UK GDPR - Training - 1-3


U.K. General Data Protection Regulation (UK GDPR)

Nuvven Ltd T/A Coastr


What is Data Privacy and Protection?

Security for Privacy is the protection of personal information against unauthorized physical and logical access.

Information Privacy extends beyond information security to consider the entire lifecycle of personal information and the business processes that use it.

Information security is a foundational set of services that every organization needs to implement to protect confidentiality, integrity and availability.

[Diagram: Privacy (Requirements for Security) <-> Security (Enablers for Privacy)]

There can be no privacy without security.

Security alone does not assure privacy.

Privacy Compliance Frameworks

People
⮚ Staff Training and Awareness
⮚ Professional skills and qualifications
⮚ Competent Resources

Process
⮚ Management systems
⮚ Governance Frameworks and best practices
⮚ IT Audit

Technology
Deploying technology without competent people and supporting processes within an overall plan is difficult.

➔ What is UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is a regulation that replaces the EU General Data Protection
Regulation (GDPR) in the UK following the end of the Brexit transition period on December 31, 2020. The UK GDPR has the
same provisions and protections as the EU GDPR and is designed to ensure the continued protection of personal data in the
UK.

➔ Purpose of the UK GDPR

The purpose of the UK GDPR is to protect the privacy and personal data of individuals in the UK, and to ensure that companies
and organizations that process personal data are transparent about their data processing activities and comply with high
standards of data protection. The regulation is also intended to create a level playing field for companies operating in the UK,
and to foster innovation and competition by promoting trust in digital services.

What is personal data?
● Personal data is information that relates to an identified or identifiable individual.

● What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a
cookie identifier, or other factors.

● If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

● If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You
should take into account the information you are processing together with all the means reasonably likely to be used by either you or any
other person to identify that individual.

● Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it
‘relates to’ the individual.

● When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of
the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the
individual.

● It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another
controller.

● Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of
UK GDPR.

● Information which is truly anonymous is not covered by the UK GDPR.

● If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the
information is still personal data, as it relates to that individual.

Data Processing

Data processing refers to any operation or set of operations performed on personal data, such as collection, storage, use,
alteration, or destruction. The UK GDPR sets out several different types of data processing, including:

1. Collection: The process of gathering personal data from individuals or other sources.

2. Storage: The process of keeping personal data in a secure and organized manner.

3. Use: The process of utilizing personal data for specific purposes, such as marketing or research.

4. Alteration: The process of making changes to personal data.

5. Destruction: The process of destroying personal data that is no longer required.


Data Processing

The legal basis for processing personal data under the UK GDPR must be one of the following:
1. Consent: The individual has freely given their informed and unambiguous agreement to the processing of their personal
data.
2. Contract: The processing is necessary for the performance of a contract with the individual.
3. Legal obligation: The processing is necessary for compliance with a legal obligation.
4. Vital interests: The processing is necessary to protect the vital interests of the individual.
5. Public interest: The processing is necessary for the performance of a task carried out in the public interest.

Obtaining consent is an important aspect of data processing under the UK GDPR, especially in cases where the processing is
not required for a contract or legal obligation. Consent must be freely given, informed, and unambiguous, and individuals must
have the right to withdraw their consent at any time.
The company and its employees are responsible for ensuring that all data processing is carried out in accordance with the UK
GDPR.

Data processing refers to any operation or set of operations that is performed on personal data, such as collection, storage, use,
alteration, or destruction. Data processing must be carried out in accordance with the principles of the UK GDPR, including the
need for a legal basis for processing, the need to ensure that personal data is accurate, and the need to implement appropriate
security measures to protect personal data.
Processing of data involves any and all of the following:

➔ Adapting
➔ Altering
➔ Collecting
➔ Combining
➔ Consulting
➔ Destroying
➔ Disclosing
➔ Erasing
➔ Organizing
➔ Recording
➔ Retrieving
➔ Storing
➔ Structuring
➔ Using

Lawfulness, fairness and transparency

- You must identify valid grounds under the UK GDPR (known as a ‘lawful basis’) for collecting and using
personal data.
- You must ensure that you do not do anything with the data in breach of any other laws.
- You must use personal data in a way that is fair. This means you must not process the data in a way
that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start about how you will use their personal
data.
Checklist

Lawfulness
☐ We have identified an appropriate lawful basis (or bases) for our processing.
☐ We don’t do anything generally unlawful with personal data.

Fairness
☐ We have considered how the processing may affect the individuals concerned and can justify
any adverse impact.
☐ We only handle people’s data in ways they would reasonably expect, or we can explain why
any unexpected processing is justified.
☐ We do not deceive or mislead people when we collect their personal data.

Transparency
☐ We are open and honest, and comply with the transparency obligations of the right to be
informed.
What Are the Subject’s Rights Under UK GDPR?

● Rectification of the personal data

● Notice when their personal data is used


● Includes modifications and erasures

● Can restrict how their data are processed

● Can reject automated individual decision-making

● Access to their personal data collected about them

● Must be able to receive their data and transfer it to a third party


What is Needed for Legally Effective Consent?

