UK Information Commissioner Updates on GDPR

As directors may be held personally liable for some forms of non-compliance with the European Union’s General Data Protection Regulation (Regulation EU 2016/679), it is essential that they keep up with change to the UK’s Data Protection bill, currently being drafted in Parliament. Clarification on policy is being made available by the Information Commissioner’s Office, which is responsible for enforcement of GDPR in the UK. Recent policy guidance has been published on policy for fines, the role of insurance, consent of data subjects and the legal bases to justify processing.

On 7 August 2017, the UK government released its Statement of Intent regarding the transposition of the European Union’s General Data Protection Regulation (Regulation EU 2016/679) (GDPR) into the UK’s new Data Protection Bill. The Statement formally confirms previous ministerial pronouncements that the Bill will be aligned with the GDPR, and thus will also come into force on 25 May 2018.

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for

the future after we have left the EU. GDPR has been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation,” Matt Hancock, Minister of State for Digital, said in the Statement.

Since the issuance of the Statement, the UK Office of the Information Commissioner, which is the authority responsible for the enforcement of the Data Protection law, has already published a number of articles and statements intended to provide more information for businesses ahead of the new law’s passage. These statements have clarified a number of key points, and also pointed to what ICO policy will be once the law comes into force.

The policy statements come straight from the pen of the Information Commissioner Elizabeth Denham herself.

Limited use of fines

Denham has made it clear that the power to impose very large fines – up to £17 million ($22.6 million) or 4 per cent of a company’s total annual turnover – would be used with great discretion. “Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned,” Denham wrote. The ICO has a lot of effective tools it can use to clear up cases without resorting to fines, she added, citing warnings, reprimands and corrective orders.


Denham noted, however, that companies should not assume that obtaining insurance for non-compliance would suffice to protect them from damages. She warned that other sanctions would gravely hurt a company’s reputation – “and you can’t insure against that,” she said.

Enjoying what you are reading? Sign up now to receive more content from Diligent.

Clarification of legal bases to justify processing

Denham also addressed the issue of obtaining and justifying consent from those whose personal data is to be used in processing. She pointed out that consent is only one legal basis of those for which processing will be lawful. Here are the others:

  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

Processing for the performance of a contract implies the consent of the contractor, and so there is a clear lawful basis.

Where a legal obligation is the basis of processing, an obligation of Member State or EU law to which the controller is subject; and  “clear and precise” and its application foreseeable for those subject to it, according to the specialist UK law firm Bird & Bird.

Where vital interests are concerned, this basis may apply to processing that is necessary for humanitarian purposes (e.g., monitoring epidemics) or in connection with humanitarian emergencies (e.g., disaster response). In cases where personal data are processed in the vital interests of a person other than the data subject, this ground for processing should be relied on only where no other legal basis is available.

The basis for the processing of personal data in order to comply with a legal obligation or perform a task in the public interest must be laid down in EU or Member State law. This means that organisations cannot rely on this ground if the legal obligation or task that forms the basis for the processing is found in the law of a non-EU Member State (e.g., the US). Member States are expected to introduce more specific rules on the processing of personal data for these purposes.

As regards the “legitimate interests” condition: The legislation recognises that you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements: You must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it; these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Considerable further guidance is expected on this point from the ICO.

As regards consent, Denham insists that the conditions for proof of consent have been made more stringent – just ticking the “opt-in” box is no longer sufficient. Explicit consent requires a very clear and specific statement of consent, and it should be kept separate from other terms and conditions. Your request for consent should be specific and granular – vague or blanket consent is not enough. Any third parties who will make use of the consent should be named. Withdrawal of consent should be simple, and instructions should be included with the request.

It is critical for companies to keep evidence of consent – who, when, how and what you told people. This is now an essential part of GDPR compliance. Detailed guidance on consent has already been issued by the ICO for clarification on this subject.

This covers some of the main points addressed by the ICO in its effort to clarify its policies under GDPR. As more such guidance and clarification is published, we will cover it here.

Board Portal Buyer’s Guide

With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.

Featured Blog