In May 2018 the GDPR was adapted into UK law and is officially known as the UK GDPR; it sits alongside the Data Protection Act 2018. Although they are different, many people use these names interchangeably.
The UK General Data Protection Regulation (UK GDPR) is the United Kingdom’s adaptation of the GDPR, which governs data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA). The UK GDPR came into effect on May 25, 2018.
The UK GDPR exists to protect the fundamental rights and privacy of individuals. It achieves this by placing strict requirements on how organisations can collect and use an individual’s personal data and by giving individuals rights on how their data is used (called ‘processing’).
As an individual, the GDPR gives you the right to receive a copy of the data an organisation holds on you. You can also restrict how the organisation uses that data, ask for it to be erased, have errors corrected, or ask for it to be transferred to another organisation.
An individual, such as yourself, is known as a Data Subject. The company or organisation that you deal with is considered the Data Controller and any companies they need to share your data with are considered a Data Processor.
For example, when you buy a product online the retailer is the Data Controller. To get the product to you, the retailer has to give your name, address and contact details to the delivery company, and the delivery company is therefore a Data Processor.
The Data Controller makes the decisions about how your data is used – it is the Data Controller that you would need to contact if you wish to make a Subject Access Request (SAR).
Here is a detailed list of key points within the UK GDPR:
1. **Scope**: The UK GDPR applies to the processing of personal data by organisations operating within the UK, as well as organisations outside the UK that offer goods or services to individuals in the UK or monitor the behaviour of individuals within the UK.
2. **Principles**: Like the GDPR, the UK GDPR is based on several fundamental principles, including lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
3. **Rights of Individuals**: The UK GDPR grants individuals various rights regarding their personal data, including the right to access their data, the right to rectify inaccuracies, the right to erase data in certain circumstances (the “right to be forgotten”), the right to restrict processing, the right to data portability, and the right to object to processing.
4. **Lawful Basis for Processing**: Organisations must have a lawful basis for processing personal data, such as consent, contractual necessity, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest or in the exercise of official authority, or legitimate interests pursued by the data controller or a third party.
5. **Data Protection Impact Assessments (DPIAs)**: Organisations may be required to conduct DPIAs for processing activities that are likely to result in a high risk to individuals’ rights and freedoms, such as large-scale processing of sensitive data or systematic monitoring of individuals.
6. **Data Protection Officers (DPOs)**: Some organisations may be required to appoint a Data Protection Officer to oversee compliance with data protection laws, particularly if they engage in large-scale processing of sensitive data or public authority activities.
7. **Data Breach Notification**: Organisations must notify the relevant supervisory authority of data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
8. **International Data Transfers**: The UK GDPR regulates the transfer of personal data outside the UK to ensure that adequate safeguards are in place to protect individuals’ rights and freedoms. It recognises mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for facilitating lawful international data transfers.
9. **Enforcement and Penalties**: The UK Information Commissioner’s Office (ICO) is responsible for enforcing data protection laws in the UK. Organisations found to be in breach of the UK GDPR may face significant fines, depending on the nature and severity of the violation, as well as other corrective measures and sanctions.
Overall, the UK GDPR aims to enhance individuals’ control over their personal data, promote transparency and accountability in data processing activities, and ensure a high level of protection for personal data across the UK.