● Must be in clear and plain language, intelligible, and easily accessible

● Must be specific about the purpose of the data processing

● Must be distinguishable from other matters

● Must be given by a clear act or statement

● Must be an unambiguous indication

● Must fully inform the data subject

● Must be freely given


Data Breaches

A data breach under UK GDPR is defined as any unauthorized or accidental access, use, disclosure, alteration, or destruction
of personal data. This includes loss of data, theft of data, and unauthorized access to data.

If a company experiences a data breach, it must report the breach to the Information Commissioner's Office (ICO) without
undue delay and, if possible, within 72 hours of becoming aware of the breach. The company must also inform individuals
affected by the breach, if the breach poses a high risk to their rights and freedoms.

When investigating a data breach, companies must consider the causes of the breach and identify the steps that need to be
taken to prevent similar breaches from occurring in the future. This may include reviewing and updating security measures,
conducting risk assessments, and improving data protection policies and procedures.

Non-compliance with UK GDPR can result in significant fines and sanctions. The ICO can impose administrative fines of up to
€20 million or 4% of a company's annual global turnover, whichever is higher.

It is important to take data breaches seriously and to act promptly and effectively to minimize their impact.

Data Subject Requests

Data subject requests refer to requests made by individuals to access, rectify, or erase their personal data that is being
processed by a company. Under UK GDPR, companies are required to respond to these requests in a timely and transparent
manner, within one month of receiving the request.

The procedures for responding to data subject requests typically involve verifying the identity of the data subject, locating the
relevant personal data, and providing the requested information or carrying out the requested action, such as rectifying or
erasing the data.

Verifying the identity of the data subject is an important step in the process of responding to data subject requests. This helps to
ensure that personal data is only disclosed to individuals who have the right to access it, and that it is not disclosed to
unauthorized individuals or organizations. Companies may verify the identity of the data subject using various methods,
including through the provision of personal identification or by confirming information that is known about the individual.

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs) are a key component of the UK GDPR and are used to assess the impact of data
processing activities on the privacy rights of individuals. DPIAs are used to identify and assess the risks to personal data,
including the risk of harm or damage to individuals, and to implement measures to mitigate those risks.

DPIAs should be carried out when the processing of personal data is likely to result in a high risk to the rights and freedoms of
individuals. This includes processing activities that involve large-scale processing, use of new technologies, or processing of
sensitive personal data, such as health or financial information.

The steps involved in carrying out a DPIA include the following:

1. Identification of risks: The first step in carrying out a DPIA is to identify the risks to personal data associated with the
data processing activity. This involves considering the nature of the data, the context of the processing, and the potential
consequences for individuals.

2. Assessment of impacts: The next step is to assess the potential impacts of the risks on individuals, including the
likelihood and severity of harm or damage.

3. Implementation of appropriate measures: Based on the results of the DPIA, appropriate measures must be
implemented to mitigate the identified risks to personal data. This may include technical or organizational measures,
such as encryption, secure storage, or access controls, as well as procedural measures, such as training or audits.

DPIAs are an important tool for ensuring that the processing of personal data is carried out in a manner that is compliant with UK
GDPR and that protects the rights and freedoms of individuals. By carrying out DPIAs, companies can identify and mitigate risks
to personal data, demonstrate their commitment to data protection, and minimize the risk of non-compliance with UK GDPR.

International Data Transfers

Under UK GDPR, international data transfers are restricted in order to protect the privacy rights of individuals. The regulation
sets strict requirements for transferring personal data outside the European Economic Area (EEA), as the privacy laws in other
countries may not provide the same level of protection as those in the EEA.

In order to ensure compliance with UK GDPR for international data transfers, companies must use appropriate contracts and
agreements that provide adequate safeguards for personal data. This can include standard contractual clauses (SCCs),
binding corporate rules (BCRs), and certifications such as the EU-US Privacy Shield.

It is important for companies to assess the risks associated with international data transfers and to implement appropriate
measures to mitigate those risks.

Employee Responsibilities

Employees have a critical role in ensuring compliance with UK GDPR and protecting the privacy rights of individuals. Their
responsibilities include:

1. Confidentiality: Employees must maintain the confidentiality of personal data and not disclose it to unauthorized third
parties.
2. Security: Employees must take appropriate measures to protect personal data from unauthorized access, use,
disclosure, alteration or destruction.
3. Accountability: Employees must be aware of their responsibilities under UK GDPR and act in accordance with the
regulation.

The consequences of non-compliance with UK GDPR for employees can be severe, including disciplinary action, legal liability,
and damage to the company's reputation.

It is important for employees to seek guidance and support from the company's data protection officer or legal department if
they are unsure of their responsibilities or need help complying with GDPR. This can help to minimize the risk of data breaches
and ensure that the company is fully compliant with the regulation.

For further information please visit the ICO website:
https://ico.org.uk/for-organisations/guide-to-data-protection/
Thank You!!