Data protection and privacy

The UK transposed the contents of the EU General Data Protection Regulation (EU GDPR) into domestic legislation following its exit from the EU on 31 January 2020, with some technical changes to make it work effectively in a UK context. This transposed and adapted version, known as the “UK GDPR”, sits alongside the Data Protection Act 2018 (DPA 2018), which UK tailors and supplements the application of the UK GDPR within the country.

The DPA 2018 and UK GDPR are not sector-specific. Anyone who falls within the material and territorial scope of the UK GDPR and processes “personal data” will need to comply with the data protection regime. This includes most businesses and organisations, whatever their size. Purely personal or household activities are not caught by the scope of the UK GDPR. Personal data is any information relating to a living individual (the “data subject”) who can be directly identified (for instance by their name and/and contact details) or indirectly identified (for instance by reference to an online identifier such as an IP address, cookie data and/or location data).

“Processing” is defined broadly under the DPA 2018 and the UK GDPR. It covers almost any use of data, including collection, recording, organisation, structuring or storage, adaptation or alteration, retrieval, consultation or use, erasure or destruction.

The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (PECR), sit alongside the DPA 2018 and UK GDPR. PECR implements the European e-Privacy Directive 2002/58/EC in the UK and sets out specific rules on marketing calls, emails, texts and faxes and the use of cookies and similar technologies, as well as cybersecurity requirements for public electronic communications services (PECS) providers.

Cybersecurity

Currently, there is no stand-alone cybersecurity legislation in the UK General (i.e. non sector- specific) data security requirements concerning the processing of personal data and notification obligations in the event of a breach of network security are imposed by the UK GDPR and DPA 2018.

Further sector-specific legislation sets out additional notification requirements. While some of these laws also apply to incidents impacting personal data (e.g., PECR), some apply to incidents that impact service operation and/or delivery (e.g., the Communications Act 2003, the Network and Information Systems Regulations 2018 (NIS)), and others apply both to personal data and service operation and/or delivery where an incident has a ‘significant impact’ (e.g., the Electronic Identification Regulation (EU/910/2014) (eIDAS)).

Broadly speaking, sector-specific laws setting out cybersecurity requirements focus on key sectors such as telecoms, communications and internet service providers (PECR and the Communications Act 2003), operators of essential services in the energy (electricity, oil and gas), transport (air, water, rail and road), health, drinking water (supply and distribution) and digital infrastructure sectors and digital service providers (including online marketplaces, online search engines and cloud computing services) (NIS).

Regulatory authorities

The Information Commissioner’s Office (ICO) is the regulatory authority for data protection in the UK. The ICO provides guidance and promotes good data protection practices. It also conducts audits and advisory visits, considers complaints and breach reports, monitors compliance and takes enforcement action where appropriate.

The ICO is the relevant body to whom cybersecurity incidents impacting personal data are reported (i.e., notifications mandated under the UK GDPR and PECR). Legislation also sets out other UK sector-specific regulators that are the competent authorities to receive notifications. For example, Ofcom, the UK’s communications regulator, is the competent authority to receive notifications under the Communications Act 2003. For notifications made under NIS, the competent authority will depend on the sector of the notifying entity, and a list of such competent authorities is scheduled to the legislation.

Guidance issued at the European level by the Article 29 Working Party and the European Data Protection Board is no longer directly relevant to the UK regime but, given that UK data protection legislation currently mirrors law in the EU, they are still considered to provide helpful guidance for compliance with the UK GDPR and DPA 2018.

Expected changes in 2023-2024

• A number of draft laws are currently proposed, both to update the UK’s existing data protection, privacy and cybersecurity laws and to introduce new legislation, including:
  • The Online Safety Bill;
  • Data Protection and Digital Information (No.2) Bill; and
  • a proposal to expand the scope of the UK NIS (see question 43)

Trans-Atlantic Data Privacy Framework

On 25 March 2022, the EU and U.S. announced that they had reached an “agreement in principle” on a new transfer mechanism, which will enable transfers of personal data from the EU to the U.S. by way of an adequacy decision. A “Trans-Atlantic Data Privacy Framework” fact sheet has been published with more guidance to follow . Despite the Framework progressing toward implementation (President Biden signed an Executive Order to implement the framework in October 2022, and a draft adequacy decision was produced by the European Commission in December 2022), the Framework has already drawn criticism that it does not sufficiently protect the rights and freedoms of European data subjects. It is anticipated that, should the new EU-U.S. transfer mechanism be implemented, the UK would also follow suit and pass its own UK-U.S. adequacy decision; however, this has not yet been confirmed.

Yes. Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that determine the purposes and means of the processing of personal data (known as “controllers”) need to pay a data protection fee to the ICO unless they are exempt. There is a three-tier system of fees, ranging from £40 to £2,900, calculated based on the organisation’s number of employees or turnover. Public authorities should categorise themselves according to staff numbers only and not turnover. A controller will be exempt from the requirement to pay fees if it only processes personal data for certain limited purposes, including “core” business purposes such as staff administration, advertising, marketing and public relations and accounts and records.

A fixed penalty regime (ranging from £400 to £4,000) applies where a controller should have notified and paid the appropriate fee to the ICO and has not. Aggravating factors (such as a failure to engage or cooperate with the ICO) may lead to an increase in the fine up to the statutory maximum of £4,350.

The DPA 2018 and the UK GDPR use the terms “personal data” and “special categories of personal data”. These concepts are not identical to the term “personally identifiable information” (PII).

Personal data means any information relating to a living individual who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data or an online identifier), or one or more factors specific to that individual’s physical, physiological, genetic, mental, economic, cultural or social identity. When considering whether an individual is identifiable, the controller will need to take into account the information it is processing or to which it has access, together with all the means reasonably likely to be used to identify that individual. This can include, for instance, cross- referencing with information held by a third party.

“Identifying” an individual does not require the ability to name that individual—the ability to link records relating to an individual or draw inferences about an individual would be sufficient to make information “personal data” for the purposes of UK data protection law. Completely anonymised information is not personal data. “Anonymisation” is not defined in the UK GDPR; however, given the broad definition of “personal data”, effective anonymisation would require mitigating the risk of re-identification so that, taking into account all relevant factors, it is sufficiently remote that the information could not reasonably be linked to an individual.

Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it “relates to” the individual. Guidance from the ICO states that when considering whether information “relates to” an individual, the controller needs to take into account a range of factors, including the content of the information, the purpose or purposes of processing and the likely impact or effect of that processing on the individual.

“Special categories of personal data” are types of personal data which the data protection legislation identifies as requiring a higher level of protection. These are:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual

Additional rules also apply to the processing of personal data relating to criminal convictions and offences or related security measures.

