Inside the United Kingdom’s Data Protection Laws

How every organization can prepare for the Data Protection Act 2018 and UK GDPR in a post-Brexit world

The UK’s official departure from the European Union in early 2020 created a significant wave of change in the country’s laws, including data protection. Although the EU’s GDPR would no longer apply, the UK acted quickly to codify its principles into national law by creating the UK GDPR. The UK GDPR now lives alongside the Data Protection Act 2018 (DPA 2018), which the UK previously introduced alongside the EU GDPR as a way to implement the law. The DPA 2018 still serves the same purpose, however now it works in conjunction with the UK GDPR.

Under these updates, many of the same principles from the EU GDPR still apply: Individuals have specific rights like opting in to data collection and the right to be forgotten, controllers that process personal data must comply with data protection principles and have a lawful basis for processing personal data, and non-compliance carries fines of up to 4% of annual worldwide turnover or £17.5 million (whichever is higher).

That said, the UK’s law is not an exact carbon copy of the EU’s, and in addition to the changes the UK has already made, more proposed changes are on the horizon. With that in mind, it’s important for every global organization that processes data on UK residents to understand the law and keep track of continued changes.

Who Must Adhere to Data Protection Laws in the UK

Much like with the EU’s GDPR, any organization that processes data on individuals located in the UK must adhere to the country’s privacy laws, regardless of where the organization is located. Specifically, the UK GDPR calls out processing activities related to offering goods and services to individuals located in the UK as well as monitoring the behavior of individuals located in the UK as areas in which the law’s extraterritorial scope applies.

Also like its EU counterpart, the UK GDPR clearly defines controllers (the party that determines the purposes and means of the processing of personal data) and processors (the party that processes personal data on behalf of the controller). Both controllers and processors must follow certain requirements under the DPA 2018 and UK GDPR. These requirements cover:

  • Personal data: Any information relating to an identified or identifiable natural person, including but not limited to name, ID number, phone number, and location data.
  • Special categories of personal data: More sensitive types of data, including data about race, religion, sexual life, health, genetics, biometrics, and criminal convictions and offences, are subject to tighter requirements.
  • Transferring data outside the UK: Controllers and processors can only transfer personal data to specific countries that have been deemed to have adequate controls in place or in situations where the organization creates the appropriate safeguards.

Finally, the UK GDPR outlines certain exemptions to compliance, which include:

  • Processing covered by the Law Enforcement Directive
  • Processing for national security purposes
  • Processing carried out by individuals purely for personal/household activities

Need help including privacy regulations in your incident response plan?

Leverage the BreachRx platform to make your plans actionable today!

How the UK Enforces the DPA 2018 and UK GDPR

The UK has established the Information Commissioner Officer (ICO) as the supervisory authority responsible for enforcing the country’s data protection laws and providing guidance on enforcement. The ICO has broad powers to investigate potential instances of non-compliance with data protection laws and to correct issues, for example by conducting data protection audits, issuing public warnings, and issuing orders for remediation activities.

The ICO can also impose monetary penalties for non-compliance. These penalties cover the following categories:

Fines of up to 4% of total worldwide turnover of the preceding year or £17.5 million (whichever is higher) in cases where organizations fail to comply with:

  • Basic principles for processing
  • Data subjects’ rights
  • International transfer restrictions
  • Obligations imposed by domestic law for special cases, such as processing employee data
  • Orders issued by a supervisory authority

Fines of up to 2% of total worldwide turnover of the preceding year or £8.7 million (whichever is the higher) in cases where organizations fail to comply with obligations that apply to:

  • Controllers and processors (e.g. security and data breach notification requirements)
  • Certification bodies
  • Monitoring bodies

Criminal penalties for two offenses, although there have only been financial penalties issued in these cases to date: 

  • Re-identifying de-identified personal data without the consent of the controller
  • Altering personal data to prevent disclosure following an access request from the data subject

Finally, individuals can also lodge a complaint with the ICO and bring private claims against controllers and processors in cases where they have suffered material or non-material (i.e. distress) damage following a data breach. 

Controller and Processor Obligations Under the DPA 2018 and UK GDPR

Controllers and processors are subject to several obligations relating to data protection under the DPA 2018 and UK GDPR. Some of the most notable obligations include:

  • Appointing a Data Protection Officer: Every controller or processor must appoint a Data Protection Officer (DPO) that has expert knowledge of data protection laws and practices. The DPO must directly report to the highest management level, can not be told what to do or penalized in any way for performing the tasks they deem necessary, and must be involved in all issues related to personal data protection. They should also be responsible for monitoring compliance with UK data protection laws and serving as the point of contact for the ICO.
  • Issuing notifications following a data breach: Any controller or processor that experiences a data breach must investigate the incident and issue certain notifications accordingly. The DPO is responsible for leading these efforts and assigning responsibilities within the organization for response efforts.

