GDPR Compliance

Health, genetic, and biometric data, religious beliefs, political opinions, racial or ethnic details, membership in a trade union, and sexual practices and orientation are considered special category data. Because of the sensitive nature of this data, the GDPR requires additional protection of this information.

Both the EU and UK GDPR have seven core data protection principles for the lawful processing of personal data.

1. Lawfulness, fairness and transparency – Information must be used in a manner that is lawful, fair, and transparent. When information is given, data subjects must be told why the data is collected and how it will be used. Additionally, a company must be able to provide details to individuals about what information they have collected about them when asked.
2. Purpose limitation – The purpose for collection must be identified at the point of collection and not subsequently changed unless it is compatible with the original purpose.
3. Data minimisation – Ensure personal data processed is adequate, relevant, and limited to what is necessary.
4. Accuracy – Keep personal data accurate and up to date.
5. Storage limitation – Keep personal data in an identifiable form only for as long as needed to fulfil its original collection purpose.
6. Appropriate security – Implement the Confidentiality, Integrity, Availability triad to ensure appropriate security measures protect the data. Organisations are charged with safeguarding personal information collected from their data subjects. They also must invest in a safety plan to protect this information from security breaches.
7. Accountability – Organisations must be able to demonstrate their compliance.

The Information Commissioner’s Office (“ICO”) is the UK’s independent regulatory office in charge of overseeing compliance with the UK GDPR. The ICO’s significant investigative, corrective and enforcement power include the ability to:

• order Controllers and Processors to prove their GDPR compliance;
• perform a data protection audit;
• stop an organization from processing personal data;
• access premises, issue warnings, and suspend data flows to third countries;
• impose financial penalties.

Organisations are required to use appropriate technical and organizational measures to ensure confidentiality, integrity and availability of systems and services and the personal data processed within them, test the effectiveness of such safety measures, and encrypt data and devices whenever possible.

Note, if data can be truly anonymized, then it is outside the scope of GDPR. If data cannot be anonymized, companies should consider pseudonymisation.

Those companies who violate the GDPR’s privacy and security standards face steep fines. Depending on the nature, gravity, and duration of the noncompliance, fines can be up to £17.5 million (€20 million in the EU) or 4% of annual global turnover – whichever is greater – for infringements.

In the digital era, cross-border data access, use, and exchange are needed to sustain and develop global commerce and share health and safety information. Manufacturing, retail, services, agriculture, and even medical research on COVID are all reliant on data and the global flow of that data.

Granted by the European Commission to countries outside the European Economic Area (EEA), and by the UK to areas outside of the UK and EEA, data adequacy is a status awarded to a country who has proven that it provides a level of personal data protection comparable to strict GDPR standards. Once a country has been awarded this, information is allowed to pass freely between it and the EEA or the UK without additional safeguards required.

Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission to allow for the free flow of personal data from the EU into the UK to continue past 30 June 2021, when the ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement is set to expire.

When sending personal data outside of the UK to jurisdictions (like the United States) that are not considered “adequate”, appropriate safeguards must be put in place prior to transfer in order to protect personal data the same way as it would be in the UK.

At present, an ‘adequacy’ bridge agreed in the 2020 Trade and Cooperation Agreement allows for the free flow of personal data from the EU into the UK. It is set to expire on 30 June 2021.

Post-Brexit, the UK is working towards the adoption of an adequacy decision by the European Commission. In February, after nine months of assessing the UK’s domestic law and practice on personal data protection, the Commission determined that the UK does ensure essentially equivalent personal data protection to that provided under the General Data Protection Regulation (GDPR).

The next stage is for the European Data Protection Board to provide a non-binding opinion, and after taking the opinion into account, the Commission will then send the draft decision to EU Member States for formal approval: the European Commission may then adopt the decision.