Data Protection Guide for Organisations

Trethowans’ data protection team is working on a series of data protection Q&A articles which will cover the main concepts of data protection law and issues of interest to businesses. Here you will find the articles published so far.

What is data protection law, why do we have it and why do we have to comply with it?

Failure by an organisation to comply with data protection law poses many risks including enforcement action by the Information Commissioner’s Office (the UK data protection authority), loss of business and loss of reputation. Read more

What is personal data?

Personal data is defined in the UK General Data Protection Regulation (UK GDPR) as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Read more

Data Protection – News Alert

Firstly, it has been announced that before the end of 2022, the UK’s first independent adequacy decision will be in place allowing for the secure transfer of personal data to the Republic of Korea. This means that personal data can be transferred from the UK to the Republic of Korea without the need for data exporters to implement appropriate safeguards, like the EU model clauses, and carry out transfer risk assessments which are cumbersome and time consuming.

Secondly, John Edwards (the head of the UK Information Commissioner’s Office) has made the following announcement in relation to reprimands that the ICO issue to organisations for failure to comply with UK data protection legislation. Read more

What is special category / sensitive personal data?

Special category personal data (sometimes known as sensitive personal data as this is what it was known as in the Data Protection Act 1998) is personal information which is considered to need more protection in law as it relates to more sensitive or personal matters. Read more

Data Protection Quarterly News Roundup (October to December 2022)

The last quarter of 2022 remained a busy time for anyone keeping an eye on the UK data protection landscape. In this, the first of our quarterly news roundups, we bring you our news highlights of the last three months. Read more

What is criminal offence personal data?

Like special category personal data (which we considered in our 13 December 2022 Q&A article), data relating to criminal allegations, proceedings, offences and convictions is personal data which is considered to need more protection in law as it is data relating to sensitive matters. Read more

What does “processing” of personal data mean?

To answer this question it is best to look at the UK General Data Protection Regulation (UK GDPR) and how it defines “processing”:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Read more

Does my organisation need a Data Protection Officer (DPO)?

A private sector organisation which acts as a controller or processor in respect of any personal data must appoint a DPO when its core activities (i.e. its main business activities) consist of either:

  1. The regular and systematic monitoring of data subjects on a large scale. This may occur, for example, when the organisation carries out online behaviour tracking.
  2. Large-scale processing of special category or criminal conviction/offence personal data. Read more

Data Protection Quarterly News Roundup (January to March 2023)

In this, our first quarterly news roundup of 2023, we bring you our news highlights of the last three months which as usual have been full of data protection learnings. Read more

Does my organisation need to register with the ICO?

Organisations (which includes sole traders, partnerships, charities, LLPs and companies etc) that determine the purpose for which personal data is processed (i.e. they are a controller of at least some personal data) must register with the Information Commissioner’s Office (ICO) and pay a data protection fee to the ICO unless they are exempt. Read more

Data Protection – News Alert – AI and Chat GPT

Data Protection and Generative AI – what are the concerns?

AI, or artificial intelligence, has been in existence for many years and is in all likelihood already incorporated within software products used by organisations. However, the launch of the Chat GPT ‘chat bot’ by OpenAI towards the end of 2022 has brought the subject of AI (specifically what is known as ‘generative AI’) into news headlines and data protection publications as the undoubted benefits of generative AI also create a complex web of legal, regulatory and ethical issues. Read more

Is my organisation a controller or a processor under data protection law and why is it important to know?

The UK General Data Protection Regulation (UK GDPR) defines a controller as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Read more

Meta’s EU – US personal data transfers deemed unlawful

The largest ever EU GDPR fine was imposed on Meta Platforms Ireland Ltd (aka Facebook) by the Irish data protection regulator in May; an eye watering €1.2 billion. Read here

What does it mean if my organisation is a joint controller of personal data with another organisation?

When considering the roles of organisations who are sharing personal data between them, it is often the case that one is a controller whilst the other is a processor, but in other cases both parties may be a controller, as neither is processing the personal data on behalf of, or on the instructions of, the other. However, once we have established both are a controller there is another consideration which is whether the parties are independent controllers (which is generally preferable) or joint controllers. Read more

Data protection Quarterly News Roundup (April to June 2023)

This is our second quarterly news update of 2023 and as always seems to be the case in the world of data protection it has been another busy quarter. Read more

GDPR turns 5: should you be reviewing your data protection documents and policies?

The EU GDPR recently had its fifth anniversary, having come into effect in May 2018. In the run up to May 2018, UK organisations rushed to put in place policies and procedures to try and comply with the EU GDPR and avoid the huge fines which we had all been warned about. Read more

Jargon explained: What do encryption, anonymisation and pseudonymisation mean in data protection law?

Encryption – This is a method of encoding personal data so that access to it is limited to those that have the ‘encryption key’ which decodes the data. Read more

Data Protection – For what purposes can my organisation collect, use and process personal data?

If an organisation collects, uses or otherwise ‘processes’ personal data, it must ensure that it has a ‘lawful basis’ (i.e. a legitimate reason) for how it proposes to use that data and that lawful basis should be recorded in writing (and will also need to be set out in the organisation’s privacy notice). If an organisation cannot demonstrate a lawful basis for a processing activity, then it shouldn’t be carrying out that processing. Read more