Incident Response Measures Required by the UK’s Data Protection Laws

Any controller or processor that experiences a personal data breach must go into incident response mode by issuing certain notifications. 

What is a personal data breach?

The UK GDPR defines a personal data breach as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. In short, it’s any incident that affects the confidentiality, integrity or availability of personal data.

What happens after a breach occurs?

Following a security incident, organizations must take steps to contain the breach and assess the potential risk for affected individuals based on the seriousness of the negative consequences that could occur and the likelihood of those consequences happening. The organization must then issue the appropriate data breach notifications based on this assessment.

What types of data breach notifications do organizations need to issue?

Organizations that experience a data breach must notify the ICO unless they can demonstrate that the breach is unlikely to result in a risk to rights or freedoms. The UK GDPR’s accountability principle requires organizations to document the reasoning for this decision, the facts of the breach, and any remedial action taken.

They must also notify affected individuals if the data breach is likely to result in a high risk to those individuals’ rights and freedoms. The ICO provides guidance on determining the level of risk, which includes assessing  (1) the severity of the potential or actual impact on affected individuals and (2) the likelihood of this impact occurring. Importantly, the ICO notes that one of the primary reasons for notifying individuals about high risk breaches is to help them protect themselves from the potential impact.

How to notify the ICO about a data breach

Organizations must report all qualifying breaches to the ICO without undue delay, no later than 72 hours after becoming aware of it. Any delays to this reporting must include a reason why. If the organization does not have all of the necessary information within 72 hours, they can submit the information in phases, but should not delay the initial notification or any follow-ups.

The ICO offers a self-assessment for organizations to determine whether or not they need to report a breach, found here, and an online form to officially notify the ICO about a qualifying breach, found here.

The notification to the ICO must include the following information:

  • A description of the personal data breach including (where possible), the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned
  • Name and contact details of the Data Protection Officer or other contact point for more information
  • A description of the likely consequences of the personal data breach
  • A description of the measures already taken or planned to deal with the personal data breach and mitigate any possible adverse effects

How to notify affected individuals about a data breach

Organizations that experience a personal data breach that creates a high risk for individuals must also notify those individuals without undue delay (however the timing requirements here are not as specific as they are for notifications to the ICO).

The notification to individuals should use clear, plain language to describe the nature of breach and include:

  • Name and contact details of the Data Protection Officer or other contact point for more information
  • A description of the likely consequences of the personal data breach
  • A description of the measures already taken or planned to deal with the personal data breach and mitigate any possible adverse effects
  • Specific advice on steps individuals can take to protect themselves and what the organizations is doing to help (if possible), such as forcing a password reset, advising the use of strong, unique passwords, and warning individuals to look out for phishing emails or fraudulent activity

Need help with an incident response strategy?

Leverage the BreachRx platform to build an actionable incident response plan today!

What Can Trigger a Notification Under the UK’s Data Protection Laws?

Any breach of personal data can qualify as a notifiable incident under the UK’s data protection laws. Importantly, the definition of a breach includes more than just security incidents. Situations in which data gets lost or shared incorrectly can also qualify as a breach. Here are some common examples of situations that can trigger a notification in the UK:

Ransomware

In a ransomware attack, hackers use malware to steal data and hold it captive in exchange for a ransom payment. Regardless of whether or not the company can retrieve their data, if personal data was involved, these details were exposed and could create risk for the data subjects.

Mistakenly Exposed Data

If a company mistakenly exposes data, for example by sending personal data to the wrong person or sharing sensitive data over an insecure channel, they may create risk for the data subject. In these cases, companies will need to weigh the risk as well as their ability to correct the issue to determine if the incident requires a notification.

Password Attacks

In a password attack, a hacker gains unauthorized access to a legitimate user’s password (i.e. through a social engineering attack, password database, or guessing simple passwords) and can then access secure systems. Once unauthorized users have access to secure systems, personal data becomes vulnerable to exposure, which can trigger a notification.

What Do Companies Need to Prepare for the DPA 2018 and UK GDPR?

Like most other global privacy regulations, the UK’s data protection laws require companies to be proactive about securing individuals’ personal data and responding to any incidents that occur. Becoming proactive starts by gaining visibility into data, including practices for collecting, storing, and using it, and establishing clear security measures to protect that data. Another important element is assigning responsibility within the organization for who will own various elements of the incident response plan.

