Software and Apps Data Protection Resources

Resources for software and app data protection

Applicable Legislation in UK

  1. UK GDPR – retained version of the EU General Data Protection Regulation 2016
  2. Data Protection Act 2018
  3. Privacy and Electronic Communications Regulations 2003 (“PECR”)

Fines for non-compliance are up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Key Definitions:

Personal data – any information identifying a data subject (an individual in a personal or business capacity) directly or indirectly, either from that data alone or in combination with other information that is processed or can reasonably be accessed.

Examples of personal data (non-exhaustive):

  • Name
  • Email address
  • Postal address
  • IP address
  • User ID
  • Photo (special category data)

Data Subject – individual whose data is being processed.

Data Controller – decides on the means and purposes of processing.

Data Processor – processes or has access to personal data, typically in the course of providing its services to the data controller.

Special Category Data – information in connection with race or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

Data Protection Officer – appointed in specific circumstances, such as processing on a large scale, or voluntarily.

Data Processing – any activity involving the use of personal data – obtaining, storing, holding, recording, copying, sharing, organising, amending or retrieving.

Data Breach – any act or omission that compromises the security, confidentiality, integrity or availability of personal data or of the organisation's technical, physical or administrative safeguards; the loss of, or unauthorised access to, disclosure or acquisition of, personal data.

GDPR Principles

  • Lawfulness, fairness and transparency
  • Purpose limitation
    • Specified, explicit and legitimate purpose
    • Only process personal data in a manner compatible with the purpose
  • Data minimisation
    • Adequate
    • Relevant
    • Collect and keep what is necessary
  • Accuracy
    • Accurate and kept up to date
    • Corrected or deleted promptly
  • Storage limitation
    • Only keep data for as long as necessary for the purpose
  • Integrity and confidentiality
    • Appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage

Controller or Processor

Every business is likely to be both.

Controller – in relation to users, customers, employees, contractors, suppliers and business contacts

Processor – where there is exposure to data entered or shared by customers or users in relation to their employees, clients, contractors and other parties


Documents – Procedures – Training

Data Controller – record of data processing activities (use flow charts), data protection policy, data retention policy, IT security policy, privacy policy for website/ app, terms and conditions, cookie policy, privacy policy for employees, and other potential documents including data protection impact assessments and consent language

Data Processor – data processing agreement or data processing language in the relevant terms and conditions

Most of the documents are internal; user-facing documents typically include the privacy policy, terms and conditions, cookie policy, consent language and marketing communications (including unsubscribe options).

Steps to demonstrate compliance:

  • Privacy governance structure
  • Policies/ documents and procedures
  • Implement technical and security measures
  • Training
  • Tests and audits to demonstrate compliance

Lawful bases for processing

There must be a lawful basis in order to process personal data lawfully:

  • Consent
  • Contract or taking pre-contractual steps
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Most businesses are likely to use the four lawful bases in italics above.

Data subjects’ rights 

  • Right to be informed about processing
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right in relation to automated decision making and profiling

International data transfers

For transfers outside of the European Economic Area (EEA) and the UK, use safeguards including:

  • transferring to countries that have adequacy decisions and are considered as having protection similar to countries within the EEA;
  • using Standard Contractual Clauses;
  • relying on the transfer being necessary for the performance of a contract;
  • relying on the transfer being necessary to establish, exercise or defend legal claims.

If your company is not established in the UK and does not have a branch or a subsidiary in the UK you will need to appoint a UK data protection representative. The same applies to European countries.

What information to include in user/ customer privacy notice or policy

  • name and contact details of organisation
  • name and contact details of representative (if relevant)
  • contact details of the data protection officer (if applicable)
  • purposes of processing
  • lawful basis for the processing
  • legitimate interests for the processing (if applicable)
  • categories of personal data obtained (if not directly from the individual)
  • recipients or categories of recipients of the personal data
  • details of transfers to any third countries or international organisations (if applicable)
  • retention periods
  • rights of individuals
  • right to withdraw consent
  • right to lodge a complaint with a supervisory authority (ICO in UK)
  • source of personal data (if not obtained from individual)
  • details of whether individuals are under a statutory or contractual obligation to provide the personal data
  • details of any automated decision-making, including profiling (if applicable)


Post-Brexit GDPR compliance requirements

There have been several developments since the UK left the EU. For example, the UK was granted Adequacy by the EU, and the EU and ICO have created new contractual clauses to be used when transferring personal data between countries.

We outline all you need to know about the changes to GDPR post-Brexit.

What is the UK GDPR?

The General Data Protection Regulation (GDPR) gives individuals rights over their personal data. This, in turn, means that organisations bear a regulatory burden and have obligations and responsibilities to make sure that the personal data they hold is protected.

Individuals should be provided with transparent information about how and why their data is held, informing them of their rights over that data. Organisations must also ensure they have adequate security for protecting that data.

Organisations must also have in place and maintain a process on how to identify, assess and deal with any breaches of the security of that personal data. 

GDPR changes after Brexit

During the Brexit transition period, from January 2020 to 1 January 2020 (EU Exit Day), the GDPR applied to UK organisations as it had done since its implementation in May 2018. 

As with many other EU laws, the principles and regulations of the GDPR were transposed into what is now known as the UK GDPR. From Brexit Day, the EU GDPR ceased to apply to UK personal data; however, it continues to apply to EU personal data processed by UK-based organisations.

