Data Privacy and Protection in UK Law (as of April 2020)
Happily beavering away at filling in a tough job application — I was asked, “What is your present understanding of privacy laws in the UK?” Funnily enough, my answer didn’t fit in the word count box. It seemed a shame to cut my research short — so here’s my full answer! It might be useful.
I’ve been hankering to change my career since last fall. I have worked as a developer ever since graduating way back in 2005. I started off as a Flash Developer (I know, right), then progressed into Web Tech. For the last 2+ years I’ve split my time between freelance development and working for the BBC as a Technologist for an internal technology insights team, BBC Blue Room. I’ve totally fallen in love with working within this specialism. I’m giving every commitment to finding a job that progresses me to the next level, within Government / Policy / Governance / Foreign Diplomacy, with a focus on AI / ML / Algorithms / Cyber Security / Insight / Media Manipulation / Emerging Technology.
Now, I can’t reveal who this application was with. I can, though, safely share the factual information which formed part of my answer to one of the questions. To my surprise, whilst researching I didn’t find a single resource which simply outlined the laws and regulations as a list. So I thought it could make for a helpful tech insight article.
No more waffle from me. Here’s a list of current, in-force UK laws with regard to Data Privacy and Protection, including amendments in response to Brexit; new rules negotiated during the transition period take effect from 1st January 2021. Enjoy!
The EU’s General Data Protection Regulation (GDPR)
Effective from 23rd May 2018, the UK Data Protection Act 2018 (DPA) implements the legislation set out in GDPR in UK law. The 2018 Act supersedes the Data Protection Act 1998. The legislation defines personal data as any information that can identify an individual, either directly or indirectly. GDPR uses seven principles:
- Fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality [‘security’]
- Accountability
Failure to comply with these seven principles can carry heavy fines of up to €20 million or 4% of total worldwide annual turnover, whichever is the higher amount.
GDPR also sets out the rights a ‘data subject’ (an individual) has over the data stored about them:
- To be informed
- Erasure [the right ‘to be forgotten’]
- Restriction of processing
- To object
- Rights in relation to automated individual decision-making and profiling
The Keeling Schedules
Brexit means amendments to the DPA 2018 are required. The Department for Digital, Culture, Media and Sport published the ‘Keeling Schedules’ on 13th December 2018 (last updated on 23rd April 2019). These documents act as guidance outlining the planned amendments and will sit alongside the DPA 2018. The UK Government’s intention is to produce a ‘UK GDPR’ and write it into UK law, whilst the EU’s GDPR will no longer apply to the UK after the Brexit transition period ends. Principles, obligations and rights look as though they will remain the same; the predominant amendments seem to affect the rules for transferring personal data between the UK and the EEA states. You can access the Keeling Schedules here.
The Privacy and Electronic Communications (EU Directive) Regulations 2003 (PECR)
PECR applies alongside the EU’s GDPR (soon to be the UK GDPR). PECR derives from the European ‘e-privacy Directive’ and is set out in UK law. The latest version of PECR is from 29th March 2019. PECR regulates cookies used for tracking purposes, and also covers marketing calls, texts and emails. Fines aren’t as high as under GDPR, with a maximum of £500,000.
A simplified way to put the difference between GDPR and PECR: GDPR covers the general collection and processing of personal data, whereas PECR is specific to the privacy and security of personal data in electronic communications.
The Security of Network and Information Systems Regulations (NIS)
NIS is part of the Government’s National Cyber Security Strategy and came into force on 10th May 2018. It comes from the Department for Digital, Culture, Media & Sport. It provides legal measures to boost the overall level of security (both cyber and physical resilience) of network and information systems that are used for digital services (such as online marketplaces, online search engines and cloud computing) and for essential services such as transport, energy, water, health and digital infrastructure. Essentially it looks to form a standard of security for network and information systems, one which also covers physical and environmental factors.
Wondering if you’re compliant?
The Information Commissioner’s Office (ICO) has created these helpful assessment toolkits, which you can use to gain guidance on the how and what of the data you collect, store, transfer and use:
- Small and Medium sized organisations from private, public and third sectors: https://ico.org.uk/for-organisations/data-protection-self-assessment/
- Small business owners and sole traders, as well as small membership organisations such as sports clubs: https://ico.org.uk/for-organisations/business/assessment-for-small-business-owners-and-sole-traders/
Each one of these sections has its own rabbit holes of legal wording and deeper explanation; my article merely scratches the surface. I’m by no means a lawyer and this article should not be used as legal advice. What I hope it does achieve is to provide a helpful top-level understanding of the laws currently in place in the UK, from a central place.
Stay safe everyone! Stay home, protect lives, be kind where you can.
Want to work together? I’m always open to hearing about interesting opportunities: firstname.lastname@example.org