Other key definitions include:

• “controller”: the person who determines the purposes and the means by which the personal data is processed;
• “processor”: the person who processes personal data on behalf of the controller;
• “data subject”: the individual to whom the personal data

General processing of personal data must take place in accordance with the key principles. These state that personal data must be:

• processed lawfully, fairly and in a transparent manner in relation to individuals (“lawfulness, fairness and transparency”);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
• adequate, relevant and limited to what is necessary in relation to the purposes of the processing (“data minimisation”);
• accurate and, where necessary, kept up to date (“accuracy”);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”); and
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

In addition, the data controller shall be responsible for, and must be able to demonstrate compliance with, the above principles (“accountability”).

A key element of “lawfulness, fairness and transparency” is the need to establish a valid ground for processing personal data. The six available grounds for processing are:

• The data subject has given consent to the processing of their personal data for one or more specific purposes.
• The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (for instance providing a quote).
• The processing is necessary for the data controller to comply with legal obligations (not including contractual obligations).
• The processing is necessary to protect the vital interests (i.e., the life) of the data subject or another person.
• The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task, function or authority must have a clear basis in law.
• The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This ground is likely to be most appropriate where the controller uses the subject’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the

Most lawful bases require that processing is “necessary” for a specific purpose. If the controller could reasonably achieve the same purpose without the processing, they will not have a lawful basis for processing the data. The basis for processing needs to be determined before processing takes place, and it should be documented.

Processing of special categories of personal data is prohibited unless one of the additional conditions set out in Article 9(2) of the UK GDPR also applies (as set out in the response to question 8).

Consent is one of the lawful grounds for processing personal data. The UK GDPR sets a high standard for what constitutes valid consent (as further detailed in the following question). It is therefore not simple to establish valid consent as a ground for processing and the individual can withdraw their consent at any time. As a result, it is often preferable to rely on another lawful basis for processing, if one is available.

There are, however, certain types of processing where consent is the only valid lawful basis available to the controller. In particular, processing of personal data collected through non- essential cookies and similar trackers or the processing of contact details for the sending of unsolicited electronic marketing messages should be based on consent. Each of these activities require consent under PECR, and the ICO takes the view that processing of personal data in connection with these activities cannot be based on a lawful basis other than consent.

Processing special categories of personal data also requires the “explicit consent” of the individual unless one of the other exemptions under Article 9(2) UK GDPR applies (as further detailed in question 8). When assessing whether to rely on consent, there are a number of context-specific questions that should be considered. For example, the requirement for consent to be “freely given” (meaning that data subjects must have a genuine choice) may be difficult to satisfy in certain circumstances, for example, if:

• performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract; or
• there is a clear imbalance between the data subject and the controller; or the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment, such as in the context of an employment relationship.

Consent is one of the lawful grounds for processing personal data. The UK GDPR sets a high standard for what constitutes valid consent (as further detailed in the following question). It is therefore not simple to establish valid consent as a ground for processing and the individual can withdraw their consent at any time. As a result, it is often preferable to rely on another lawful basis for processing, if one is available.

There are, however, certain types of processing where consent is the only valid lawful basis available to the controller. In particular, processing of personal data collected through non- essential cookies and similar trackers or the processing of contact details for the sending of unsolicited electronic marketing messages should be based on consent. Each of these activities require consent under PECR, and the ICO takes the view that processing of personal data in connection with these activities cannot be based on a lawful basis other than consent.

Processing special categories of personal data also requires the “explicit consent” of the individual unless one of the other exemptions under Article 9(2) UK GDPR applies (as further detailed in question 8). When assessing whether to rely on consent, there are a number of context-specific questions that should be considered. For example, the requirement for consent to be “freely given” (meaning that data subjects must have a genuine choice) may be difficult to satisfy in certain circumstances, for example, if:

• performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract; or
• there is a clear imbalance between the data subject and the controller; or the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment, such as in the context of an employment relationship.

Additional considerations apply to the processing of “special categories of data” (as defined under question 4 above) and data related to criminal offences and/or convictions.

To process special category data lawfully, the controller must identify both a lawful basis and a separate condition for processing. The conditions for processing of special category data are set out in the UK GDPR, as tailored by the DPA 2018, and are:

• explicit consent;
• necessary for performing obligations or protecting rights in the field of employment, social security and social protection (if authorised by law);
• necessary to protect vital interests;
• processing carried out by not-for-profit bodies;
• data made public by the data subject;
• necessary to establish, exercise or defend legal claims or judicial acts;
• reasons of substantial public interest (with a basis in law);
• necessary for health or social care (with a basis in law);
• necessary for reasons of public health (with a basis in law); or
• necessary for archiving, research and statistics (with a basis in law).

Where the additional conditions for processing special categories of personal data require a basis or authorisation in law, the DPA 2018 also sets out associated conditions and requirements.

Reliance on the substantial public interest condition would also require satisfying one of the specific substantial public interest conditions set out in the DPA 2018.

To process personal data about criminal convictions or offences, the controller must have a lawful basis and, in addition, either process the data in an official capacity or comply with the additional safeguards set out in the DPA 2018.

The DPA 2018 and UK GDPR recognise that children need particular protection when their personal data is being collected and processed, as they may be less aware of the risks involved or their rights.

As with adults, there needs to be a lawful basis for processing personal data. If relying upon consent as the lawful basis for processing, the controller needs to ensure that the child can understand what they are consenting to, otherwise the consent is not “informed” and therefore is invalid. Any information and communication about processing addressed to a child should be in clear and in plain language that the child can easily understand.

In relation to the offer of online services directly to a child (“information society services”), the data subject must be at least 13 years old (in the UK) to consent to processing of their personal data. Where the child is below 13 years old, processing shall be lawful only if consent is given or authorised by the person with parental responsibility over the child. This will not apply if the information society services offered to the child are preventative or counselling

services. Other European countries have different (and higher) age limits, so online businesses need to know the location of the child to ensure the right rules can be applied.

Extra protections apply where businesses intend to use children’s personal data for marketing purposes, which includes both sending direct marketing messages to individual children and using personal data to display targeted adverts in an online context.

Children have the same individual rights as adults in relation to the processing of their data. The right to erasure of data is particularly relevant if they gave their consent to the processing when they were a child.

The ICO has published an Age-Appropriate Design Code (or “Children’s Code”) for providers of online services that may be accessed by children in the UK For the purposes of the Children’s Code, a child is anyone under the age of 18. The Children’s Code sets out 15 standards to ensure that online services appropriately safeguard children’s data and addresses how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of, children.

A service provider’s conformance with the Children’s Code will be taken into account by the ICO or a court when assessing whether that provider has complied with their obligations under the DPA 2018, the UK GDPR and PECR. Although failure to comply with the Children’s Code would therefore not itself be a breach of UK data protection law, a service provider is unlikely to be able to satisfy the ICO or a court that they comply with the DPA 2018, the UK GDPR or PECR if they have not followed the standards in the Children’s Code.

