
UK GDPR Compliance for Productions: Q&A with Sheridans

Special category data, liability, data transfers and reporting - Sheridans answer your questions on the UK GDPR and the proposed changes.
May 4, 2022

An increased need to collect special category data - as well as recent proposed changes to the UK General Data Protection Regulation (GDPR) - mean that compliance with data protection law remains a key concern for the production industry.

As such, we asked Sheridans Associate Krishan Neelendra to answer key questions on the UK GDPR from UK production companies and freelancers.

Q. Can individuals be held personally liable under the UK GDPR?

Krishan: Generally, where an individual breaches the UK GDPR in their capacity as an employee, the employer will be liable.

This can be distinguished from situations where an employee acts outside the course of their employment (e.g., by purposely leaking payroll data or confidential information with an intent to harm their employer or colleagues), in which case the employee would be liable.

However, in most cases, the general rule is that the employer will be liable in the event that their employee breaches the UK GDPR.

Q. What counts as a serious breach (and needs to be reported) currently, and what will count if the proposed changes to the UK GDPR go ahead?

Krishan: Currently, when a personal data breach occurs, you need to establish the likelihood of the risk to people’s rights and freedoms (including the risk of physical, material, and non-material damage). If such a risk is likely, you must notify the Information Commissioner’s Office (ICO).

The UK GDPR provides some specific examples of incidents which constitute high risk and therefore require notification. These include discrimination and identity theft, as well as the deprivation of rights and freedoms of individuals and a loss of confidentiality. So for example, if a person’s passport goes missing and is accessed by a third party, that will constitute a data breach.

The government consultation on the UK GDPR has proposed a higher threshold in relation to notifiability - essentially, a breach would have to be reported “unless the risk to individuals is not material.” The government has cited reducing a culture of “over-reporting” - and the related time, effort and money incurred as a result of this by both the ICO and reporting organisations - as motivations behind this proposal. 

It’s currently unclear what would constitute a “material risk,” but we may see:

  • More specific, and narrowly defined, examples of what constitutes a “material risk” (when contrasted with some of the current broad examples cited under the UK GDPR)
  • More guidance on what constitutes a “large amount” of personal data, if it continues to be used as a factor for notifying the ICO
  • Specific examples of breaches that would not require notification of the ICO

Q. What steps should be taken when processing gender recognition data?

Krishan: Like vaccination and diversity data, gender recognition data constitutes special category data, which means you’ll need to consider the following requirements:

  • Consider whether you have a lawful basis and special condition (essentially a legal and valid justification) under data protection laws to collect the data. Essentially, this means that one of the conditions set out in Article 9 of the UK GDPR must apply.
  • You can only collect this data from the individuals who you reasonably require it from.
  • Tell individuals that you’re collecting this data. It’s good practice to update your privacy notices to reflect that you’re collecting this information. You’ll also need to put in place an appropriate policy document because you’re capturing special category data (the ICO has a handy template for this).
  • Appropriately safeguard the data (e.g., through appropriate access controls and encryption).
  • Delete or destroy the data as soon as you no longer need it. This might be dictated by legal requirements (e.g., the Gender Recognition Act), but you should also take into account whether you still need to hold the information and, if not, you should delete it.

Q. Are the rules around international data transfers being reviewed and, if so, what should we look out for?

Krishan: The ICO recently held a consultation on how organisations can continue to protect people’s personal data when it’s transferred outside the UK. While no changes have come into effect yet, it seems likely that UK law will diverge from EU law in this respect, with different agreements, requirements and terminology likely to come into play.

Under EU law, transfers outside the European Economic Area to countries whose privacy laws are not deemed adequate by the European Commission must be safeguarded using specific contractual measures (known as “appropriate safeguards”).

In terms of who should put those appropriate safeguards in place, if you’re contracting on your counterparty’s agreed terms, you should ask them to direct you to the relevant appropriate safeguards for international transfers. If not, you’ll need to put the appropriate safeguards in place yourself with the assistance of data privacy lawyers.

While none of the proposed data protection changes have been confirmed, it’s important to stay up to date with the consultations so that you can remain compliant.

Please note that the responses in this document do not constitute legal advice. If you require legal advice on any of these points, we recommend that you seek this independently. 

Topic: UK

© 2022 Entertainment Partners. All rights reserved.