From there, organizations should think through three important phases of incident response preparation to ensure compliance with the DPA 2018 and UK GDPR:

Readiness

At a time when data breaches are inevitable, no organization can afford not to be ready for one to happen. In fact, proactively preparing incident response plans can reduce the costs of handling a breach and help return to business as usual faster. This readiness should include:

  • Reviewing the requirements outlined in regulations like the DPA 2018 and UK GDPR as well as in customer and partner contracts
  • Developing clear incident response plans based on those regulations and contracts

Response

Not only does the UK require organizations to respond to an incident by issuing the appropriate notifications within 72 hours, but the faster companies can respond, the better off they’ll be. That’s because a faster response can help stem the fallout and retain customer trust. Jumping in with a quick and confident response requires:

  • Identifying what happened, how it happened, who was affected, and potential consequences
  • Working across teams to issue the proper notifications based on applicable laws, like the DPA 2018 and UK GDPR
  • Taking action to remediate any issues where possible

Ongoing Management

Incident response planning must be an ongoing effort. This continued attention is important to capture changes to laws and contracts in incident response plans and to help return to business as usual following a breach. Key elements of these ongoing efforts include:

  • Introducing a centralized dashboard for reporting and monitoring on incident response plans and updates to regulations and contracts
  • Maintaining stakeholder alignment and awareness of responsibilities by providing access to the dashboard

Take the risk out of your breach response

Automate your incident response today

What Do Companies Need to Know About Data Protection Laws in the UK Post-Brexit?

The UK’s exit from the European Union in 2020 meant a change in data protection laws. Here’s a look at what has already changed in a post-Brexit world, as well as some more changes that are on the horizon.

What’s Already Changed: Data Protection in the UK Post-Brexit

The UK implemented the DPA 2018 alongside the introduction of the EU GDPR as a way to enforce the law in the country. This law stayed in tact after Brexit.

The big change came from the UK’s introduction of the UK GDPR, which essentially copied the EU GDPR for the UK. While the UK made some minor technical changes, on a whole the laws remain quite similar. 

However, this does not mean all is status quo or will continue to be so similar going forward. For example, the supervisory authority responsible for enforcing data protection changed. This means any company that experiences a notifiable privacy incident that affects both EU and UK residents must issue notifications to each supervisory authority.

Additionally, the UK is now a “third country” under the EU GDPR, rather than a “member country.” This has various implications, including the need to appoint an EU representative and the need to consider international data transfers. Currently, data transfers can continue to flow freely between the EU and the UK due to an adequacy decision made following Brexit; but this decision only holds for four years, at which point it will be revisited.

What Might Change Soon: New Updates on the Horizon

As time goes on, we can expect to see more differences between the EU GDPR and the UK GDPR. The first such changes may come sooner rather than later.

At the end of 2021, the UK proposed a slate of changes to the UK GDPR to resolve uncertainties in the current law and strengthen protections in some areas. These changes include:

  • Amending the provisions for data subjects’ access requests
  • Introducing privacy management programs as a compliance requirement
  • Removing the need for consent for analytics cookies and other “low risk” trackers
  • Extending the deadline for the ICO to issue penalty notices from six months to 12 months
  • Removing the requirement for a data protection officer in favor of any suitable individual to lead privacy management
  • Raising the threshold for data breach reporting to the ICO

The ICO also weighed in on many of these proposed changes. Most notable is the proposal to raise the threshold for data breach reporting. The ICO was in favor of this change, noting that more clarity in what qualifies as a notifiable breach would be helpful, as “organizations are sometimes unclear on when and whether they should report a personal data breach, and that this can result in over-reporting of low-risk incidents.” The ICO has its own detailed guidance on when and how to issue breach notifications, including examples, however given these sentiments and the proposed changes, we can expect even more to come on this front.

Staying Compliant Through Proactive Incident Response

The UK’s data protection laws may closely resemble those of the EU, but there are important differences to keep in mind – and these differences will only grow bigger over time. As a result, it’s important for every company that does business in the country to stay up to date with the DPA 2018 and UK GDPR in order to remain compliant.

One of the most important steps to take is to prioritize proactive incident response. This approach is not only important to meeting the UK’s requirement for responding to incidents within 72 hours of discovery, but it can also help reduce penalties, maintain customer trust, and accelerate the return to business as usual.

To achieve this proactive stance, organizations must keep up to date on changes to regulations and the introduction of new regulations (both of which we’ve seen in the UK in the past several years), establish specific incident response plans based on those regulations, assign responsibility for managing those response plans, and regularly revisit those efforts to capture ongoing changes.

Recent Posts

Categories