Author: Martin Kayes, CISSP

Yes. All companies, businesses and organisations that process the personal data of individuals within the United Kingdom are required to comply with the UK General Data Protection Regulation (UK GDPR), and likewise with the EU GDPR where they process the personal data of individuals in the EU. The UK GDPR applies both to Data Controllers (entities that determine the purposes and means of processing personal data) and to Data Processors (entities that process personal data on behalf of data controllers) operating within the UK. Although every such organisation must comply, not all of them are required to register with the relevant supervisory authority, such as the ICO. See our separate post…


Under the UK General Data Protection Regulation (UK GDPR), not all companies are required to register with the Information Commissioner’s Office (ICO). Registration (notification) with the ICO was a requirement under the previous Data Protection Act 1998, but the UK GDPR itself contains no such requirement. What remains is the data protection fee: most controllers must pay it unless an exemption applies, and the ICO has a self-assessment tool on its website that will help you decide whether you need to pay and register: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/ There are therefore still circumstances in which organisations need to inform the ICO about their data processing activities. This typically applies to organisations that process personal data and fall…


The UK General Data Protection Regulation (UK GDPR) is the United Kingdom’s adaptation of the General Data Protection Regulation (GDPR), which governs data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR came into effect on 25 May 2018, when, together with the Data Protection Act 2018, it replaced the Data Protection Act 1998; the UK GDPR is the version of that regulation retained in UK law from 1 January 2021, the end of the Brexit transition period. After Brexit, the UK chose to maintain data protection standards closely aligned with those in the GDPR, to ensure the continued protection of personal data and to preserve compatibility with organisations and individuals based in the EU. The UK GDPR shares many similarities…


A faulty server being down for an extended period could be considered a breach of the GDPR if it leads to a loss of control over personal data or compromises the security or availability of that data. The GDPR’s definition of a personal data breach (Article 4(12)) covers accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and regulators treat a loss of availability as falling within it. Here’s how: 1. **Loss of Control:** If the faulty server holds personal data and its downtime results in a loss of control over that data (e.g., unauthorised access, loss or corruption), it could constitute a breach under the GDPR. Such a loss of control violates the GDPR’s principles of data protection, including the requirement to process personal data securely and to protect…


When responding to a SAR you must consider whether the information you hold includes the personal data of, or reveals the involvement or actions of, any other parties. Article 15(4) of the GDPR says that the right to obtain a copy “shall not adversely affect the rights and freedoms of others”, and ICO guidance adds that “The right of access is not absolute – organisations can refuse or limit their response to SARs in some circumstances where exemptions may apply.” These are two extremely important points that should not be overlooked. A SAR is a request for a copy of that individual’s personal…


In the UK, nuisance phone calls, including unsolicited marketing calls, silent calls and scam calls, can be reported to the Information Commissioner’s Office (ICO), which enforces the Privacy and Electronic Communications Regulations (PECR) alongside the UK GDPR, and also to the Telephone Preference Service (TPS). Here’s how: 1. **Telephone Preference Service (TPS)**: The TPS is a free service that allows individuals to register their telephone numbers to opt out of receiving unsolicited marketing calls. If you’re receiving unwanted marketing calls and your number is registered with the TPS, you can report these calls to the TPS for investigation. There is also a version of the TPS for…


The ICO have put together an extremely useful glossary here, most of which I have repeated below and added a little to for extra clarity: Personal Data: Personal data is information about who you are, where you live, what you do and more. It is any and all information that identifies you as a Data Subject. Data protection law is all about protecting personal data. Organisations are likely to be handling items containing personal data, or otherwise processing personal data, such as: If a document, file or image identifies a person, or could be used in combination with other information to identify them, then it’s…


A Data Protection Officer (DPO) is a designated individual or role within an organisation responsible for overseeing data protection strategy and implementation to ensure compliance with the GDPR. Not all organisations require a DPO: one is primarily required by organisations that process special categories of personal data on a large scale or that meet one of the other cases detailed below. There are also restrictions on who may be assigned the role of DPO; we can advise you on that. The main responsibilities of a DPO typically include: 1. **Monitoring compliance:** Ensuring the organisation complies with GDPR requirements regarding the…


Can you film or photograph people in public places? Yes and no (the rules are complicated). In January 2024, pianist Brendan Kavanagh hit the headlines when filming himself playing the piano at London’s St Pancras station: a group of Chinese tourists asked not to be filmed and it was reported that Brendan took issue with their request and published (or live-streamed) the video anyway. The tourists then decided to take legal action against Mr Kavanagh. But who was right? Professional photographers and videographers will already know the answer, as the regulations and guidelines…


Here are some of the key rights granted to individuals under the GDPR, each of which corresponds to a different type of request, the most common being the Subject Access Request (SAR): 1. **Right of Access (Article 15)**: Individuals have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and if so, access to that personal data and certain related information. 2. **Right to Rectification (Article 16)**: Individuals have the right to obtain from the data controller, without undue delay, the rectification of inaccurate personal data concerning them. 3. **Right to Erasure…
