UK GDPR Compliance for Productions: Q&A with Sheridans

An increased need to collect special category data - as well as recent proposed changes to the UK General Data Protection Regulation (GDPR) - mean that compliance with data protection law remains a key concern for the production industry.

As such, we asked Sheridans Associate Krishan Neelendra to answer key questions on the UK GDPR from UK production companies and freelancers.

Q. Can individuals be held personally liable under the UK GDPR?

Krishan: Generally, where an individual breaches the UK GDPR in their capacity as an employee, the employer will be liable.

This can be distinguished from situations where an employee acts outside the course of their employment (e.g., by purposely leaking payroll data or confidential information with an intent to harm their employer or colleagues), in which case the employee would be liable.

However, in most cases, the general rule is that the employer will be liable in the event that their employee breaches the UK GDPR.

Q. What counts as a serious breach (and needs to be reported) currently, and what will count if the proposed changes to the UK GDPR go ahead?

Krishan: Currently, when a personal data breach occurs, you need to establish the likelihood of the risk to people’s rights and freedoms (including the risk of physical, material, and non-material damage). If such a risk is likely, you must notify the Information Commissioner’s Office (ICO).

The UK GDPR provides some specific examples of incidents which constitute high risk and therefore require notification. These include discrimination and indentity theft, as well as the depravation of rights and freedoms of individuals and a loss of confidentiality. So for example, if a person’s passport goes missing and is accessed by a third party, that will constitute a data breach.

The government consultation on the UK GDPR has proposed a higher threshold in relation to notifiability - essentially, a breach would have to be reported “unless the risk to individuals is not material.” The government has cited reducing a culture of “over-reporting” - and the related time, effort and money incurred as a result of this by both the ICO and reporting organisations - as motivations behind this proposal. 

It’s currently unclear what would constitute a “material risk,” but we may see:

• More specific, and narrowly defined, examples of what constitutes a “material risk” (when contrasted with some of the current broad examples cited under the UK GDPR)
• More guidance on what constitutes a “large amount” of personal data, if it continues to be used as a factor for notifying the ICO
• Specific examples of breaches that would not require notification of the ICO

Q. What steps should be taken when processing gender recognition data?

Krishan: Like vaccination and diversity data, gender recognition data constitutes special category data, which means you’ll need to consider the following requirements:

• Consider whether you have a lawful basis and special condition (essentially a legal and valid justification) under data protection laws to collect the data. Essentially, this means that one of the conditions set out in Article 9 of the UK GDPR must apply.
• You can only collect this data from the individuals who you reasonably require it from.
• Tell individuals that you’re collecting this data. It’s good practice to update your privacy notices to reflect that you’re collecting this information. You’ll also need to put in place an appropriate policy document because you’re capturing special category data (the ICO has a handy template for this).
• Appropriately safeguard the data (e.g., through appropriate access controls and encryption).
• Delete or destroy the data as soon as you no longer need it. This might be dictated by legal requirements (eg, the Gender Recognition Act), but you should also take into account whether you still need to hold the information and, if not, you should delete it. 
  

Q. Are the rules around international data transfers being reviewed and, if so, what should we look out for?

Krishan: The ICO recently held a consultation on how organisations can continue to protect people’s personal data when it’s transferred outside the UK. While no changes have come into effect yet, it seems likely that UK law will diverge from EU law in this respect, with different agreements, requirements and terminology likely to come into play.

Under EU law, transfers outside the European Economic Area to countries whose privacy laws are not deemed adequate by the European Commission must be safeguarded using specific contractual measures (known as “appropriate safeguards”).

In terms of who should put those appropriate safeguards in place, if you’re contracting on your counterparty’s agreed terms, you should ask them to direct you to the relevant appropriate safeguards for international transfers. If not, you’ll need to put the appropriate safeguards in place yourself with the assistance of data privacy lawyers.

While none of the proposed data protection changes have been confirmed, it’s important to stay up to date with the consultations so that you can remain compliant.

Please note that the responses in this document do not constitute legal advice. If you require legal advice on any of these points, we recommend that you seek this independently.