UK organisations that process personal data from an EU/EEA Member State must comply with EU GDPR principles, the UK GDPR, and the Data Protection Act 2018 (DPA 2018). 

EU-based organisations processing UK personal data must observe both UK GDPR and EU GDPR. 

Has the UK been granted Adequacy?

If the EU grants another country Adequacy, it means that, following extensive investigation and consideration, the EU Commission has decided that a particular nation’s data protection laws are ‘adequate’.

Therefore, additional safeguards are not required when sending personal data to and from an EU State. 

Adequacy was granted to the UK in June 2021. However, it can be withdrawn if the European Union perceives that the UK has enacted data protection and privacy laws that diverge too far from the EU GDPR.

Do I need to appoint an EU/EEA-based representative?

The Information Commissioner’s Office (ICO) is no longer the Lead Supervisory Authority (LSA) concerning data protection matters for all UK companies. 

Before Brexit, if a company suffered a data breach, the ICO took control, and the company didn’t need to contact supervising authorities in the other EU/EEA Member States. 

Businesses that process data from EU/EEA data subjects and do not have an office or other form of base in an EU/EEA Member State must appoint a representative.

The GDPR representative requirement applies to organisations that:

  • provide products or services in the EU, or
  • monitor the behaviour of individuals located in the EEA

A GDPR representative can be an individual or company (such as a lawyer or GDPR consultant). 

They must be based in a Member State where some of the organisation’s data subjects are situated. The appointment needs to be made in writing with the relationship detailed:

  • The representative must be set up in an EU or EEA state where some people whose personal data the organisation is processing are located
  • The appointed representative (an individual or a company) must be your main contact for any questions and concerns regarding data protection from any EU citizen or any data protection supervisory authority
  • Your representative must be authorised via a written service agreement which sets out the terms of your relationship with them
  • You should appoint the representative to act on your behalf on your EU GDPR compliance matters and to deal with any supervisory authorities or data subjects in this respect
  • You must inform the affected EEA-based individuals and provide them with the details of the representative. This may be done by including information in your privacy notice or in the upfront information you provide to individuals when their data is collected
  • This information must also be easily available to the relevant supervisory authorities, for example by publishing details on your website

As the representative is the face of a company’s compliance in the EU, care must be taken in choosing a suitable person or company to fill the position. When deciding which is right for you, you should consider the most suitable jurisdiction.

The GDPR requires only one representative, appointed in a Member State where your customers are based. However, given the differences between each EU country's interpretation of GDPR processes and the cultural differences between the various nations, you may want to consider appointing several representatives if this is economically feasible for you.

If you fail to appoint a representative and to provide details of the appointment in your customer-facing privacy notice, it is immediately apparent that you are not meeting your duties under Article 27.

This is a red flag that you may have other incidents of potential non-compliance elsewhere. Whereas, if you comply with Article 27 and provide details of your representative, this shows that you are taking GDPR compliance seriously.

What are the compliance requirements when transferring data?

In June 2021, the European Commission approved a new set of Standard Contractual Clauses (SCCs) with safeguards to permit international data transfers. The UK Government disapproved of the SCCs. 

Businesses that are transferring data to the European Union or other countries that have been granted adequacy were required to continue using the previous version of the clauses to comply with Article 46 of the GDPR.

Following widespread consultation, the ICO created the template international data transfer agreement (IDTA) and the template international data transfer addendum to the EU’s SCCs (the Addendum). 

Together these form the UK version of the new EU SCCs. Following Parliamentary approval, the IDTA and the Addendum came into force on 21 March 2022.

What are the penalties for non-compliance?

There may be significant fines and penalties for organisations that breach GDPR (depending on the nature of the incident). 

For administrative breaches, the fines may be up to £8m or 2% of a company’s global turnover (whichever is higher), and, for more significant incidents, up to £17m or 4% of global annual turnover.

Not only does a data breach involve the risk of large GDPR fines, but organisations under ICO investigations face high legal costs and loss of trust from customers, potential investors, and commercial partners.

How is the GDPR applicable in the UK post-Brexit?

Data protection and privacy compliance measures are ongoing commitments. A surefire way to accidentally commit a UK GDPR breach is to rely on the compliance measures you put in place almost two years ago. 

To protect your business and the data it holds, and to be post-Brexit compliant, you can take the following five steps:

1. Map data flows to and from the EU/EEA to identify what compliance steps need to be taken. Likewise, data flows within the UK should be regularly mapped to ensure that, if a breach occurs or a subject access request (SAR) is made, you can swiftly isolate the data affected or required.

2. Check if you need to appoint an EU/EEA-based representative and put one in place if necessary.

3. Identify if an EU supervising authority qualifies as a relevant LSA for your business’ data transactions.

4. Amend existing contracts and template terms to include relevant data transfer wording and appropriate referencing to the UK and EU GDPR.

5. Implement the new SCCs, IDTA and the Addendum to ensure that data transfers are compliant.

What is the Data Protection and Digital Information Bill?

A new Data Protection and Digital Information Bill (or Data Reform Bill) covers several data protection issues, ranging from the definition of personal data to international data transfers, data subject access requests, cookies and legitimate interest assessments.

The Bill will remove the need for some businesses to recruit a Data Protection Officer (DPO) and run Data Protection Impact Assessments (DPIA) if they can effectively manage data protection and privacy risks themselves.

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.