 businesses already using our documents.

If you are looking for a full suite of GDPR data protection policies, checklists and templates, visit our GDPR Toolkit section for market-leading GDPR document toolkits.