Health data comes under the definition of special category data (see question 4 above). As such, there is no specific legislation that applies to health data outside of the provisions of the UK GDPR and DPA 2018.

However, there are certain special exemptions to the disclosure of health data in relation to a data subject access request or third party request, as set out in the DPA 2018. These exemptions allow controllers to refuse to comply with a request for disclosure of health data in certain circumstances where:

• it would go against the wishes and expectations of the data subject (usually relevant to requests made by someone with parental responsibility over a minor or to requests for disclosure made by a court to manage the affairs of an individual who has been deemed as incapable of managing their own affairs); or
• it would be likely to cause serious harm to the physical or mental health of any

The DPA 2018 and UK GDPR set out exemptions from some rights and obligations under the data protection regime. Controllers should not routinely rely on exemptions but instead should consider them on a case-by-case basis. If a controller relies on an exemption, it should justify and document its reasons for doing so.

Various exemptions are detailed in Schedules 2 to 4 of the DPA 2018. These exemptions can relieve a controller of some of its obligations, for instance in relation to the right to be informed, the right of access, dealing with other individuals’ rights and complying with the data protection principles. How the exemptions are applied, and the extent of the exemption, will differ depending on the purpose for which a controller is processing the personal data. Types of purposes that may rely on an exemption in the DPA 2018 include:

• for the prevention and detection of crime, apprehension and prosecution of offenders and assessment or collection of a tax or duty;
• information required to be disclosed by law or in connection with legal proceedings;
• discharging functions designed to protect the public;
• discharging a regulatory function conferred under specific legislation;
• processing for journalistic, academic, artistic or literary purposes; and
• processing for scientific or historical research purposes or for statistical purposes. There are also exemptions relating to the processing of health (as detailed in part at question 10 above) and social work data in certain circumstances.

Some exemptions only apply to the extent that compliance with the DPA 2018 would prejudice the purpose for which a controller is using the data or where it would prevent or seriously impair the controller from necessary processing of personal data for its purpose. If this is not the case, then a controller must comply with the DPA 2018 as normal. Some exemptions have additional provisions that must be met before the exemption can be relied upon.

Processing of personal data for purely personal or household activity, with no connection to a professional or commercial activity, is outside the scope of the DPA 2018 and UK GDPR.

Yes, controllers have a legal requirement under Article 25 of the UK GDPR as well as under the DPA 2018 to consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle (“data protection by design”) and only process the data that is necessary to achieve their specific purpose (“data protection by default”).

How controllers meet these requirements will depend on their circumstances. However, the ICO recommends that controllers should take an organisational approach that ensures that:

• data protection issues are considered as part of the design and implementation of systems, services, products and business practices which includes the deployment of adequate cybersecurity measures proportionate to the organisation’s risk exposure and activities;
• data protection is an essential component of the core functionality of processing systems and services;
• processing is limited to the personal data that the controller needs in relation to its purposes(s), and data is only used for those purposes;
• personal data is automatically protected in any IT system, service, product, and/or business practice;
• the identity and contact information of those responsible for data protection are available both within the organisation and to individuals;
• there is a “plain language” policy for any public documents relating to personal data;
• individuals have the tools to determine how the controller is using their personal data; and
• controllers offer strong privacy defaults, user-friendly options and controls, and respect user preferences.

Organisations with 250 or more employees must maintain a record of all processing activities, whether they are controllers or processors. Organisations with fewer than 250 employees need only maintain a record of processing activities that are likely to result in a risk to the rights and freedoms of data subjects, are not occasional, or include special categories of data or data related to criminal convictions or offences. Organisations may need to make their records available to the ICO on request.

Records of processing must contain:

• the name and contact details of the organisation (and where applicable, of other controllers, the organisation representative and their data protection officer);
• the purposes of the processing;
• a description of the categories of individuals and categories of personal data;
• the categories of recipients of personal data;
• details of any transfers to third countries including documenting the transfer mechanism safeguards in place;
• retention periods; and
• a description of any technical and organisational security

Controllers must also document the lawful basis relied on for processing of personal data and any additional conditions relied on for processing special categories of personal data or data relating to criminal convictions.

A controller should more generally document its policies and processes so that it may comply with the “accountability” principle and meet its data protection by design/default obligations. A controller should also have a range of policies tailored to its business such as a data protection policy, retention and disposal policy, data breach policy, marketing policy, consent records, data maps, training materials and processes to comply with the data protection principles and to enable individuals to exercise their rights.

One of the fundamental principles of the UK GDPR is that of storage limitation, as set out under Article 5(1)(e). This stipulates that personal data cannot be kept for longer than necessary for the purpose for which it was collected for.

The UK GDPR does not specify a time limit, rather companies need to assess how long they require the data for their specified purpose(s).

When setting retention periods companies should consider whether:

• the stated purpose(s) for processing the personal data are still applicable;
• a record of a relationship with the individual is needed once the relationship ends;
• the information is required to defend possible future legal claims;
• there are any legal or regulatory requirements that require the retention of records (e.g., for income tax or audit purposes); and
• there are any industry standards or guidelines that can be used (although note that industry standards do not guarantee compliance).

Any personal data that is no longer needed should be erased or anonymised (see question 4 above).

A controller must carry out a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to individuals. If the DPIA identifies a high risk that the controller cannot mitigate or reduce, they must consult with the ICO prior to commencing the processing. When consulting the ICO, a controller shall provide details of:

• where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
• the purposes and means of the intended processing;
• the measures and safeguards provided to protect the rights and freedoms of data subjects;
• where applicable, the contact details of the data protection officer;
• the DPIA; and
• any other information requested by the

The ICO will respond within eight weeks of the request for consultation and provide written advice to the controller. This may be extended by six weeks in complex cases. The ICO will provide a written response advising whether the risks are acceptable, or whether it is necessary to take further action. Where appropriate the ICO can issue a formal warning not to process the personal data.

Yes, a DPIA should be carried out where the intended processing is “likely to result in high risks” to data subjects.

It will be necessary to carry out a DPIA if the controller plans to:

• use systematic and extensive profiling with significant effects;
• process special category or criminal offence data on a large scale; or
• systematically monitor publicly accessible places on a large

The current ICO guidance also indicates a DPIA should be conducted if the controller will:

• use innovative technology;
• use profiling or special category data to decide on access to services;
• profile individuals on a large scale;
• process biometric data;
• process genetic data;
• match data or combine datasets from different sources;
• collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
• track individuals’ location or behaviour;
• profile children or target marketing or online services at them; or
• process data that might endanger the individual’s physical health or safety in the event of a security breach.

