Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws). Are there any expected changes in the data protection and privacy law landscape in 2022-2023 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
An overview of the legal and regulatory framework governing data protection and privacy in the U.K.
The U.K. transposed the contents of the EU General Data Protection Regulation (EU GDPR) into domestic legislation following its exit from the EU, with some technical changes to make it work effectively in a U.K. context. The Data Protection Act 2018 (DPA 2018) sets out the legal framework that applies to the collection and use of personal data in the U.K. It sits alongside the UK General Data Protection Regulation (UK GDPR) and tailors and supplements the application of the UK GDPR within the country.
The DPA 2018 and UK GDPR are not sector-specific. Anyone processing “personal data”, other than for purely personal or household activities, will need to comply with the data protection regime. This includes most businesses and organisations, whatever their size.
Personal data is any information relating to a living individual (the “data subject”) who can be directly identified (for instance by their name and/or contact details) or indirectly identified (for instance by reference to an online identifier such as an IP address, cookie data and/or location data).
“Processing” is defined broadly under the DPA 2018 and the UK GDPR. It covers almost any use of data, including collection, recording, organisation, structuring or storage, adaptation or alteration, retrieval, consultation or use, erasure or destruction.
The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (PECR), sit alongside the DPA 2018 and UK GDPR. PECR implements the European e-Privacy Directive 2002/58/EC in the U.K. and sets out specific rules on marketing calls, emails, texts and faxes and the use of cookies and similar technologies.
The Information Commissioner’s Office (ICO) is the regulatory authority for data protection in the U.K., including England and Wales. The ICO provides guidance and promotes good data protection practices. It also conducts audits and advisory visits, considers complaints and breach reports, monitors compliance and takes enforcement action where appropriate.
Guidance issued at the European level by the Article 29 Working Party and the European Data Protection Board is no longer directly relevant to the U.K. regime but, given that U.K. data protection legislation currently mirrors law in the EU, it is still considered to provide helpful guidance for compliance with the UK GDPR and DPA 2018.
Expected changes in 2022-2023
- Online Safety Bill
The Online Safety Bill was introduced in Parliament on 17 March 2022 and, amongst other things, will require social media platforms, search engines and other apps and websites allowing people to post their own content online to protect people from harmful content, tackle illegal activity and uphold their stated terms and conditions. The Bill also includes a requirement for social media platforms to verify users, which will lead to the collection of vast quantities of personal data and further extend the scope of online service providers’ data protection compliance obligations.
- Trans-Atlantic Data Privacy Framework
On 25 March 2022, the EU and U.S. announced that they had reached an “agreement in principle” on a new transfer mechanism, which will enable transfers of personal data from the EU to the U.S. by way of an adequacy decision. To date, a “Trans-Atlantic Data Privacy Framework” fact sheet has been published, with more guidance to follow in 2022. It is anticipated that following the implementation of the new EU-U.S. transfer mechanism, the U.K. will also follow suit and pass its own U.K.-U.S. adequacy decision; however, this has not yet been confirmed.
- U.K. Data Protection Reform
On 10 September 2021, the Department for Digital, Culture, Media & Sport published its consultation paper – Data: A New Direction. The purpose of this paper is to propose a reform to the U.K. data protection regime which would create a “pro-growth and pro-innovation data regime” whilst maintaining “the UK’s world-leading data protection standards”. Please see below for further details.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Yes. Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that determine the purposes and means of the processing of personal data (known as “controllers”) need to pay a data protection fee to the ICO unless they are exempt. There is a three-tier system of fees, ranging from £40 to £2,900, calculated based on the organisation’s number of employees or turnover. Public authorities should categorise themselves according to staff numbers only and not turnover. A controller will be exempt from the requirement to pay fees if it only processes personal data for certain limited purposes, including “core” business purposes such as staff administration, advertising, marketing and public relations and accounts and records.
A fixed penalty regime (ranging from £400 to £4,000) applies where a controller should have notified and paid the appropriate fee to the ICO and has not. Aggravating factors (such as a failure to engage or cooperate with the ICO) may lead to an increase in the fine up to the statutory maximum of £4,350.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The DPA 2018 and the UK GDPR use the terms “personal data” and “special categories of personal data”. These concepts are not identical to the term “personally identifiable information” (PII).
Personal data means any information relating to a living individual who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data or an online identifier), or one or more factors specific to that individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
When considering whether an individual is identifiable, the controller will need to take into account the information it is processing or to which it has access, together with all the means reasonably likely to be used to identify that individual. This can include, for instance, cross-referencing with information held by a third party.
“Identifying” an individual does not require the ability to name that individual—the ability to link records relating to an individual or draw inferences about an individual would be sufficient to make information “personal data” for the purposes of U.K. data protection law.
Completely anonymised information is not personal data. “Anonymisation” is not defined in the UK GDPR; however, given the broad definition of “personal data”, effective anonymisation would require mitigating the risk of re-identification so that, taking into account all relevant factors, it is sufficiently remote that the information could not reasonably be linked to an individual.
Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it “relates to” the individual. Guidance from the ICO states that when considering whether information “relates to” an individual, the controller needs to take into account a range of factors, including the content of the information, the purpose or purposes of processing and the likely impact or effect of that processing on the individual.
“Special categories of personal data” are types of personal data which the data protection legislation identifies as requiring a higher level of protection. These are:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Additional rules also apply to the processing of personal data relating to criminal convictions and offences or related security measures.
Other key definitions include:
- “controller”: the person who determines the purposes and the means by which the personal data is processed;
- “processor”: the person who processes personal data on behalf of the controller;
- “data subject”: the individual to whom the personal data relates.
What are the principles related to the general processing of personal data or PII – for example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
General processing of personal data must take place in accordance with the key principles. These state that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes of the processing (“data minimisation”);
- accurate and, where necessary, kept up to date (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
In addition, the data controller shall be responsible for, and must be able to demonstrate compliance with, the above principles (“accountability”).
A key element of “lawfulness, fairness and transparency” is the need to establish a valid ground for processing personal data. The six available grounds for processing are:
- The data subject has given consent to the processing of their personal data for one or more specific purposes.
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (for instance providing a quote).
- The processing is necessary for the data controller to comply with legal obligations (not including contractual obligations).
- The processing is necessary to protect the vital interests (i.e., the life) of the data subject or another person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task, function or authority must have a clear basis in law.
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This ground is likely to be most appropriate where the controller uses the subject’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
Most lawful bases require that processing is “necessary” for a specific purpose. If the controller could reasonably achieve the same purpose without the processing, they will not have a lawful basis for processing the data. The basis for processing needs to be determined before processing takes place, and it should be documented.
Processing of special categories of personal data is prohibited unless one of the additional conditions set out in Article 9(2) of the UK GDPR also applies (as set out in the response to question 7).
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
Consent is one of the lawful grounds for processing personal data. The UK GDPR sets a high standard for what constitutes valid consent (as further detailed in the following question). It is therefore not simple to establish valid consent as a ground for processing and the individual can withdraw their consent at any time. As a result, it is often preferable to rely on another lawful basis for processing, if one is available.
There are, however, certain types of processing which more commonly rely on consent as a lawful ground for processing and these generally relate to processing of special categories of personal data. Processing special categories of personal data requires the “explicit consent” of the individual unless one of the other exemptions under Article 9(2) UK GDPR applies (as further detailed in question 7). When assessing whether to rely on consent, there are a number of context-specific questions that should be considered. For example, the requirement for consent to be “freely given” (meaning that data subjects must have a genuine choice) may be difficult to satisfy in certain circumstances, for example, if:
- performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract; or
- there is a clear imbalance between the data subject and the controller; or
- the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment, such as in the context of an employment relationship.
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
Under the UK GDPR, the threshold for establishing valid consent is high. To be valid, the consent must be:
- Freely given – i.e., the consent is voluntary, and no detriment will be suffered if the data subject chooses not to consent. This also means that individuals must have an ongoing choice and control over how their personal data is used, including the right to withdraw consent at any time.
- Specific – i.e., separate consents are required for different purposes and different types of processing.
- Informed – i.e., the data subject must be provided with sufficient information detailing what they are consenting to. For consent to be “informed”, the data subject must be notified, as a minimum, of the controller’s identity, the purposes of processing and the types of processing activity.
- Unambiguous – i.e., there must be a clear affirmative action by the data subject such as ticking a box to consent. It is not sufficient to imply consent from an individual’s actions, using pre-ticked boxes or similar mechanisms.
Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Withdrawing consent will not affect the lawfulness of the processing preceding the withdrawal.
Records of consents obtained should be kept so as to demonstrate compliance with the principles.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
Additional considerations apply to the processing of “special categories of data” (as defined under question 3 above) and data related to criminal offences and/or convictions.
To process special category data lawfully, the controller must identify both a lawful basis and a separate condition for processing. The conditions for processing of special category data are set out in the UK GDPR, as tailored by the DPA 2018, and are:
- explicit consent;
- necessary for performing obligations or protecting rights in the field of employment, social security and social protection (if authorised by law);
- necessary to protect vital interests;
- processing carried out by not-for-profit bodies;
- data made public by the data subject;
- necessary to establish, exercise or defend legal claims or judicial acts;
- reasons of substantial public interest (with a basis in law);
- necessary for health or social care (with a basis in law);
- necessary for reasons of public health (with a basis in law); or
- necessary for archiving, research and statistics (with a basis in law).
Where the additional conditions for processing special categories of personal data require a basis or authorisation in law, the DPA 2018 also sets out associated conditions and requirements.
Reliance on the substantial public interest condition would also require satisfying one of the specific substantial public interest conditions set out in the DPA 2018.
To process personal data about criminal convictions or offences, the controller must have a lawful basis and, in addition, either process the data in an official capacity or comply with the additional safeguards set out in the DPA 2018.
How do the laws in your jurisdiction address children’s personal data or PII?
The DPA 2018 and UK GDPR recognise that children need particular protection when their personal data is being collected and processed, as they may be less aware of the risks involved or their rights.
As with adults, there needs to be a lawful basis for processing personal data. If relying upon consent as the lawful basis for processing, the controller needs to ensure that the child can understand what they are consenting to; otherwise the consent is not “informed” and therefore is invalid. Any information and communication about processing addressed to a child should be in clear and plain language that the child can easily understand.
In relation to the offer of online services directly to a child (“information society services”), the data subject must be at least 13 years old (in the U.K.) to consent to processing of their personal data. Where the child is below 13 years old, processing shall be lawful only if consent is given or authorised by the person with parental responsibility over the child. This will not apply if the information society services offered to the child are preventative or counselling services. Other European countries have different (and higher) age limits, so online businesses need to know the location of the child to ensure the right rules can be applied.
Extra protections apply where businesses intend to use children’s personal data for marketing purposes, which includes both sending direct marketing messages to individual children and using personal data to display targeted adverts in an online context.
Children have the same individual rights as adults in relation to the processing of their data. The right to erasure of data is particularly relevant if they gave their consent to the processing when they were a child.
The ICO has published an Age-Appropriate Design Code (or “Children’s Code”) for providers of online services that may be accessed by children in the U.K. For the purposes of the Children’s Code, a child is anyone under the age of 18. The Children’s Code sets out 15 standards to ensure that online services appropriately safeguard children’s data and addresses how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of, children.
A service provider’s conformance with the Children’s Code will be taken into account by the ICO or a court when assessing whether that provider has complied with their obligations under the DPA 2018, the UK GDPR and PECR. Although failure to comply with the Children’s Code would therefore not itself be a breach of U.K. data protection law, a service provider is unlikely to be able to satisfy the ICO or a court that they comply with the DPA 2018, the UK GDPR or PECR if they have not followed the standards in the Children’s Code.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The DPA 2018 and UK GDPR set out exemptions from some rights and obligations under the data protection regime. Controllers should not routinely rely on exemptions but instead should consider them on a case-by-case basis. If a controller relies on an exemption, it should justify and document its reasons for doing so.
Various exemptions are detailed in Schedules 2 to 4 of the DPA 2018. These exemptions can relieve a controller of some of its obligations, for instance in relation to the right to be informed, the right of access, dealing with other individuals’ rights and complying with the data protection principles. How the exemptions are applied, and the extent of the exemption, will differ depending on the purpose for which a controller is processing the personal data.
Types of purposes that may rely on an exemption in the DPA 2018 include:
- for the prevention and detection of crime, apprehension and prosecution of offenders and assessment or collection of a tax or duty;
- information required to be disclosed by law or in connection with legal proceedings;
- discharging functions designed to protect the public;
- discharging a regulatory function conferred under specific legislation;
- processing for journalistic, academic, artistic or literary purposes; and
- processing for scientific or historical research purposes or for statistical purposes.
There are also exemptions relating to the processing of health and social work data in certain circumstances.
Some exemptions only apply to the extent that compliance with the DPA 2018 would prejudice the purpose for which a controller is using the data or where it would prevent or seriously impair the controller from necessary processing of personal data for its purpose. If this is not the case, then a controller must comply with the DPA 2018 as normal. Some exemptions have additional provisions that must be met before the exemption can be relied upon.
Processing of personal data for purely personal or household activity, with no connection to a professional or commercial activity, is outside the scope of the DPA 2018 and UK GDPR.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
Yes, controllers have a legal requirement under Article 25 of the UK GDPR as well as under the DPA 2018 to consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle (“data protection by design”) and only process the data that is necessary to achieve their specific purpose (“data protection by default”).
How controllers meet these requirements will depend on their circumstances. However, the ICO recommends that controllers should take an organisational approach that ensures that:
- data protection issues are considered as part of the design and implementation of systems, services, products and business practices which includes the deployment of adequate cybersecurity measures proportionate to the organisation’s risk exposure and activities;
- data protection is an essential component of the core functionality of processing systems and services;
- processing is limited to the personal data that the controller needs in relation to its purpose(s), and data is only used for those purposes;
- personal data is automatically protected in any IT system, service, product, and/or business practice;
- the identity and contact information of those responsible for data protection are available both within the organisation and to individuals;
- there is a “plain language” policy for any public documents relating to personal data;
- individuals have the tools to determine how the controller is using their personal data; and
- controllers offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Organisations with 250 or more employees must maintain a record of all processing activities, whether they are controllers or processors. Organisations with fewer than 250 employees need only maintain a record of processing activities that are likely to result in a risk to the rights and freedoms of data subjects, are not occasional, or include special categories of data or data related to criminal convictions or offences. Organisations may need to make their records available to the ICO on request.
Records of processing must contain:
- the name and contact details of the organisation (and where applicable, of other controllers, the organisation representative and their data protection officer);
- the purposes of the processing;
- a description of the categories of individuals and categories of personal data;
- the categories of recipients of personal data;
- details of any transfers to third countries including documenting the transfer mechanism safeguards in place;
- retention periods; and
- a description of any technical and organisational security measures.
Controllers must also document the lawful basis relied on for processing of personal data and any additional conditions relied on for processing special categories of personal data or data relating to criminal convictions.
A controller should more generally document its policies and processes so that it may comply with the “accountability” principle and meet its data protection by design/default obligations. A controller should also have a range of policies tailored to its business such as a data protection policy, retention and disposal policy, data breach policy, marketing policy, consent records, data maps, training materials and processes to comply with the data protection principles and to enable individuals to exercise their rights.
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
One of the fundamental principles of the UK GDPR is that of storage limitation, as set out under Article 5(1)(e). This stipulates that personal data cannot be kept for longer than necessary for the purpose for which it was collected.
The UK GDPR does not specify a time limit; rather, companies need to assess how long they require the data for their specified purpose(s).
When setting retention periods companies should consider whether:
- the stated purpose(s) for processing the personal data are still applicable;
- a record of a relationship with the individual is needed once the relationship ends;
- the information is required to defend possible future legal claims;
- there are any legal or regulatory requirements that require the retention of records (e.g., for income tax or audit purposes); and
- there are any industry standards or guidelines that can be used (although note that industry standards do not guarantee compliance).
Any personal data that is no longer needed should be erased or anonymised.
The only exceptions to the above rule are where processing is carried out for (i) archiving purposes in the public interest, (ii) scientific or historical research purposes or (iii) statistical purposes.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
A controller must carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to individuals. If the DPIA identifies a high risk that the controller cannot mitigate or reduce, they must consult with the ICO prior to commencing the processing. When consulting the ICO, a controller shall provide details of:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- the purposes and means of the intended processing;
- the measures and safeguards provided to protect the rights and freedoms of data subjects;
- where applicable, the contact details of the data protection officer;
- the DPIA; and
- any other information requested by the ICO.
The ICO will respond within eight weeks of the request for consultation and provide written advice to the controller. This may be extended by six weeks in complex cases. The ICO will provide a written response advising whether the risks are acceptable, or whether it is necessary to take further action. Where appropriate the ICO can issue a formal warning not to process the personal data.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Yes, a DPIA should be carried out where the intended processing is “likely to result in high risks” to data subjects.
It will be necessary to carry out a DPIA if the controller plans to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
The current ICO guidance also indicates a DPIA should be conducted if the controller will:
- use innovative technology;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
- track individuals’ location or behaviour;
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
The ICO also recommends that controllers should carefully consider carrying out a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals, or for any major new project involving use of personal data.
The assessment should be carried out prior to any processing and contain at least:
- a description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks.
The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subjects (or their representatives) on the intended processing. If the DPIA indicates the processing will result in a high risk due to the absence of available measures to mitigate the risk, the controller should consult with the ICO as detailed under question 13 above.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
A person must appoint a data protection officer (DPO) if:
- it is a public authority or body (except for courts acting in their judicial capacity);
- its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This requirement applies to both controllers and processors. A group of undertakings can select a single DPO providing that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities. The DPO does not have direct personal liability under the DPA 2018 and the UK GDPR.
If a business decides to appoint a DPO voluntarily, it should be aware that the same requirements as to the position and its tasks apply as if the appointment had been mandatory.
The DPO’s tasks are:
- to inform and advise on data protection laws;
- to monitor compliance with data protection laws, and with the business’ data protection policies, including training staff and conducting internal audits;
- to advise on, and to monitor, DPIAs;
- to cooperate with the ICO and other supervisory authorities; and
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
It should also be noted that if a company is a U.K.-based controller or processor with no offices, branches or other establishments in the EEA but offers goods or services or monitors the behaviour of individuals in the EEA, it will need to appoint a representative in the EEA pursuant to the EU GDPR. The representative needs to be set up in an EEA state where individuals are located whose personal data is being processed.
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
The ICO makes clear in its guidance that it has an expectation that organisations will implement an all-staff data protection and information governance training programme. It provides the following recommendations for meeting its expectations:
- providing staff with comprehensive training on key areas of data protection such as handling data subject requests, data sharing, information security, personal data breaches and records management;
- implementing a data protection governance structure under which named individuals are assigned specific responsibility for managing and delivering data protection training to employees;
- providing regular, accurate and targeted training to employees;
- maintaining and updating training records and materials; and
- carrying out regular awareness-raising on data protection policies, procedures and materials.
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
Individuals have the right to be informed about the collection and use of their personal data.
At the time personal data is obtained from a data subject, a controller must provide the data subject with all of the following privacy information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party where the “legitimate interests” lawful basis is being used;
- the recipients or categories of recipients of the personal data, if any;
- the source of the data (where it was not obtained directly from the individual);
- the retention periods;
- details of the individual’s rights, including the right to withdraw consent;
- the right to lodge a complaint with a supervisory authority;
- whether there is a statutory or contractual obligation to provide the data, and the consequences of not providing it;
- whether automated decision-making, including profiling, is being conducted, together with meaningful information about the logic used and the intended consequences of the processing for the individual; and
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to allow the transfer and where relevant how to obtain a copy.
When personal data is obtained from a source other than the individual it relates to, the individual needs to be provided with the above privacy information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if the data are used to communicate with the individual, at the latest when the first communication takes place; or
- if it is envisaged that the data will be disclosed to someone else, at the latest when the data is disclosed.
The controller must actively provide privacy information to individuals. They can meet this requirement by putting the information on their website, but they must make individuals aware of it and give them an easy way to access it, including at the point of collection of their data. For all audiences, information must be concise, transparent, intelligible, easily accessible and in clear and plain language.
When providing the information to individuals, it is permissible to use a combination of techniques such as a layered approach to presenting the information, privacy dashboards, just-in-time notices and icons. A controller must regularly review, and where necessary update, its privacy information, and bring any new uses of an individual’s personal data to their attention before starting that processing.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (e.g., are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
The law distinguishes between “controllers” and “processors”. A controller is the main decision-maker who exercises control over how and why personal data is collected and the use of the data. The controller has the highest level of responsibility when it comes to complying with the DPA 2018 and the UK GDPR. They must make sure that the processing of that data complies with data protection law. U.K. controllers are also required to pay a data protection fee to the ICO unless exempt (see question 2 above).
A processor is the person who processes data on behalf of the controller and in accordance with their instructions. Processors do not have to pay the data protection fee. However, they have some statutory legal obligations in their own right under the UK GDPR and DPA 2018, although these are more limited than the controller’s obligations. These include obligations in relation to processing contracts, security measures, security breach notifications, data protection officers and record-keeping.
Processors may also be:
- subject to investigation by their supervisory authority (such as the ICO);
- fined for breaches of their direct obligations under the DPA 2018 and the UK GDPR;
- contractually liable to the controller for breach of contract;
- subject to a claim in the courts for damage caused by their processing (including nonmaterial damage such as distress). However, they will only be liable insofar as they have failed to comply with the provisions specifically relating to processors; or they have acted without the controller’s lawful instructions or against those instructions.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
Yes, the UK GDPR specifies minimum contractual provisions that any contract between a controller and a processor must contain. These include:
- a requirement that the processor may only process personal data in line with the controller’s documented instructions;
- a restriction on appointing sub-processors without the controller’s prior specific or general written authorisation. If a sub-processor is to be engaged under a general authorisation, then proposed changes must be notified in advance to give controllers a chance to object;
- a requirement to “flow-down” obligations under the contract between the controller and processor to any agreement with a sub-processor, so that the sub-processor contract must offer an equivalent level of protection for the personal data;
- requirements for processors to assist with many of the obligations imposed on controllers (such as controllers’ obligations to respond to the exercise of data subject rights, data security and other governance obligations);
- a direct statutory “policing” obligation, to “immediately inform” the controller if, in the processor’s opinion, an instruction infringes relevant data protection laws; and
- “end-of-contract” provisions requiring the processor to delete or return all personal data at the end of the contract term.
Failing to include mandatory contractual provisions is itself a breach of the UK GDPR.
Where a sub-processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance of that sub-processor’s obligations.
The controller may only use processors who provide sufficient guarantees that the processing will meet the relevant data protection requirements and protect data subjects’ rights. A controller will therefore need to conduct due diligence on a proposed processor so that it can show how it has sought to comply with the data protection principles. That due diligence should cover the security measures the processor has in place, including cybersecurity controls proportionate to the processor’s risk exposure and to the profile of both the processor’s and the controller’s business. In this context it is important to confirm that the processor complies with Article 28 UK GDPR, which sets out the various obligations for processors.
Where a processor is located outside of the U.K. or the EU, the controller must ensure that contractual provisions adequately govern the transfer of the data flow between controller and processor (please see question 25 below for further information on international data transfers).
Importantly, processors are required to notify controllers of personal data breaches without undue delay after becoming aware of them, regardless of any harm threshold. In effect this means that processors must notify controllers of any security breach involving the controller’s personal data. It is then for the controller to carry out any required risk-of-harm analysis and to decide the next steps, including whether the ICO or affected individuals must be notified.
If data is being shared between two independent controllers, an appropriate data sharing agreement should be entered into by the parties as a matter of good practice but is not mandatory.
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
Automated decision-making is the making of a decision, about an individual, based solely on automated means without any human involvement.
The UK GDPR defines “profiling” as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
Controllers may generally engage in automated decision-making and profiling if they have a lawful basis for processing the personal data, comply with their transparency obligations and abide by the data subject’s right to object. However, data subjects have the right not to be subject to a decision when it is based solely on automated processing (including profiling) if the decision produces legal effects or similarly significantly affects them. Such a process can only be carried out by an organisation if the decision is:
- necessary for entering into or performance of a contract between the organisation and the individual;
- authorised by law (for example, for the purposes of fraud or tax evasion prevention); or
- based on the individual’s explicit consent.
Where the processing is carried out for contractual purposes or is based on the data subject’s consent, the controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
In addition, if special category personal data is involved the controller can only carry out such processing if it takes suitable measures to safeguard the data subject’s rights and:
- if it has the individual’s explicit consent; or
- if the processing is necessary for reasons of substantial public interest and is provided for by law and must include measures to protect the interests of the individuals.
Automated decision-making in respect of children is generally prohibited, although the guidelines issued at the European level on automated decision-making and profiling indicate that there are narrow exemptions to this.
The PECR set out rules on the use of “cookies”. A business must tell people if it uses cookies, and clearly explain what the cookies do and why. Cookies and similar technologies which are used to store or gain access to information on a device can only be used with the consent of the individual. As under the UK GDPR and DPA 2018 (and further explained at question 6 above), consent must be freely given, specific and informed, and must be provided by way of a clear positive action. There is an exception for cookies that are strictly necessary to provide an online service requested by the individual. Cookie data may also be data which allows an individual to be identified, in which case it also falls within the rules on personal data in the DPA 2018 and UK GDPR.
Please describe any restrictions on cross-contextual behavioral advertising. How is this term or related terms defined?
U.K. data protection law does not define nor set out any specific rules with regards to cross-contextual behavioural advertising. However, any processing of personal data in the context of cross-contextual behavioural advertising would need to comply with the UK GDPR and PECR, including:
- rules relating to the use of cookies and similar tracking technologies (such as pixels and mobile SDKs);
- information and transparency requirements; and
- obligations relating to the validity of consent (namely ensuring such consent is sufficiently specific, freely given and informed, including with respect to potential recipients of the personal data).
Please describe any laws in your jurisdiction addressing the sale of personal information. How is “sale” or related terms defined and what restrictions are imposed, if any?
“Sale” does not have a specific meaning in the context of the UK GDPR or DPA 2018. Selling personal data in the ordinary sense is not prohibited under U.K. data protection law. However, there is still an overarching obligation for organisations to comply with their general obligations under the UK GDPR. For example, organisations must have established a legal basis for the processing of the personal data it intends to sell and must comply with its transparency obligations (i.e., by providing clear details of the data sharing to the data subject at the point of collection of the personal data).
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
Marketing activities using personal data have to comply with the DPA 2018, UK GDPR and PECR.
Where personal data is processed for the purposes of direct marketing, the data subject has an absolute right to object to the processing. This right should be explicitly brought to the attention of the data subject at the time their data is collected and presented clearly and separately from any other information.
Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).
In addition, the PECR prohibit the sending of unsolicited electronic marketing messages unless the recipient has given their consent. “Electronic” messages cover email and text message, as well as any other message stored electronically (such as messages sent via social media). “Consent” in this context must be of a GDPR standard, namely specific, informed and freely given. When relying on consent to market a business should therefore specify the different methods they want to use (e.g., by email, by text, by fax, by phone or by recorded call.) In addition, it must ask for specific consent if it wants to pass details to other companies, and it must name or describe those companies in detail.
A business should also keep clear records of consent and keep a “do not contact” list of anyone who objects, opts out or withdraws their consent.
A limited exception to the consent requirement, known as the “soft opt-in”, may apply where contact details are collected in the context of a sale or a negotiation for a sale, and:
- the marketing relates to the same/similar goods/services as those purchased or negotiated;
- the customer is given the opportunity to opt-out of receiving marketing communications at the time of the purchase or negotiation and in every communication thereafter; and
- the marketing comes directly from the contracting entity/controller who has sold or is negotiating for the sale of the goods/services.
The marketing rules set out in PECR apply not only to the person sending the marketing messages but also to the person “instigating” those messages. A person using third party contractors to send messages or relying on viral marketing would therefore still be responsible for compliance with PECR in relation to those marketing messages.
There are also rules relating to telephone marketing which prohibit live unsolicited calls to:
- anyone who has already objected to the calls; or
- any number registered with the Telephone Preference Service, unless the recipient has specifically consented to receive the call.
Enforcement action relating to non-compliance with email, text and phone marketing rules has been frequent in the U.K. in the last few years, and the majority of fines issued by the ICO relate to nuisance phone calls and emails.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
Under Article 4(14) of the UK GDPR, biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Biometric data will also be special category data if it is processed “for the purpose of uniquely identifying a natural person”. This means that there will be additional requirements affecting processing, including the need for any consent to be “explicit” if consent is relied on as the lawful ground for processing.
Large-scale use of biometric data is likely to trigger the need for a DPIA, on the basis that the processing is likely to result in a high risk to the rights and freedoms of natural persons.
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
Transfers of personal data to countries outside the U.K. (outside of the U.K. includes Crown dependencies or U.K. overseas territories, including Gibraltar) are restricted and subject to limited exceptions. These restrictions apply to all transfers, no matter the size of transfer or how often they are carried out.
The most commonly applied exceptions to the prohibition on international transfers are:
The transfer is to a country, territory or international organisation in respect of which there is an adequacy regulation in place
At the time of writing the U.K.’s adequacy regulations cover the same jurisdictions, territories and international organisations considered adequate by the European Commission for transfers from the European Union, as well as all Member States in the European Economic Area.
Transfers of personal data from the EEA to the U.K. are subject to an adequacy decision adopted on 28 June 2021. The decision, however, is only valid for four years after it entered into force and is subject to ongoing monitoring by the European Commission to determine whether the standard of protection for personal data in the U.K. deviates at any point from the level of protection currently in place.
Following the decision by the Court of Justice of the European Union in the Schrems II case in July 2020, the Privacy Shield framework is no longer valid for transfers from the U.K. to the U.S.
On 25 March 2022 the European Union and U.S. announced plans to introduce a new data transfer mechanism to enable transfers of personal data from the European Union to the U.S. by way of an adequacy decision. The terms of this mechanism are yet to be finalised and it is unclear whether the U.K. will reach a similar agreement with the U.S. However, it is anticipated that the U.K. will also follow suit and pass its own U.K.-U.S. adequacy decision.
There are appropriate safeguards in place (for example Standard Contractual Clauses or the U.K.-specific international data transfer agreement)
The new EU Standard Contractual Clauses (published on 4 June 2021) can be used for transfers of personal data from the U.K. subject to an addendum that adapts the EU approved text for transfers made under the UK GDPR. The U.K. Secretary of State has issued an approved addendum which can be used to supplement EU Standard Contractual Clauses for transfers that involve personal data subject to the UK GDPR.
The U.K. has also approved its own standalone international data transfer agreement (IDTA) for transfers of personal data under the UK GDPR.
A company uses approved binding corporate rules (“BCRs”)
BCRs can be used to legitimise a restricted transfer within an international organisation if both the entity making the transfer and the recipient have signed up to approved BCRs. They are intended for use by multinational corporate groups, groups of undertakings or groups of enterprises engaged in joint economic activity, such as franchises, joint ventures or professional partnerships.
One of the limited derogations under Article 49 UK GDPR can be met
Article 49 of the UK GDPR sets out certain limited derogations from the prohibition on international transfers, including:
- explicit consent of the data subject;
- the transfer is necessary for the performance of a contract between the data subject and the controller;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims; and
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
Derogations are limited in scope and generally require that the transfer is only occasional and, other than where the transferor relies on consent, that it is necessary for the purpose stated in the derogation. They are therefore not suitable for regular transfers (although a restricted transfer under a derogation may happen more than once).
It should be noted that for transfers where no adequacy regulation is in place or in respect of which a derogation does not apply, the U.K. takes the same approach as the European Union in requiring a transfer impact assessment to ensure that data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the U.K. data protection regime. The risk assessment should take into account the protections contained in the appropriate safeguard relied on for the transfer (such as the Standard Contractual Clauses or the U.K.’s IDTA) and the legal framework of the destination country, including laws governing public authority access to personal data. If the assessment concludes that the transfer mechanism does not provide the required level of protection, the data exporter should include additional measures.
With regards to notification, international transfers of personal data do not generally require notification to the ICO. However, where data exporters cannot rely on any derogations, adequacy decisions or other transfer mechanisms, the UK GDPR allows organisations to make a one-off restricted transfer where it is in the organisation’s compelling legitimate interests, and those interests outweigh the rights and freedoms of individuals. The ICO gives the example of a transfer of personal data to protect a company’s IT systems from serious immediate harm.
Where such a one-off restricted transfer is made, the transferor would need to assess the circumstances surrounding the transfer and provide suitable safeguards to protect the personal data, such as strict confidentiality agreements, a requirement for data to be deleted soon after transfer, technical controls to prevent the use of the data for other purposes or sending pseudonymised or encrypted data.
When making a transfer based on this exception, the transferring organisation must inform the individual, explaining its compelling legitimate interest to them, and the ICO. The ICO will ask to see full details of the assessment taken by the organisation in determining whether it can rely on this exemption.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data, which includes adequate cybersecurity measures proportionate to the risk exposure of the organisation. The parties should consider factors such as the state of the art, implementation costs and the context of processing. Such measures could include pseudonymisation, encryption of personal data and a process for regularly testing the effectiveness of such measures. The legislation does not specify the level of security required, since it needs to be proportionate to the risks presented by the processing carried out.
Measures should be put in place following an evaluation of the risks in order to prevent unauthorised or accidental processing and to ensure it is possible to establish the precise details of any processing that takes place. The measures must ensure the confidentiality, integrity and availability of the systems and services that process personal data, and of the data itself. Such measures should enable the controller to restore the personal data in a timely manner in the event of a physical or technical incident. In recent years companies have taken cyber security increasingly seriously, for example in the financial services sector with the bi-annual Quantum Dawn cyber stress-testing exercise. This is a way to test cyber security systems and processes while working with players across the industry and with government to improve those systems and processes.
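The security measures listed above, and the transfer safeguards discussed earlier, both mention pseudonymisation. As an added illustration, not taken from the original text, the following Python (standard library only) shows why the choice of technique matters: an unkeyed hash of an identifier such as an email address is not an effective pseudonym, because anyone holding a list of candidate addresses can recompute the hashes and match them, whereas a keyed HMAC whose key the controller keeps separately under access control cannot be matched without that key. The records and candidate list are constructed sample data, the key handling is assumed, and the function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people); not data from the page.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend_gbp": 120},
    {"email": "bob@example.com", "postcode": "M1 1AE", "spend_gbp": 45},
]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks anonymous, but anyone who can
    enumerate plausible emails can recompute and match the tokens."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the controller. The token is
    stable for a given key (so datasets can still be joined) but cannot be
    recomputed from candidate identifiers without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed token. Returns the export that
    can be shared and the token->email mapping, which (with the key) must be
    stored separately from the export and access-controlled (assumption)."""
    export, mapping = [], {}
    for r in records:
        token = keyed_pseudonym(r["email"], key)
        mapping[token] = r["email"]
        export.append({"subject": token, "postcode": r["postcode"],
                       "spend_gbp": r["spend_gbp"]})
    return export, mapping


def reidentify_by_guessing(tokens, candidate_emails, pseudonym_fn):
    """Model an attacker who holds the tokenised export and a list of candidate
    emails: build a rainbow-style lookup table and match it against the tokens."""
    table = {pseudonym_fn(e): e for e in candidate_emails}
    return {t: table[t] for t in tokens if t in table}


def demo():
    """Returns (hits against unkeyed tokens, hits against keyed tokens)."""
    key = secrets.token_bytes(32)  # controller's secret; never leaves the controller
    export, _mapping = pseudonymise(RECORDS, key)
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]

    # Unkeyed hashes: the attacker recovers every real subject in the export.
    naive_tokens = [naive_pseudonym(r["email"]) for r in RECORDS]
    hits_naive = reidentify_by_guessing(naive_tokens, candidates, naive_pseudonym)

    # Keyed tokens: the attacker can only try guessed keys, which do not match.
    keyed_tokens = [r["subject"] for r in export]
    hits_keyed = reidentify_by_guessing(
        keyed_tokens, candidates, lambda e: keyed_pseudonym(e, b"attacker-guess"))
    return len(hits_naive), len(hits_keyed)


if __name__ == "__main__":
    print(demo())
```

The keyed token still allows the controller to re-identify a subject (via the key and mapping) to honour a data subject request or act on a breach, which is what distinguishes pseudonymisation from anonymisation: the export remains personal data in the controller's hands, and the key and mapping are themselves assets whose compromise would undo the measure.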
The U.K.’s National Cyber Security Centre (NCSC) acts as an important first port of call for organisations seeking to meet their cybersecurity obligations. The NCSC’s Cyber Essentials scheme and its “10 Steps to Cyber Security” guidance set out important starting points for companies to measure and enhance their compliance with relevant legislation and regulation.
For organisations with a high risk profile, the NCSC Cyber Assessment Framework (NCSC CAF) is an important starting point. While the NCSC CAF was originally designed for organisations responsible for vitally important services and activities, such as organisations within the UK Critical National Infrastructure (CNI), organisations subject to the NIS Regulations (see question 28 below) or organisations managing cyber-related risks to public safety, it is also a key resource for any business managing its cybersecurity risk.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Yes. Under the UK GDPR, a “personal data breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.
A business should ensure it has robust breach detection, investigation and internal reporting procedures in place to help it determine whether it needs to notify the personal data breach to the relevant supervisory authority (e.g., the ICO) and the affected individuals. A business must keep a record of any personal data breaches, regardless of whether it is required to notify the breach.
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
Certain providers have separate security or reporting obligations under the PECR, the eIDAS Regulation 2014 (electronic identification and trust services) and the NIS Regulations 2018 (operators of essential services and certain digital services).
Different types of organisations and businesses are subject to disparate cybersecurity obligations in the U.K. For example, under the Security of Network & Information Systems Regulations (NIS Regulations), digital service providers (DSPs) and operators of essential services (OESs) must comply with more stringent cybersecurity measures and notification requirements in the event of a cyber incident, including a personal data breach. This is because of their increased risk profiles and the large-scale reliance on their services, which means that a cyber incident or service outage involving such entities would have a highly disruptive impact across the U.K.
DSPs are regulated by the ICO and include three types of businesses: (i) online search engines, (ii) online marketplaces and (iii) cloud computing services. The ICO does not designate companies as DSPs and organisations are required to determine their potential status as a DSP themselves and consequently register with the ICO.
OESs relate to organisations across five sectors: energy, transport, health, drinking water supply and distribution and digital infrastructure. Each of these sectors has a separate designated competent authority responsible for the issuance of guidance and further regulations to govern their activities, responsibilities and obligations vis-à-vis the NIS Regulations. Even though the U.K. has now left the EU, the European Union Agency for Cybersecurity offers useful and concrete sector-specific guidance for OESs, including industry standard and best practice documents.
In January 2022, the U.K. Government launched a consultation on reforming the U.K. cyber security regime under the current NIS Regulations. As part of this review, the U.K. is proposing to extend the application of the NIS Regulations to managed service providers (i.e., providers of outsourced IT and security services) in respect of cyber security requirements and incident reporting. Meanwhile, the EU is considering a revised Directive on Security of Network and Information Systems (NIS2) with a focus on greater capabilities, cooperation and cybersecurity risk management, while adopting a new approach to the sectors covered by it.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
All controllers have a duty to report certain types of personal data breach to the relevant supervisory authority (i.e., the ICO). Controllers must report a breach without undue delay and, where feasible, within 72 hours of having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A processor that becomes aware of a personal data breach must notify the relevant controller without undue delay; the 72-hour clock runs from when the controller becomes aware, so processor contracts should specify a short notification window.
The notification must contain certain information specified in the UK GDPR. Where it is not possible to provide all the information at the same time, it may be provided in phases without undue further delay. Any delay in making a notification must be accompanied by reasons for the delay. If the breach is likely to result in a high risk to individuals' rights and freedoms, those individuals must be informed without undue delay.
Industry-specific notification requirements also apply under sectoral legislation to providers of public electronic communications networks and services, which must notify the ICO of personal data breaches under PECR (the ICO expects this within 24 hours of becoming aware of the breach). Further, qualified and non-qualified trust service providers are subject to notification requirements under the retained EU law version of the eIDAS Regulation (Regulation (EU) No 910/2014). Pursuant to the NIS Regulations, DSPs and operators of essential services (OESs) must also notify incidents which have a significant impact on the continuity of their services.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
While U.K. law enforcement does not encourage, endorse or condone ransom payments in ransomware attacks, the payment of a ransom is not of itself an offence. However, an offence may be committed where a payment is made to an entity designated under U.K. sanctions and/or where the payer knows or has reasonable cause to suspect that the payment will be used for terrorist purposes. Sanctions screening of the recipient should therefore form part of any decision to pay.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
The United Kingdom does not have a separate cybersecurity regulator. However, the NCSC plays an important role in this field by providing organisations with cybersecurity advice and support (see www.ncsc.gov.uk). Under the NIS Regulations, the NCSC acts as the national single point of contact and computer security incident response team (CSIRT) and publishes the technical guidance (including the Cyber Assessment Framework) that competent authorities use, but it is not itself a regulator: enforcement against OESs sits with the sector competent authorities and, for DSPs, with the ICO (see questions 26 and 28 above for more detail).
The ICO is otherwise responsible for cybersecurity aspects of data protection and privacy.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
Individuals have the right to be provided with certain information about the collection and use of their personal data, including the purpose for processing, the retention period and who it will be shared with, as set out in response to question 17.
There are certain exceptions, including when the data subject already has the information, or where providing the information would prejudice the prevention, investigation, detection or prosecution of criminal offences. Additional limited exemptions apply where personal data is obtained from a source other than the data subject, including where providing the information proves impossible or would involve a disproportionate effort.
Individuals also have the following rights:
- the right to access their personal data;
- the right to have inaccurate personal data rectified, or completed if it is incomplete;
- the right to have personal data erased (also known as the “right to be forgotten”). The right is not absolute, and the request may be declined on various grounds, including where the deletion is not compatible with the right of freedom of expression and information, where processing is necessary to comply with a legal obligation, or necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- the right to restrict processing of personal data (so that it may only be stored and not used). This is not an absolute right and only applies in certain circumstances;
- the right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a controller, where the processing is based on consent or on a contract and is carried out by automated means;
- the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies a controller may be able to continue processing if it can show that it has a compelling reason for doing so. Controllers must tell individuals about their right to object; and
- other rights in relation to automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual) as set out in response to question 20.
The individual may make a request in relation to the above rights either verbally or in writing. There is a period of one month in which to respond, which may be extended by up to two further months where requests are complex or numerous, provided the individual is told of the extension and the reasons for it within the first month. Note that a large percentage of complaints received by the ICO relates to the exercise of data subject rights, and the ICO has increasingly been focusing on compliance with subject access requests.
Companies should be aware that when dealing with subject access requests it is not possible, in most circumstances, to charge a fee for complying. However, in some cases a company can refuse to comply with a subject access request, usually where: (i) a relevant exemption applies; (ii) the request is manifestly unfounded; or (iii) the request is excessive. Reasons need to be given for any refusal, and the data subject needs to be informed of their right to complain to the ICO and to seek a judicial remedy.
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
The ICO has the power to take action against controllers and processors. Individuals can complain to the ICO if they believe their rights have been infringed.
Individuals can also seek remedies through the courts and can bring claims for compensation and damages against both controllers and processors.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Any person who has suffered as a result of an infringement of the DPA 2018 and/or UK GDPR has the right to bring a claim for compensation against a controller or processor for the damage suffered. They can also complain to the ICO and relevant supervisory authorities.
Individuals do not need to show actual material damage or monetary loss in order to bring a claim, as the UK GDPR and DPA 2018 provide for a right to compensation for non-material damage, including distress.
Representative actions, comparable to U.S.-style class action suits, have previously been used in privacy and data protection claims against organisations. However, the recent decision in Lloyd v Google LLC [2021] UKSC 50 has cast doubt on the extent to which representative actions in the U.K. can be used in a similar way to class actions in the U.S. Representative opt-out actions can effectively be used to establish liability for infringements, but not necessarily to establish the quantum of damages. The latter would most likely need to be pursued through an opt-in group litigation order.
It is unclear whether this split process will be economically viable for litigation funders (who fund a sizeable proportion of these types of claims), as the expense of pursuing an opt-out claim to establish liability may not be recoverable through a subsequent opt-in procedure on quantum unless a sufficiently large number of claimants signs up.
The Lloyd v Google case was also determined under the old statutory regime predating the DPA 2018 and the UK GDPR, and so it is unclear whether the same decision would have been reached under current legislation.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Yes, individuals are entitled to monetary damages. Damage may be material or non-material (including distress).
How are the laws governing privacy and data protection enforced?
The ICO has a range of powers it can exercise, including restricting or stopping the processing of personal data.
In addition, the ICO can issue fines on a controller or a processor for its breach of the obligations that apply to it.
The ICO can issue an:
- information notice to require any person to provide information the ICO reasonably requires for the purposes of carrying out its functions or investigating suspected failures or offences. It is an offence to fail to comply with an information notice, whether intentionally or recklessly, and the court can make an order to compel the person to comply with the information notice;
- assessment notice to permit the ICO to carry out an assessment of a business to identify if it has complied with, or is complying with, data protection legislation. This can be done through means such as allowing the ICO access to specified premises, technology and directing the ICO to certain documents, and explaining such documents; and
- enforcement notice which requires a person to take steps specified in the notice, or refrain from taking steps specified in the notice, or both. The notice must include details of what the person has failed, or is failing, to do and the ICO’s reasons for reaching that opinion.
What is the range of sanctions (including fines and penalties) for violation of these laws?
There is a two-tier system of fines reflecting the seriousness with which a breach of specified obligation is viewed. For example, breaches of the principles, conditions applicable to consent, lawful basis, individual’s rights and restricted transfers provisions are subject to the higher tier of up to £17.5 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a DPIA, a processor’s obligations, privacy by design and appointing a data protection officer (amongst others) are subject to a lower standard tier where the maximum fine is £8.7 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The ICO in issuing a fine will take account of: the nature, gravity and duration of the infringement, any mitigating action taken, previous infringements and the intentional or negligent character of the infringement.
At the time of writing, the highest fine issued by the ICO was in respect of a personal data breach suffered by British Airways, which was fined £20 million (revised down from the £183 million originally proposed). The ICO found that British Airways had not implemented sufficient security measures, both to prevent the cyber-attack and to detect it.
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
The ICO recently launched a consultation into its draft “Regulatory Action Policy; statutory guidance on our regulatory action; and statutory guidance on our PECR powers” policies. The consultation closed on 24 March 2022, and we await final guidance.
Whilst only in draft form, the ICO's draft statutory guidance on its regulatory action provides an insight into its approach to the calculation of fines. The ICO states that it will follow the nine steps below before making a recommendation on the amount of an administrative penalty:
1. Assessment of seriousness (considering the relevant factors under section 155 DPA 2018)
2. Assessment of the degree of culpability of the organisation concerned
3. Determination of turnover
4. Calculation of an appropriate starting point (using the penalty starting point table drafted by the ICO)
5. Consideration of relevant aggravating and mitigating features
6. Consideration of financial means
7. Assessment of economic impact
8. Assessment of effectiveness, proportionality and dissuasiveness
9. Early payment reduction
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
An organisation can appeal an ICO decision to the First-tier Tribunal. Individuals can also appeal to the First-tier Tribunal if they have filed a complaint with the ICO and have not received a response within three months.
Data subjects can also apply to court for a compliance order requiring an organisation to take steps to remedy non-compliance with the data protection legislation.
Are there any proposals for reforming data protection or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
On 10 September 2021, the Department for Digital, Culture, Media & Sport published its consultation paper “Data: A New Direction”. The purpose of this paper is to discuss the creation of a new “pro-growth and pro-innovation data regime” whilst maintaining “the UK’s world-leading data protection standards”. As part of this the U.K. is planning to launch an International Data Transfers Expert Council to provide independent and expert advice to the government. The main areas of focus of this paper are the following:
- Accountability and governance
- Adequacy decisions and international data transfers
- Data breach reporting
- Data subject access requests
- Legitimate interests
- Cookie consent requirements
Suggestions have been put forward as to potential developments in these areas; however, it is not yet clear what any developments will look like in practice or when they might take effect.
United Kingdom: Data Protection & Cyber Security
This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in United Kingdom.