
UK GDPR Compliance for Productions: Q&A with Sheridans

Special category data, liability, data transfers and reporting - Sheridans answer your questions on the UK GDPR and the proposed changes.
May 4, 2022

An increased need to collect special category data - as well as recent proposed changes to the UK General Data Protection Regulation (GDPR) - mean that compliance with data protection law remains a key concern for the production industry.

As such, we asked Sheridans Associate Krishan Neelendra to answer key questions on the UK GDPR from UK production companies and freelancers.

Q. Can individuals be held personally liable under the UK GDPR?

Krishan: Generally, where an individual breaches the UK GDPR in their capacity as an employee, the employer will be liable.

This can be distinguished from situations where an employee acts outside the course of their employment (e.g., by purposely leaking payroll data or confidential information with an intent to harm their employer or colleagues), in which case the employee would be liable.

However, in most cases, the general rule is that the employer will be liable in the event that their employee breaches the UK GDPR.

Q. What counts as a serious breach (and needs to be reported) currently, and what will count if the proposed changes to the UK GDPR go ahead?

Krishan: Currently, when a personal data breach occurs, you need to establish the likelihood of the risk to people’s rights and freedoms (including the risk of physical, material, and non-material damage). If such a risk is likely, you must notify the Information Commissioner’s Office (ICO).

The UK GDPR provides some specific examples of incidents which constitute high risk and therefore require notification. These include discrimination and identity theft, as well as the deprivation of rights and freedoms of individuals and a loss of confidentiality. So for example, if a person’s passport goes missing and is accessed by a third party, that will constitute a data breach.

The government consultation on the UK GDPR has proposed a higher threshold in relation to notifiability - essentially, a breach would have to be reported “unless the risk to individuals is not material.” The government has cited reducing a culture of “over-reporting” - and the related time, effort and money incurred as a result of this by both the ICO and reporting organisations - as motivations behind this proposal. 

It’s currently unclear what would constitute a “material risk,” but we may see:

  • More specific, and narrowly defined, examples of what constitutes a “material risk” (when contrasted with some of the current broad examples cited under the UK GDPR)
  • More guidance on what constitutes a “large amount” of personal data, if it continues to be used as a factor for notifying the ICO
  • Specific examples of breaches that would not require notification of the ICO

Q. What steps should be taken when processing gender recognition data?

Krishan: Like vaccination and diversity data, gender recognition data constitutes special category data, which means you’ll need to consider the following requirements:

  • Consider whether you have a lawful basis and special condition (essentially a legal and valid justification) under data protection laws to collect the data. Essentially, this means that one of the conditions set out in Article 9 of the UK GDPR must apply.
  • You can only collect this data from the individuals who you reasonably require it from.
  • Tell individuals that you’re collecting this data. It’s good practice to update your privacy notices to reflect that you’re collecting this information. You’ll also need to put in place an appropriate policy document because you’re capturing special category data (the ICO has a handy template for this).
  • Appropriately safeguard the data (e.g., through appropriate access controls and encryption).
  • Delete or destroy the data as soon as you no longer need it. This might be dictated by legal requirements (e.g., the Gender Recognition Act), but you should also take into account whether you still need to hold the information and, if not, you should delete it.

Q. Are the rules around international data transfers being reviewed and, if so, what should we look out for?

Krishan: The ICO recently held a consultation on how organisations can continue to protect people’s personal data when it’s transferred outside the UK. While no changes have come into effect yet, it seems likely that UK law will diverge from EU law in this respect, with different agreements, requirements and terminology likely to come into play.

Under EU law, transfers outside the European Economic Area to countries whose privacy laws are not deemed adequate by the European Commission must be safeguarded using specific contractual measures (known as “appropriate safeguards”).

In terms of who should put those appropriate safeguards in place, if you’re contracting on your counterparty’s agreed terms, you should ask them to direct you to the relevant appropriate safeguards for international transfers. If not, you’ll need to put the appropriate safeguards in place yourself with the assistance of data privacy lawyers.

While none of the proposed data protection changes have been confirmed, it’s important to stay up to date with the consultations so that you can remain compliant.

Please note that the responses in this document do not constitute legal advice. If you require legal advice on any of these points, we recommend that you seek this independently. 

Topic: UK