The ICO also recommends that controllers should carefully consider carrying out a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals, or for any major new project involving use of personal data.

The assessment should be carried out prior to any processing and contain at least:

• a description of the proposed processing, including its nature, scope, context and purposes;
• an assessment of the necessity and proportionality of the processing operations;
• an assessment of the risks to the rights and freedoms of data subjects; and
• the measures envisaged to address the

The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. When appropriate, the controller should seek the views of the data subjects (or their representatives) on the intended processing. If the DPIA indicates the processing will result in a high risk due to the absence of available measures to mitigate the risk, the controller should consult with the ICO as detailed under question 15 above.

A person must appoint a data protection officer (DPO) if:

• it is a public authority or body (except for courts acting in their judicial capacity);
• its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This requirement applies to both controllers and processors. A group of undertakings can select a single DPO provided that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities. The DPO does not have direct personal liability under the DPA 2018 and the UK GDPR.

If a decision is made to appoint a DPO voluntarily the business should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.

The DPO’s tasks are:

• to inform and advise on data protection laws;
• to monitor compliance with data protection laws, and with the business’ data protection polices, including training staff and conducting internal audits;
• to advise on, and to monitor, DPIAs;
• to cooperate with the ICO and other supervisory authorities; and
• to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Where an organization is caught by the UK GDPR but has no offices, branches or other establishments in the UK, it will need to appoint a UK representative. The UK representative acts primarily as a local contact point for correspondence and enquiries from individuals and the ICO. Note that this is a separate obligation to the equivalent requirement under the EU GDPR to appoint an EEA-based representative.

The ICO makes clear in its guidance that it has an expectation that organisations will implement an all-staff data protection and information governance training programme. It provides the following recommendations for meeting its expectations:

• providing staff with comprehensive training on key areas of data protection such as handling data subject requests, data sharing, information security, personal data breaches and records management;
• a data protection governance structure is implemented whereby certain individuals are assigned specific responsibilities for managing and delivering data protection employee training;
• regular, accurate and targeted training is provided to employees;
• maintaining and updating training records and materials; and
• carrying our regular awareness of data protection policies, procedures and

Individuals have the right to be informed about the collection and use of their personal data.

At the time personal data is obtained from a data subject, a controller must provide the data subject with all of the following privacy information:

• the identity and the contact details of the controller and, where applicable, of the controller’s representative;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing as well as the legal basis for the processing;
• the legitimate interests pursued by the controller or by a third party where the “legitimate interests” lawful basis is being used;
• the recipients or categories of recipients of the personal data, if any;
• the source of the data;
• the retention periods;
• details of the individual’s rights, including the right to withdraw consent;
• the right to lodge a complaint with a supervisory authority;
• if there is a statutory or contractual obligation to provide certain details and the consequences of not providing these;
• if automated decision making or profiling is being conducted with meaningful information about the logic used and the intended consequences of the processing; and
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to allow the transfer and where relevant how to obtain a copy.
• When personal data is obtained from a source other than the individual it relates to, the individual needs to be provided with the above privacy information:
• within a reasonable period of obtaining the personal data and no later than one month;
• if the data are used to communicate with the individual, at the latest when the first communication takes place; or
• if it is envisaged that the data will be disclosed to someone else, at the latest when the data is disclosed.

The controller must actively provide privacy information to individuals. They can meet this requirement by putting the information on their website, but they must make individuals aware of it and give them an easy way to access it, including at the point of collection of their data. For all audiences, information must be concise, transparent, intelligible, easily accessible and in clear and plain language.

When providing the information to individuals, it is permissible to use a combination of techniques such as a layered approach to presenting the information, privacy dashboards, just in time notices and icons. A controller must regularly review, and where necessary, update its privacy information, and bring any new uses of an individual’s personal data to their attention before starting processing.

The law distinguishes between “controllers” and “processors”. A controller is the main decision-maker who exercises control over how and why personal data is collected and the use of the data. The controller has the highest level of responsibility when it comes to complying with the DPA 2018 and the UK GDPR. They must make sure that the processing of that data complies with data protection law. UK controllers are also required to pay a data protection fee to the ICO unless exempt (see question 3 above).

A processor is the person who processes data on behalf of the controller and in accordance with their instructions. Processors do not have to pay the data protection fee. However, they have some statutory legal obligations in their own right under the UK GDPR and DPA 2018, although these are more limited than the controller’s obligations. These include obligations in relation to processing contracts, security measures, security breach notifications, data protection officers and record-keeping.

Processors may also be:

• subject to investigation by their supervisory authority (such as the ICO);
• fined for breaches of their direct obligations under the DPA 2018 and the UK GDPR;
• contractually liable to the controller for breach of contract; and/or
• subject to a claim in the courts for damage caused by their processing (including non- material damage such as distress). However, they will only be liable insofar as they have failed to comply with the provisions specifically relating to processors, or they have acted without the controller’s lawful instructions or against those instructions.

Yes, the UK GDPR specifies minimum contractual provisions that any contract between a controller and a processor must contain. These include:

• a requirement that the processor may only process personal data in line with the contractor’s documented instructions;
• a restriction on appointing sub-processors without the controller’s prior specific or general written authorisation. If a sub-processor is to be engaged under a general authorisation, then proposed changes must be notified in advance to give controllers a chance to object;
• a requirement to “flow-down” obligations under the contract between the controller and processor to any agreement with a sub-processor, so that the sub-processor contract must offer an equivalent level of protection for the personal data;
• requirements for processors to assist with many of the obligations imposed on controllers (such as controllers’ obligations to respond to the exercise of data subject rights, data security and other governance obligations);
• a direct statutory “policing” obligation, to “immediately inform” the controller if, in the processor’s opinion, an instruction infringes relevant data protection laws; and
• “end-of-contract” provisions requiring the processor to delete or return all personal data at the end of the contract term.

Failing to include mandatory contractual provisions is itself a breach of the UK GDPR.

Where a sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub processor’s obligations. The controller may only use processors who provide sufficient guarantees that processing will meet the relevant data protection requirements and protect data subjects’ rights. A controller will therefore need to conduct due diligence on a proposed processor to enable it to show how it has sought to comply with the data protection principles, including the security measures that the processor has in place, such as cybersecurity provisions proportionate to the processor’s level of risk exposure and profile of the processor’s and the controller’s business.

Where a processor is located outside of the UK or the EU, the controller must ensure that contractual provisions adequately govern the transfer of the data flow between controller and processor (please see question 27 below for further information on international data transfers).

Importantly, processors are required to notify controllers of data breaches regardless of the harm threshold. In effect this means that processors must notify controllers of any security breach involving the controller’s personal data. It is then for the controller to undertake any required risk of harm analysis and to decide the next steps.

