The UK GDPR
GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). The EU GDPR is an EU Regulation and as such no longer applies domestically in the UK. The provisions of the EU GDPR have been incorporated directly into UK domestic law (including Northern Ireland) as the UK GDPR, although the UK has the independence to keep the framework under review. In practice, there is little change: the core data protection principles, rights and obligations remain the same.
The UK GDPR is defined in Regulations made under the European Union (Withdrawal) Act 2018, section 211(2) of the Data Protection Act 2018 (DPA 2018) and section 2(2) of the European Communities Act 1972 as meaning "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018."
On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. Both decisions are expected to last until 27 June 2025. The EU adequacy decisions apply to the whole of the UK, including Northern Ireland.
EEA to UK data
If a UK organisation receives personal data from the EU or EEA, it can continue to flow as before and no further action is needed, because of the EU adequacy decisions. While these remain in place (until 27 June 2025), the UK GDPR applies. The EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection. The Commission can amend, suspend or repeal the decisions if issues cannot be resolved. Also, EU data subjects or an EU data protection authority can initiate a legal challenge to the decisions. The Court of Justice of the European Union would then have to decide whether the UK does in fact provide essentially equivalent protection.
UK to EEA data
Transfers of data from the UK (England, Scotland, Wales, and Northern Ireland only) to the EEA are also permitted. The UK government will keep this under review. The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
offering goods or services to individuals in the UK; or
monitoring the behaviour of individuals taking place in the UK.
If a UK organisation has an office, branch or other established presence in the EEA, or if it has customers in the EEA, it needs to comply with both UK and EU data protection regulations, as the EU GDPR still applies to this processing. It may also need to designate a representative in the EEA. The UK Information Commissioner's Office (ICO) guidance covers the key issues to consider regarding cross-border processing.
Lawfulness, Fairness & Transparency
Article 5(1) of the UK GDPR says:
“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”
There are more detailed provisions on lawfulness and having a ‘lawful basis for processing’ set out in Articles 6 to 10.
There are more detailed transparency obligations set out in Articles 13 and 14, as part of the ‘right to be informed’.
Summary obligations
A Data Controller or Processor must -
identify valid grounds under the UK GDPR (known as a ‘lawful basis’) for collecting and using personal data,
ensure that they do not do anything with the data in breach of any other laws,
use personal data in a way that is fair; this means they must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned and can justify any adverse impact,
be clear, open and honest with people from the start about how they will use their personal data,
handle people’s data in ways they would reasonably expect, or be able to explain why any unexpected processing is justified,
not deceive or mislead people when they collect personal data,
be open and honest, and comply with the transparency obligations of the right to be informed.
Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (DPO). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority. An organisation is required to appoint a designated data protection officer (Article 37) where, inter alia, the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences.
The NBSCCCI Guidance in Appendix B (see Article 256) recommends that a Church Authority appoint a DPO.
The Article 29 Data Protection Working Party (WP29), an advisory group made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission, has published guidance on the interpretation of the words "core activities" and "large scale". Thus, a bank or insurance company processing customer data in the regular course of its business should be considered large scale, but the processing of patient data by a single GP should not.
The processing of personal data is not in any sense a "core activity" of the NWE Region of the Prelature, in the UK or elsewhere. Unlike, for example, a diocese, the instances in which Article 9 categories of data have to be processed are few and far between. Accordingly, the Prelature in Ireland does not require the formal appointment of a DPO. The Safeguarding Coordinator will supervise the compliance of the Prelature with the requirements of GDPR in its activities.