
UK GDPR Compliance for Productions: Q&A with Sheridans

Special category data, liability, data transfers and reporting - Sheridans answer your questions on the UK GDPR and the proposed changes.
May 4, 2022

An increased need to collect special category data - as well as recently proposed changes to the UK General Data Protection Regulation (GDPR) - means that compliance with data protection law remains a key concern for the production industry.

As such, we asked Sheridans Associate Krishan Neelendra to answer key questions on the UK GDPR from UK production companies and freelancers.

Q. Can individuals be held personally liable under the UK GDPR?

Krishan: Generally, where an individual breaches the UK GDPR in their capacity as an employee, the employer will be liable.

This can be distinguished from situations where an employee acts outside the course of their employment (e.g., by purposely leaking payroll data or confidential information with an intent to harm their employer or colleagues), in which case the employee would be liable.

However, in most cases, the general rule is that the employer will be liable in the event that their employee breaches the UK GDPR.

Q. What counts as a serious breach (and needs to be reported) currently, and what will count if the proposed changes to the UK GDPR go ahead?

Krishan: Currently, when a personal data breach occurs, you need to establish the likelihood of the risk to people’s rights and freedoms (including the risk of physical, material, and non-material damage). If such a risk is likely, you must notify the Information Commissioner’s Office (ICO).

The UK GDPR provides some specific examples of incidents which constitute high risk and therefore require notification. These include discrimination and identity theft, as well as the deprivation of rights and freedoms of individuals and a loss of confidentiality. So for example, if a person’s passport goes missing and is accessed by a third party, that will constitute a data breach.

The government consultation on the UK GDPR has proposed a higher threshold in relation to notifiability - essentially, a breach would have to be reported “unless the risk to individuals is not material.” The government has cited reducing a culture of “over-reporting” - and the related time, effort and money incurred as a result of this by both the ICO and reporting organisations - as motivations behind this proposal. 

It’s currently unclear what would constitute a “material risk,” but we may see:

  • More specific, and narrowly defined, examples of what constitutes a “material risk” (when contrasted with some of the current broad examples cited under the UK GDPR)
  • More guidance on what constitutes a “large amount” of personal data, if it continues to be used as a factor for notifying the ICO
  • Specific examples of breaches that would not require notification of the ICO

Q. What steps should be taken when processing gender recognition data?

Krishan: Like vaccination and diversity data, gender recognition data constitutes special category data, which means you’ll need to consider the following requirements:

  • Consider whether you have a lawful basis and special condition (essentially a legal and valid justification) under data protection laws to collect the data. Essentially, this means that one of the conditions set out in Article 9 of the UK GDPR must apply.
  • You can only collect this data from the individuals who you reasonably require it from.
  • Tell individuals that you’re collecting this data. It’s good practice to update your privacy notices to reflect that you’re collecting this information. You’ll also need to put in place an appropriate policy document because you’re capturing special category data (the ICO has a handy template for this).
  • Appropriately safeguard the data (e.g., through appropriate access controls and encryption).
  • Delete or destroy the data as soon as you no longer need it. This might be dictated by legal requirements (e.g., the Gender Recognition Act), but you should also take into account whether you still need to hold the information and, if not, you should delete it.

Q. Are the rules around international data transfers being reviewed and, if so, what should we look out for?

Krishan: The ICO recently held a consultation on how organisations can continue to protect people’s personal data when it’s transferred outside the UK. While no changes have come into effect yet, it seems likely that UK law will diverge from EU law in this respect, with different agreements, requirements and terminology likely to come into play.

Under EU law, transfers outside the European Economic Area to countries whose privacy laws are not deemed adequate by the European Commission must be safeguarded using specific contractual measures (known as “appropriate safeguards”).

In terms of who should put those appropriate safeguards in place, if you’re contracting on your counterparty’s agreed terms, you should ask them to direct you to the relevant appropriate safeguards for international transfers. If not, you’ll need to put the appropriate safeguards in place yourself with the assistance of data privacy lawyers.

While none of the proposed data protection changes have been confirmed, it’s important to stay up to date with the consultations so that you can remain compliant.

Please note that the responses in this document do not constitute legal advice. If you require legal advice on any of these points, we recommend that you seek this independently. 

Topic: UK

© 2023 Entertainment Partners. All rights reserved.