If data is being shared between two independent controllers, an appropriate data sharing agreement should be entered into by the parties as a matter of good practice but is not mandatory.

Automated decision-making is the making of a decision, about an individual, based solely on automated means without any human involvement.

The UK GDPR defines “profiling” as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Controllers may generally engage in automated decision-making and profiling if they have a lawful basis for processing the personal data, comply with their transparency obligations and abide by the data subject’s right to object. However, data subjects have the right not to be subject to a decision when it is based solely on automated processing (including profiling) if the decision produces legal effects or similarly significantly affects them. Such a process can only be carried out by an organisation if the decision is:

• necessary for entering into or performance of a contract between the organisation and the individual;
• authorised by law (for example, for the purposes of fraud or tax evasion); or
• based on the individual’s explicit

Where the processing is carried out for contractual purposes or is based on the data subject’s consent, the controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

In addition, if special category personal data is involved the controller can only carry out such processing if it takes suitable measures to safeguard the data subject’s rights and:

• if it has the individual’s explicit consent; or
• if the processing is necessary for reasons of substantial public interest and is provided for by law and must include measures to protect the interests of the individuals.

Automated decision-making in respect of children is generally prohibited, although the guidelines issued at the European level on automated decision-making and profiling indicate that there are narrow exemptions to this.

The PECR set out rules on the use of “cookies”. A business must tell people if it uses cookies, and clearly explain what the cookies do and why. Cookies and similar technologies which are used to store or gain access to information on a device can only be used with the consent of the individual. As under the UK GDPR and DPA 2018 (and further explained at question 7 above), consent must be freely given, specific and informed, and must be provided by way of a clear positive action. There is an exception for cookies that are essential to provide an online service at someone’s request. Under the DPDI, the UK government is proposing to extend this exception to cookies that collect statistical information to make improvements, enable the appearance or function of a website to reflect user preferences, install necessary security updates to software on a device and identify the individual’s geolocation in an emergency.

Cookie data may also be data which allows an individual to be identified, therefore falling within the rules on personal data in the DPA 2018 and UK GDPR.

UK data protection law does not define nor set out any specific rules with regards to cross- contextual behavioural advertising. However, any processing of personal data in the context of cross-contextual behavioural advertising would need to comply with the UK GDPR and PECR, including:

• rules relating to the use of cookies and similar tracking technologies (such as pixels and mobile SDKs);
• information and transparency requirements; and
• obligations relating to the validity of consent (namely ensuring such consent is sufficiently specific, freely given and informed, including with respect to potential recipients of the personal data).

“Sale” does not have a specific meaning in the context of the UK GDPR or DPA 2018. Selling personal data in the ordinary sense is not prohibited under UK data protection law. However, there is still an overarching obligation for organisations to comply with their general obligations under the UK GDPR. For example, organisations must have established a legal basis for the processing of the personal data it intends to sell and must comply with its transparency obligations (i.e., by providing clear details of the data sharing to the data subject at the point of collection of the personal data) and the purpose limitation principle (i.e. ensuring that data is not used for purposes incompatible with the purposes for which the data was originally collected).

Marketing activities using personal data have to comply with the DPA 2018, UK GDPR and PECR.

Where personal data is processed for the purposes of direct marketing, the data subject has an absolute right to object to the processing. This right should be explicitly brought to the attention of the data subject at the time their data is collected and presented clearly and separately from any other information.

Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).

In addition, the PECR prohibit the sending of unsolicited electronic marketing messages unless the recipient has given their consent. “Electronic” messages cover email and text message, as well as any other message stored electronically (such as messages sent via social media). The rules also apply to automated voice calls (but not live voice calls).

“Consent” in this context must be of a GDPR standard, namely specific, informed and freely given. When relying on consent to market a business should therefore specify the different methods they want to use (e.g., by email, by text, by fax, by phone or by recorded call). In addition, it must ask for specific consent if it wants to pass details to other companies, and it must name or describe those companies in detail.

A business should also keep clear records of consent and keep a “do not contact” list of anyone who objects, opts out or withdraws their consent.

A limited exception to the consent requirement, known as “soft-opt”, may apply where contact details are collected in the context of a sale or a negotiation for a sale, and:

• the marketing relates to the same/similar goods/services as those purchased or negotiated;
• the customer is given the opportunity to opt-out of receiving marketing communications at the time of the purchase or negotiation and in every communication thereafter; and
• the marketing comes directly from the contracting entity/controller who has sold or is negotiating for the sale of the goods/services. The marketing must relate to similar products or services.

The marketing rules set out in PECR apply not only to the person sending the marketing messages but also to the person “instigating” those messages. A person using third party contractors to send messages or relying on viral marketing would therefore still be responsible for compliance with PECR in relation to those marketing messages.

There are also rules relating to telephone marketing which prohibit live unsolicited calls to:

• anyone who has already objected to the calls; or
• any number registered with the Telephone Preference Service, unless the recipient has specifically consented to receive the call.

Enforcement action relating to non-compliance with email, text and phone marketing rules in the UK has been frequent in the last few years, and the majority of fines issued by the ICO relate to nuisance phone calls and emails. Such fines can be large: in December 2022 the ICO fined five businesses a total of £435,000 for making nearly half a million unlawful marketing calls.

Under Article 4(14) of the UK GDPR, biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

Biometric data will also be special category data if it is processed “for the purpose of uniquely identifying a natural person”. This means that there will be additional requirements affecting processing, including the need for any consent to be “explicit” if consent is relied on as the lawful ground for processing.

Large-scale use of biometric data is likely to trigger the need for a DPIA, on the basis that the processing is likely to result in a high risk to the rights and freedoms of natural persons.

Transfers of personal data to countries outside the UK (including to Crown dependencies or UK overseas territories, including Gibraltar) are restricted and subject to limited exceptions. These restrictions apply to all transfers, no matter the size of transfer or how often they are carried out.

The most commonly applied exceptions to the prohibition on international transfers are:

• The transfer is it is to a country, territory or international organisation in respect of which there is an adequacy regulation in place

At the time of writing the UK’s adequacy regulations cover the same jurisdictions, territories and international organisations considered adequate by the European Commission for transfers from the European Union, as well as all Member States in the European Economic Area. As part of its plans to reform data protection law in the UK, the UK Government is working in partnership with a number of priority destinations which may be the subject of adequacy regulations in the future, including Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, Singapore and the United States of America.

Transfers of personal data from the EEA to the UK are subject to an adequacy decision by the European Commission adopted on 28 June 2021. The decision, however, is only valid for four years after it entered into force and is subject to ongoing monitoring by the European Commission to determine whether the standard of protection for personal data in the UK deviates at any point from the level of protection currently in place.

