GDPR and Data Protection
Frequently Asked Questions

What is personal data?

The General Data Protection Regulation (GDPR) defines personal data as “any information which are related to an identified or identifiable natural person.” By using the term ‘any type of information’, it can be determined that the intention of the GDPR is to be as broad as possible. Identifiers can be a name, an identification number (e.g. national insurance number, car registration plate), location address (e.g. information from the network or service about the location of a phone or other device), an online identifier (e.g. IP address) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data may still be considered ‘personal data’ even without one of the above identifiers, e.g. if the content or subject matter is about an individual.

What is a data subject?

ICO defines a data subject as “the identified or identifiable living individual to whom personal data relates.” A data subject refers to any individual person who can be identified, directly or indirectly, via an identifier, such as a name, an identification number (e.g. national insurance number, car registration plate), location address (e.g. information from the network or service about the location of a phone or other device), an online identifier (e.g. IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

What does ‘processing’ of personal data include?

‘Processing’ covers a wide range of activities performed on personal data, including by both manual and automated means. It includes collecting, recording, storing, organising, structuring, analysing, modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data.

What is a data controller?

A data controller can be defined as an organisation or individual which makes decisions about personal data processing activities, most notably ‘why’ (the purposes for which) and ‘how’ (the means by which) personal data is processed. Data controllers exercise overall control of the personal data being processed and are ultimately in charge of, and responsible for, the processing.

A controller can be a company or other legal entity, or an individual (e.g. sole trader or self-employed professional).  However, an individual processing personal data for purely personal or household purposes is not subject to the GDPR.

What is a joint controller?

If an organisation jointly determines, with one or more other organisations, ‘why’ and ‘how’ personal data should be processed, it is a joint controller. It is important to note that joint controllers have the same or shared purposes.  Controllers will not be joint controllers if they are processing the same data for different purposes. Joint controllers are required to enter into an arrangement with the other organisation/s setting out their respective responsibilities for complying with the GDPR rules. Joint controllers must also communicate the main aspects of the arrangement to the relevant data subjects.

What is a data processor?

If an organisation processes personal data purely on behalf of a data controller, it is a data processor. Data processors are typically external to data controllers and can be a company or other legal entity (e.g. partnership or public authority), or an individual (e.g. consultant). However, employees of a data controller who are fulfilling their duties are regarded as agents of the controller, not processors.

Data processors act on behalf of the relevant data controller and under their authority. In doing so, they serve the controller’s interests rather than their own. Although a processor may make its own day-to-day operational decisions, Article 29 of the GDPR specifies that it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.

It should be noted that if a data processor acts without the data controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a data controller in respect of that processing and will have the same liability as a data controller.

What is the difference between GDPR recitals and articles?

The GDPR contains 99 articles and 173 recitals, but what is the difference between these 2 components? The articles represent the legal requirements which an organisation must meet in order to demonstrate compliance with the Regulation. The recitals, on the other hand, provide supporting information and further guidance to supplement the articles. Organisations can use the recitals, for example, to learn more about how to comply with the GDPR.

What is a privacy notice?

A privacy notice is an external statement which informs data subjects how and why their personal data will be processed and is a key document in satisfying the transparency requirements of the GDPR (see Lawfulness, Fairness and Transparency Principle). Whilst not defining a privacy notice, the GDPR does provide a minimum set of information which an organisation should include within its privacy notice. Data subjects should be provided with the organisation’s contact details and be informed of such things as:

• The type of personal data being collected
• How their personal data is collected and where from
• Why their information needs to be collect or held and the lawful basis* for doing this
• Whether personal data is passed to any third party and the reasons for doing this
• How or where their personal data is kept, how long the organisation intends to keep it for and then how it will be securely destroyed or disposed of
• Their data protection rights
• How to make a complaint to both the organisation and also to the supervisory authority

* If an organisation is relying on consent to process an individual’s information, then it should also tell the individual about their right to withdraw consent and how they can do this.

It is important to note that an organisation is required to write the privacy notice in clear and plain language and keep it concise, transparent and easily accessible and provided free of charge.

What is a ROPA?

Article 30 of the UK GDPR requires organisations to create and maintain a record of processing activities (ROPA) under their responsibility*. The record can be kept in either an electronic or paper format. Importantly, the record must contain specific information including the following:

• The name and contact details of the controller
• Where applicable, the name of the joint controller
• The purposes of the processing
• A description of the categories of data subjects and the categories of personal data
• The categories of recipients to whom the personal data have been or will be disclosed
• Where applicable, transfers of personal data to a third country or an international organisation.
  ‍

*There are certain exemptions for organisations with less than 250 organisations but these exemptions will only be relevant to a small percentage of businesses.

What is a DPIA?

A data protection impact assessment (DPIA) describes a process aimed at identifying risks associated with the processing of personal data and minimising these risks, ideally before the processing begins. Article 35 of the UK GDPR requires organisations to conduct a DPIA where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. This is particularly relevant when a new data processing technology is being introduced.
A DPIA is required where there is:

• Processing on a large-scale that involves health records or criminal convictions and offences.
• Systematic monitoring of a publicly accessible area on a large scale, e.g., deployment of CCTV in a publicly accessible area.

It is good practice to conduct a DPIA even when there is uncertainty if it is required.

What is a DPO?

A data protection officer (DPO) is the individual who is responsible for overseeing the organisation’s data protection strategy. The person also monitors its implementation to ensure compliance with GDPR requirements.
According to the UK Information Commissioner’s Office (ICO), “The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level”
The DPO can be an existing employee or externally appointed. There is also a growing trend of organisations appointing a virtual DPO.

