The UK GDPR and how Productions can Reduce their Exposure - Q&A with Sheridans
We recently teamed up with Sheridans Associate Krishan Neelendra to host a webinar on the UK GDPR, where he answered key questions from production companies and project freelancers.
Although the UK GDPR is not new, an increased need to collect special category data, such as vaccination and diversity data, means that compliance remains a key concern for the production industry.
Q. How do I know whether the UK GDPR applies to my production company?
Krishan: The UK GDPR applies to your production company if you process personal data. “Process” is interpreted broadly under the UK GDPR and essentially means dealing with personal data in any way, including transferring, analysing or merely storing it. If you do any of these things, you’re caught by the UK GDPR.
Q. I outsource all data processing to my freelance production team — am I safe from liability under the UK GDPR?
Krishan: This depends on your relationship with your freelance production team and the processing activities you undertake. However, broadly, if you’re the decision maker in relation to the processing activities (i.e., the freelance production team is acting on your behalf and in accordance with your instructions), you are a data controller and the freelance production team is a data processor.
Data controllers are primarily responsible for their own compliance and ensuring the compliance of their processors. This means that, regardless of the terms of a contract with a processor, controllers may be subject to any of the corrective measures and penalties set out in the UK GDPR (e.g., claims for compensation from a data subject and administrative fines).
However, it should be noted that data processors can still be:
- Contractually liable to the data controller for a failure to comply with the applicable data protection terms
- Fined by the data protection regulator (i.e., the Information Commissioner’s Office in the UK)
- Subject to a claim by an individual where they fail to comply with certain data processor-specific UK GDPR obligations or act outside the data controller’s lawful instructions
Q. How can I ensure that I’m UK GDPR compliant?
Krishan: There are a number of different considerations to consider but the three golden rules for data controllers are as follows:
- Make sure that you’ve published and implemented the relevant documentation, contracts and policies.
- When making any personal data-related decision, always consider the seven data protection principles set out in the UK GDPR.
- Get used to documenting any incidents, projects and decisions relating to data protection. For example, if you’re planning a project that will involve processing a lot of personal data, assess this from a data compliance perspective as soon as possible so you know what safeguards you need to implement later on.
Q. Am I allowed to collect vaccination data and, if so, what are the rules?
Krishan: Vaccination data constitutes “health data” and is therefore special category data. While the requirements largely depend on the context in which this data is collected, you should in any case:
- Consider whether you have a lawful basis and special condition (essentially a legal and valid justification) under data protection laws to collect the data
- Only collect the data from individuals who you reasonably require it from
- Tell individuals you are collecting the data (e.g., via privacy notices and appropriate policy documents)
- Appropriately safeguard the data (e.g., through appropriate access controls and encryption)
- Delete or destroy the data as soon as you no longer need it
Q. What special requirements apply to capturing diversity data?
Krishan: The requirements for capturing diversity data are largely the same as for vaccination data (above), but the analysis in relation to lawful basis and special conditions will be slightly different. The key thing to bear in mind is that you must determine a valid and legal justification for processing the data.
Q. I have fewer than 250 employees. If I carry out a one-off diversity survey, do I have to document the processing of that data?
Krishan: All personal data processing activities, regardless of the nature of the personal data, trigger certain documentation requirements. For example, you must tell the relevant individuals how you are using (or “processing”) their personal data in a privacy notice.
When carrying out a one-off diversity survey, as you are processing special category data, some additional requirements apply. In particular, you must prepare a separate “appropriate policy document” (which must set out certain information about how you are processing the special category data in accordance with data protection laws).
Q. I’m collecting data to monitor the diversity of my production, including around disabilities and caring responsibilities. These aren’t listed as types of special category data — do they count as such?
Krishan: Disability data concerns an individual’s health and therefore constitutes special category data.
In relation to caring responsibilities, while the fact that an individual is a carer is unlikely to constitute special category data, if the data reveals that an individual is a carer for a specific person (e.g., a parent or partner), it may constitute special category data of the person being cared for (depending on how the relevant information is provided). If this is the case, and you don’t reasonably require this information, your survey should avoid any invitation to provide this information (e.g., by limiting the response to the question “are you a carer for another individual?” to a simple yes/no).
Q. What is a data subject access request?
Krishan: Data subject access requests are an example of data subject rights under the UK GDPR. Effectively, any data subject can ask a company to provide them with all the information it holds about them, subject to certain limited exemptions. In recent years, there’s been an increase in the number of data subject access requests. They tend to arise in two contexts:
- A pre-litigation context, where a data subject may want to sue someone and is gathering information before doing so
- An aggrieved employee context, where an employee has left a business and is gathering information about why they were dismissed or why certain decisions were made before taking their case to an employment tribunal
It’s important to remember that there are no formality requirements for data subject access requests. You can receive requests by phone or text and they don’t have to include the words “data subject access request.”
Please note that the responses in this document do not constitute legal advice. If you require legal advice on any of these points, we recommend that you seek this independently.