The decision by the Court of Justice of the European Union in the Schrems II case in July 2020, which invalidated the Privacy Shield framework, was made prior to the end of the Brexit transition period, and so also applied to transfers from the UK to the U.S.

On 25 March 2022 the European Union and U.S. announced plans to introduce a new data transfer mechanism to enable transfers of personal data from the European Union to the U.S. by way of an adequacy decision. It is unclear whether the UK will reach a similar agreement with the U.S. (see question 2 above). However, it is anticipated that the UK will also follow suit and pass its own UK-U.S. adequacy decision.

• There are appropriate safeguards in place (for example Standard Contractual Clauses or the UK-specific international data transfer agreement)

The new EU Standard Contractual Clauses (published on 4 June 2021) can be used for transfers of personal data from the UK subject to an addendum that adapts the EU approved text for transfers made under the UK GDPR. The UK Secretary of State has issued an approved addendum which can be used to supplement EU Standard Contractual Clauses for transfers that involve personal data subject to the UK GDPR.

The UK has also approved its own standalone international data transfer agreement (IDTA) for transfers of personal data under the UK GDPR.

• A company uses approved binding corporate rules (BCRs)

BCRs can be used to legitimise a restricted transfer within an international organisation if both the entity making the transfer and the recipient have signed up to approved BCRs. They are intended for use by multinational corporate groups, groups of undertakings or groups of enterprises engaged in joint economic activity, such as franchises, joint ventures or professional partnerships. BCRs approved for international transfers under the EU GDPR require separate approval for transfers under the UK GDPR.

• One of the limited derogations under Article 49 UK GDPR can be met

Article 49 of the UK GDPR sets out certain limited derogations from the prohibition on international transfers, including:

• explicit consent of the data subject;
• the transfer is necessary for the performance of a contract between the data subject and the controller;
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for the establishment, exercise or defence of legal claims; and
• the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving

Derogations are limited in scope and generally require that the transfer is only occasional and other than where the transferor relies on consent, necessary for the relevant purpose stated in the derogation. They are therefore not suitable for regular transfers (although the restricted transfer may happen more than once).

It should be noted that for transfers where no adequacy regulation is in place or in respect of which a derogation does not apply, the UK takes the same approach as the European Union in requiring a transfer impact assessment to ensure that data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime. The risk assessment should take into account the protections contained in the appropriate safeguard relied on for the transfer (such as the Standard Contractual Clauses or the UK’s IDTA) and the legal framework of the destination country, including laws governing public authority access to personal data. If the assessment concludes that the transfer mechanism does not provide the required level of protection, the data exporter should include additional measures.

With regards to notification, international transfers of personal data do not generally require notification to the ICO. However, where data exporters cannot rely on any derogations, adequacy decisions or other transfer mechanisms, the UK GDPR allows organisations to make a one-off restricted transfer where it is in the organisation’s compelling legitimate interests, and those interests outweigh the rights and freedoms of individuals. The ICO gives the example of a transfer of personal data to protect a company’s IT systems from serious immediate harm.

Where such a one-off restricted transfer is made, the transferor would need to assess the circumstances surrounding the transfer and provide suitable safeguards to protect the personal data, such as strict confidentiality agreements, a requirement for data to be deleted soon after transfer, technical controls to prevent the use of the data for other purposes or sending pseudonymised or encrypted data.

When making a transfer based on this exception, the transferring organisation must inform the individual, explaining its compelling legitimate interest to them, and the ICO. The ICO will ask to see full details of the assessment taken by the organisation in determining whether it can rely on this exemption.

Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. This includes adequate cybersecurity measures proportionate to the risk exposure of the organisation. The parties should consider factors such as the state of the art, implementation costs and the context of processing. Such measures could include pseudonymisation, encryption of personal data and a process for regularly testing the effectiveness of wider network security measures. The legislation does not specify the level of security required, since it needs to be proportionate to the risks presented by the processing carried out.

Measures should be put in place following an evaluation of the risks to prevent unauthorised or accidental processing and to ensure it is possible to establish the precise details of any processing that takes place. The measures must ensure the confidentiality, integrity and availability of the systems and services that process personal data, and the data itself. Such measures should enable the controller to restore the personal data in a timely manner in the event of a physical or technical incident. Recently, the ICO has commented that measures should be proportionate and accurately recorded. Organisations have faced criticism when the security measures that they state to have in place, are not adhered to. (See for example the £98,000 fine issued to Tuckers LLP in March 2022. The ICO noted in part that, while Tucker’s data protection policy required two-factor authentication where available, it did not use MFA for remote access).

Yes. Broadly speaking, UK legislation addresses security breaches in relation to personal data as well as service operation and/or availability (see question 1 above).

Under the UK GDPR, a “personal data breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data. The PECR adopt a similar definition, with an additional caveat that such personal data breach takes place in connection with the provision of a PECS.

Other legislation with cybersecurity requirements adopt differing definitions. Under NIS, an “incident” is defined as any event having an actual adverse effect on the security of network and information systems, whereas the Communications Act 2003, stets out the definition of a “security compromise” in Sections 2 and 3, which encompasses compromises of availability, performance and functionality as well as security compromises and loss or alteration of data. A business should ensure it has robust breach detection, identification, investigation and internal reporting procedures in place to help it determine whether it needs to notify the personal data breach to the relevant supervisory authority (e.g., the ICO) and the affected individuals. A business must keep a record of any personal data breaches, regardless of whether it is required to notify the breach.

As referred to at question 1 above, certain providers may also have separate security or reporting obligations under the PECR, eIDAS and NIS (certain digital services).

For example, under NIS, digital service providers (DSPs) and operators of essential services (OESs) must comply with more stringent cybersecurity measures and notification requirements in the event of a cyber incident, including a personal data breach. This is because of their increased risk profiles and the large-scale reliance on their services, which means that a cyber incident or service outage involving such entities would have a highly disruptive impact across the UK

DSPs are regulated by the ICO and include three types of businesses: (i) online search engines,

(ii) online marketplaces and (iii) cloud computing services. The ICO does not designate companies as DSPs and organisations are required to determine their potential status as a DSP themselves and consequently register with the ICO.

OESs relate to organisations across five sectors: energy, transport, health, drinking water supply and distribution and digital infrastructure. Each of these sectors has a separate designated competent authority responsible for the issuance of guidance and further regulations to govern their activities, responsibilities and obligations vis-à-vis the NIS Regulations. Even though the UK has now left the EU, the European Union Agency for Cybersecurity offers useful and concrete sector-specific guidance for OESs, including industry standard and best practice documents.

In January 2022, the UK announced a review of the UK cyber security regime under the current NIS Regulations (see question 42 below).