Do we need a DPO?

Under the UK GDPR, certain organisations are required to appoint a DPO and are as follows:

• A public authority or body
• Organisations whose core activities consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
• Organisations whose core activities consist of large scale processing of special categories (e.g., health records) of data or personal data relating to criminal convictions and offences.

What type of data breaches do the ICO need to be notified about?

If an organisation is involved in a personal data breach, one of the decisions it needs to make is whether to report it to the supervisory authority (ICO in the UK). That decision will need to be made on an assessment of the risks to the data subjects involved. Organisations need to consider both the severity and likelihood of the potential negative consequences of the breach, including the risks to the rights and freedoms of the data subjects. Recital 85 of the GDPR provides a steer on the types of negative consequences which can result from a data breach, including loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality etc.  As such, organisations need to consider a range of adverse effects on individuals, which includes emotional distress, and physical and material damage.  These effects need to be assessed on a case-by-case basis, looking at all relevant factors.  Apart from the potential consequences, organisations should also be considering other factors, such as how easy is it to identify individuals from the data, what type of a breach is it (e.g. loss of data or disclosure), how sensitive is the data, are vulnerable individuals involved etc.

If, following a risk assessment, an organisation decides that it doesn’t need to report a breach, it needs to be able to justify this decision and document it.

If it is necessary to report a data breach to the ICO, there are various criteria which the GDPR requires an organisation to meet, including the requirement to report within 72 hours of becoming aware of a breach. Given that breach reporting is an area where organisations understandably have limited expertise and experience, this is where third party assistance from specialist organisations such as URM can be invaluable.

What is the difference between the UK GDPR and the EU GDPR, and where do they both apply?

The splitting of the GDPR into two ‘versions’ is a direct result of Brexit. In preparation for the UK finally leaving the European Union on 31 December 2020, the UK’s Data Protection Act 2018 (the DPA) incorporated the whole of the GDPR into UK law so that it would remain the law in this country after we left the EU. The DPA’s incorporation of the entirety of the GDPR was also intended to make it easier for the European Commission to grant the UK, in the six months following Brexit day, the important ‘adequacy decision’ (an official finding that the UK’s privacy laws provide people a level of protection ‘essentially equivalent’ to that provided by EU laws) necessary to allow data transfers from the remaining EU states to the UK to continue uninterrupted.

A few months after the DPA, in 2019, the UK parliament passed some EU exit amendment regulations which made many technical changes to the language of the DPA, including introducing the terms ‘UK GDPR’ and ‘EU GDPR’. These 2019 regulations also amended the UK GDPR to make it read like a UK law – e.g., references to a ‘supervisory authority’ were changed to refer to the UK’s data protection regulator, the Information Commissioner’s Office (ICO).

Since 1 January 2021, any organisation which processes personal data in the UK, or anywhere in the world in the context of the activities of an establishment in the UK, must comply with the UK GDPR; as must organisations which are not established in the UK (e.g., foreign businesses, including those based in the EU) but which process anywhere in the world the personal data of people in the UK in relation to offering goods and services to those UK people, or monitoring their behaviour in the UK.

On the other hand, UK organisations which process in the UK (or anywhere else) personal data in the context of the activities of an establishment in the EU, or the data of people in the EU in relation to offering goods and services to those EU people, or monitoring their behaviour in the EU, must continue to comply with what UK law now calls the EU GDPR (i.e. the GDPR as originally published, without any of the 2019 amendments). Apart from the technical wording differences referred to above, the UK GDPR and EU GDPR are essentially identical (as at 15 April 2022).

The UK parliament can, in theory, change the UK GDPR at any time, because as stated it is part of a UK law. However, the adequacy decision which the EU did grant to the UK in June 2021 is conditional upon UK data protection law not diverging too far from EU law, so any future changes to the UK GDPR are unlikely to be significant. The UK parliament cannot vary the EU GDPR on the other hand – because it is a piece of EU legislation, only the EU parliament can change it.

What are the key differences between the GDPR
and the Data Protection Act 2018?

When the GDPR, as a European regulation, came into effect on 25 May 2018, all European Union member states, including the UK, were required to comply and adopt it into national law. The Regulation, however, contains a number of ‘derogations’, where EU member states have a degree of flexibility over the application of certain provisions. Any derogations implemented by a member state need to respect the ‘essence’ of data protection rights and be a proportionate and necessary measure.

The Data Protection Act 2018 (DPA), which came into effect on the same date as the GDPR, tailors how the Regulation applies in the UK. The DPA, for example, provides an exemption from certain requirements of personal data protection where personal data is being processed for publication in the public interest.  It also allows certain data subject rights to be ignored if compliance with these rights would significantly impact an organisation’s ability to carry out their functions when processing data for scientific, historical, statistical and archiving purposes. The DPA also sets out separate data protection rules for law enforcement authorities and extends data protection to some other areas such as national security, immigration and defence.

The DPA also sets out the functions and powers of the ICO, the UK’s supervisory authority. There are some other specific differences between the GDPR and the DPA 2018, for example, the GDPR states that a child can consent to data processing at the age of 16, whilst the DPA sets the age at 13. Another specific difference centres on automated decision making or profiling. With the GDPR, data subjects have a right not to be subject to such practices, but automated decision making or profiling is permitted under the DPA, providing there are legitimate grounds for doing so and safeguards are in place to protect individual rights and freedoms.