All organisations have a duty to report certain types of personal data breach to the relevant supervisory authority (i.e., the ICO). Controllers must report a breach without undue delay and where feasible within 72 hours of having become aware of it unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must contain certain information specified in the UK GDPR. Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Any delay in making a notification must be accompanied by reasons for the delay. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must be informed without delay.

Where industry-specific notification requirements apply under sectorial legislation, relevant organisations must comply with notification timeframes set out in that legislation and in relevant guidance:

• Under PECR, PECS providers must notify the ICO without undue While this had previously been mandated as within 24 hours of detection, the ICO has indicated that it will exercise its discretion not to pursue PECS providers that take longer than 24 hours to notify an incident, provided that the incident is reported within 72 hours and is unlikely to harm data subjects.
• Under the Communications Act 2003, PECS and PECN providers must notify incidents to Ofcom, for ”urgent” compromises as soon as reasonably practicable and ideally within three hours of providers becoming aware of them, and non-urgent compromises within 72 hours of providers becoming aware of them.
• Under NIS, incidents must be notified without undue delay and in any event no later than 72 hours after the controller becoming aware of the incident.
• Under eIDAS, incidents must be notified without undue delay but in any event within 24 hours of the controller having become aware of the breach of security / loss of

While UK law enforcement does not encourage, endorse or condone ransom payments in ransomware attacks, the payment of a ransom is not of itself an offence. However, an offence may be committed where a payment is made to a sanctioned entity designated by the UK Government, determined to be subject to the Proceeds of Crime Act 2002 and/or where the payment with be subject to the Terrorism Act 2000. In February 2023, the UK OFSI designated seven individuals subject to sanctions who were involved with known ransomware groups.

The United Kingdom does not have a separate cybersecurity regulator. As raised above, the ICO determines whether an organization has the appropriate technical and security measures in place in respect of processing of personal data. However, the NCSC plays an important role in this field by providing organisations with cybersecurity advice and support (see www.ncsc.gov.uk). The NCSC oversees the implementation of the NIS Regulations in respect of organisations subject to it.

Individuals have the right to be provided with certain information about the collection and use of their personal data, including the purpose for processing, the retention period and who it will be shared with, as set out in response to question 19.

There are certain exceptions, including when the data subject already has the information, or where providing the information would prejudice the prevention, investigation, detection or prosecution of criminal offences. Additional limited exemptions apply where personal data is obtained from a source other than the data subject, including where providing the information proves impossible or would involve a disproportionate effort.

Individuals also have the following rights:

• the right to access their personal data;
• the right to have inaccurate personal data rectified, or completed if it is incomplete;
• the right to have personal data erased (also known as the “right to be forgotten”). The right is not absolute and the request may declined on various grounds, including where the deletion is not compatible with the right of freedom of expression and information, where processing is necessary to comply with a legal obligation, or necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
• the right to restrict processing of personal data (so that it may only be stored and not used). This is not an absolute right and only applies in certain circumstances;
• the right to data This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a controller;
• the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct In other cases where the right to object applies a controller may be able to continue processing if it can show that it has a compelling reason for doing so. Controllers must tell individuals about their right to object; and
• other rights in relation to automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual) as set out in response to question 22.

The individual may make a request in relation to the above rights either verbally or in writing. There is a period of one month in which to respond. Note that a large percentage of complaints received by the ICO relates to the exercise of data subject rights, and the ICO has increasingly been focusing on compliance with subject access requests.

Companies should be aware that when dealing with subject access requests it is not possible in most circumstances to charge a fee for complying. However, in some cases a company can refuse to comply with a subject access request, usually where: (i) a relevant exemption applies; (ii) the request is manifestly unfounded; or (iii) the request is excessive. Reasons need to be given for refusal and the data subject needs to be informed of their right to make a complaint to the ICO or to enforce the right judicially.

The ICO has the power to take action against controllers and processors. Individuals can complain to the ICO if they believe their rights have been infringed.

Individuals can also seek remedies through the courts and can bring claims for compensation and damages against both controllers and processors.

Any person who has suffered as a result of an infringement of the DPA 2018 and/or UK GDPR has the right to bring a claim for compensation against a controller or processor for the damage suffered. They can also complain to the ICO and relevant supervisory authorities.

Individuals do not need to show actual material damage or monetary loss in order to bring a claim, as the UK GDPR and DPA 2018 provide for a right to compensation for non-material damage, including distress.

Representative actions, comparable to US-style class action suits, have previously been used in privacy and data protection claims against organisations. However, the decision in Lloyd v Google LLC [2021] UKSC 50 has cast some doubt on the extent to which representative actions in the UK can be used in a similar way to class actions in the US. Representative opt-out actions can effectively be used to establish liability for infringements, but not necessarily to establish the quantum of damages. The latter would most likely need to be pursued through an opt-in group litigation order.

It is unclear whether the split process will be economically viable for litigation funders (who fund a sizeable proportion of these types of claims), as the expense of pursuing an opt-out claim to establish liability may not be recoverable through a subsequent opt-in procedure on quantum unless a sufficiently large number of claimants signs up.

The Lloyd v Google case was also determined under the old statutory regime predating the DPA 2018 and the UK GDPR, and so it is unclear whether the same decision would have been reached under current legislation.

Yes, individuals are entitled to monetary damages. Damage may be material or non-material (including distress).

The ICO has a range of powers it can exercise, including restricting or stopping the processing of personal data.

In addition, the ICO can issue fines on a controller or a processor for its breach of the obligations that apply to it. The ICO can issue an:

• information notice to require any person to provide information they reasonably require for the purposes of carrying out its functions, or investigating suspected failures or offences. It is an offence to fail to comply with an information notice, whether intentionally or recklessly and the court can make an order to compel the person to comply with the information notice;
• assessment notice to permit the ICO to carry out an assessment of a business to identify if it has complied with, or is complying with, data protection legislation. This can be done through means such as allowing the ICO access to specified premises,
• technology and directing the ICO to certain documents, and explaining such documents; and
• enforcement notice which requires a person to take steps specified in the notice, or refrain from taking steps specified in the notice, or both. The notice must include details of what the person has failed, or is failing, to do and the ICO’s reasons for reaching that opinion.

There is a two-tier system of fines reflecting the seriousness with which a breach of specified obligation is viewed. For example, breaches of the principles, conditions applicable to consent, lawful basis, individual’s rights and restricted transfers provisions are subject to the higher tier of up to £17.5 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a DPIA, a processor’s obligations, privacy by design and appointing a data protection officer (amongst others) are subject to a lower standard tier where the maximum fine is £8.7 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The ICO in issuing a fine will take account of: the nature, gravity and duration of the infringement, any mitigating action taken, previous infringements and the intentional or negligent character of the infringement.

At the time of writing, to date the highest fine issued by the ICO was in respect of a personal data breach suffered by British Airways, which was fined £20 million (revised down from £183 million) in 2020. The ICO found that British Airways had not implemented sufficient security measures, both to prevent the cyber-attack and to detect it. Other significant fines issued by the ICO include the £18.4 million fine issued to Marriott International in 2020 and £7.5 million issued to Clearview AI in 2022.

The ICO has published a “Regulatory Action Policy” following public consultation. The Regulatory Action Policy sets out the ICO’s likely position in relation to the level of penalty it may impose for breaches of the UK GDPR. In particular, the ICO states that where it has discretion to set the amount of a fine, it will follow the below five steps (with each step identifying an “element” of the overall fine) before imposing a fine:

1. An ‘initial element’ removing any financial gain from the breach of the UK
2. Adding in an element to censure the breach of the UK GDPR based on its scale and
3. Adding in an element to reflect any aggravating
4. Adding in an amount for deterrent effect to
5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship).

The ICO has identified that the amount of fine will generally be higher where:

• vulnerable individuals or critical national infrastructure are affected;
• there has been deliberate action for financial or personal gain;
• advice, guidance, recommendations or warnings (including those from a data protection officer or the ICO) have been ignored or not acted upon;
• there has been a high degree of intrusion into the privacy of a data subject;
• there has been a failure to cooperate with an ICO investigation or enforcement notice; and
• there is a pattern of poor regulatory history by the target of the investigation.

The ICO also confirmed that when assessing the amount of any fine in data protection cases (including NIS cases) involving failures to meet data security obligations, it will consider the security breach separately from the failure to report the incident. In all other cases the ICO will adopt a ‘whole case’ approach when setting the amount of fine.

An organisation can appeal an ICO decision to the First-tier Tribunal. Individuals can also appeal to the First-tier Tribunal if they have filed a complaint with the ICO and have not received a response within 3 months.

Data subjects can also apply to court for a compliance order requiring an organisation to take steps to remedy non-compliance with the data protection legislation.

• Large fines are not necessarily restricted to personal data breaches and further enforcement actions may be taken. While the highest fines to date (see question 39) still relate to personal data breaches and issues surrounding data security, the ICO has also levied large fines for non-compliance with other UK GDPR requirements. For example:
  • the ICO issued a large fine of £7.5 million against Clearview AI in May 2022, for using biometric data derived from images of UK data subjects obtained from the internet. The ICO alleged that Clearview used such images to generate vectors that may be used to identify individuals. Clearview was also given an enforcement notice that required them to stop processing the personal data of UK data subjects, which is currently the subject of an appeal to the First Tier Tribunal.
  • In April 2023, the ICO issued a £12.7 million fine against TikTok for failing to obtain appropriate consent from the parents of under 13s when offering its services, failing to provide transparent information regarding TikTok’s collection, use and sharing of personal data, as well as failing to carry out adequate checks to identify and remove underage children from its platform.
• A large proportion of fines still relate to breaches of unsolicited marketing rules. In the last year, around 80% of fines issued by the ICO related to unsolicited marketing calls, texts and emails. While such fines are typically not the largest issued by the ICO, they form a large part of the ICO’s enforcement activity and are not insubstantial (fines have typically ranged from £20,000 to £200,000).
• Adtech and related data use are drawing increased scrutiny. Mirroring the concerns of European regulators, the ICO has increased its scrutiny on adtech practices and any related data use. Following the publication of the ICO’s opinion on adtech practices in November 2021, the ICO has conducted several audits of “data brokers” including Experian, Equifax and TransUnion. Data broking involves the collection and combination of data about individuals from various sources, after which it is sold or rented to organisations for marketing The ICO issued an enforcement notice against Experian in 2020, requiring changes to be made to Experian’s processing of personal data. Experian appealed the ICO’s decision to the First- Tier tribunal, which found partially in Experian’s favour in February 2023 and limited the scope of the enforcement notice. It remains to be seen whether the ICO will appeal the First Tribunal’s decision.

As referred to at question 1 above, the UK is currently looking at proposals to adopt a number of laws in the privacy, data protection and cybersecurity space, namely:

• Online Safety Bill

The Online Safety Bill (OSB) was introduced in Parliament on 17 March 2022. Following intense scrutiny in the media and in the UK Parliament, the OSB is currently under debate in the House of Lords, the UK Parliament’s second chamber. Amongst other things the OSB will require social media platforms, search engines and other apps and websites allowing people to post their own content online to protect people from harmful content, tackle illegal activity and upload their stated terms and conditions. The OSB also includes a requirement for social media platforms to verify users, which will lead to the collection of vast quantities of personal data and further extend the scope of online service providers’ data protection compliance obligations. A proposed amendment to the OSB was introduced in January 2023 that would extend the criminal liability regime of the OSB to sanction senior managers of online services that have failed in their compliance with safety duties to protect children, as required under the OSB.

• UK Data Protection Reform Bill

On 8 March 2023, the UK Government’s Department for Science, Innovation and Technology introduced the new Data Protection and Digital Information (No.2) Bill (the “DPDI”) to the UK Parliament, amending a previous Bill introduced in July 2022. The DPDI seeks to reform the UK’s existing data protection regime (including the UK GDPR, DPA 2018 and PECR). The DPDI will not replace these laws, but seeks to amend and supplement these laws. Among other changes, the DPDI proposes changes to the rules regarding DPIAs, data subject access requests, the requirement to appoint representatives, records of processing activity and consent to certain types of cookies.

According to the UK government’s announcement, the DPDI is intended to reduce red tape and to “introduce a simple, clear and business-friendly framework”.

• NIS 2

On 14 December 2022, the EU adopted the Network and Information Security 2 Directive (NIS 2), expanding the scope of the Network and Information Security (NIS) Directive, the EU’s first cybersecurity legislation. NIS 2 builds on the NIS Directive adopted in 2016. NIS 2 will cover a larger share of the EU economy and implement additional security and reporting requirements across EU states. As EU law, NIS 2 will not be implemented in the UK. However, on 30 November 2022, the UK government announced a proposal to expand the scope of the UK NIS Directive. The proposal suggests that some changes similar to NIS 2 can be expected. The proposals remain open for response until April 2023. Proposals include:

• expanding the scope of the UK NIS to “Managed Service Providers”, i.e. B2B providers of services such as security monitoring, managed network services or the outsourcing of business processes which involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems;
• expanding the incident reporting requirements under UK NIS to include incidents which pose a significant risk to the security and resilience of the entities and the essential services they provide; and
• establishing a 2-tier supervisory regime for digital service providers in scope of UK The regime would have a proactive supervisory regime for the most critical digital services and a reactive supervisory regime for the remaining digital services under UK NIS.