UK GDPR Blog

On the importance of developing, introducing, and sustaining Communication Standards



When communicating with companies from the UK, China, or the EU/EEA/EFTA (through meetings, presentations, conferences, individual consulting, etc.), it is important to focus, where appropriate, on the needs of companies from the UK, China, and/or the EU/EEA/EFTA, and to reflect on the interconnections between them.

To meet this goal, it can be useful to approach communication with companies from the respective countries by establishing and elaborating standards of communication based on the current conditions of doing business in those countries. This includes the sphere of personal data protection for customers (which every company has), who can themselves come from different countries with different or common features in private data protection regulation.


1. Establishing and introducing target groups

When preparing a communication session, it is suggested to address the audience on the basis of their needs and external requirements. Establishing and introducing target groups can help; the target groups can be linked to two main categories: ‘Individuals’ and ‘Companies’ (Picture 1).

Picture 1. Establishing and introducing target groups helps to create a structured flow of information

 

It is advised to link to the categories ‘Individuals’ and ‘Companies’, because private data protection rules have specific provisions that apply differently to individuals and companies. Ignoring these facts negatively influences the ‘usefulness’.


2. Developing and sustaining Standards of Communication with target groups

Preparing and conducting communication with the audience without separation into target groups can help to avoid overlap and confusion in understanding the information flow. A presentation on a technology and innovation topic (or an individual consultation) can then follow a logical structure; it is also possible to show the interconnections, where applicable, that arise from international cooperation (Table 1; Table 2).

Table 1. Individuals as a target group (ITG)

Table 2. Companies as a target group (CTG)

3. Conclusions

  1. The elaboration and implementation of the corresponding standards can help to create structures of components in the complex information flow.
  2. The elaboration and implementation of the corresponding standards can contribute to defining which components belong to which structure; examine needs of companies (or individuals as customers); be flexible, react accordingly, and help to meet their needs.
  3. It is suggested that the Standards be treated as ‘live’ documents, which are subject to regular updates due to changes in the business environment, as well as changes in regulatory (legal) requirements.

Date: 29 November 2021

Author: Dr. Elizabeth Sushko-West

Processing of which Individual’s personal data is regulated by UK GDPR?



1. What does UK GDPR refer to?

UK GDPR refers to UK legislation (originating from the EU), in particular EU General Data Protection Regulation No.2016/679, supplemented by the Data Protection Act 2018.

2. Which data is considered ‘personal data’ by UK GDPR?

According to UK GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person.

For example:

  • a name,
  • an identification number,
  • location data,
  • an online identifier.

‘Special categories of personal data’, or ‘sensitive’ information, consist of particular and specific information about an individual, such as data on physical, physiological, genetic, mental, economic, cultural, or social identity.


3. How is ‘processing’ defined by UK GDPR?

Before answering the question asked by the third paragraph of this publication, let’s clarify the meanings of ‘processing’ and ‘operation’, as well as their interconnection.

3.1. What does ‘processing’ mean?

Processing (or a ‘processing operation’) of private data means an operation or a combination of operations that are performed by using personal data or units of personal data, whether or not they are obtained by automated means. 

3.2. Which operations does private data processing include?

An operation or combination of operations performed using personal data or units of personal data includes the following actions:

  • collection of personal data,
  • recording of personal data,
  • organisation of personal data,
  • structuring of personal data,
  • storage of personal data,
  • adaptation or alteration of personal data,
  • retrieval of personal data,
  • consultation using personal data,
  • use of personal data,
  • disclosure by transmission of personal data,
  • dissemination of personal data, or otherwise making personal data available,
  • alignment or combination of personal data,
  • restriction of personal data,
  • erasure or destruction of personal data.

Generally, processing sensitive personal data is prohibited. However, an entity can process a special category of personal data if the processing satisfies one of the conditions defined by UK GDPR.

Legal grounds for processing sensitive information are more demanding than those for processing other types of personal data. A Controller must be able to demonstrate that the processing of sensitive information is strictly necessary and satisfies one of the conditions in Schedule 8 of the Data Protection Act 2018, or is based on explicit consent.

3.3. What is the interconnection between ‘processing’ and ‘operation’?

An operation or a combination of operations shall mean processing. An operation can include defined actions using personal data that are specified by UK GDPR.

 

4. Conclusions

  1. UK GDPR regulates the processing of any information relating to an identified or identifiable natural person, which comprises personal data.
  2. Processing is an operation or a combination of operations that include certain actions using personal data that are specified by UK GDPR.
  3. UK GDPR prohibits processing ‘sensitive’ information unless it is processed in specific circumstances or for specific purposes defined by UK GDPR and Schedule 8 of the Data Protection Act 2018.
  4. Processing sensitive data requires a high level of protection and demands extra care from controllers. It is therefore advised to address information security responsibly, protecting sensitive personal data in line with legal and regulatory requirements.

 

Date: June 2021
Author: Dr. Elizabeth Sushko-West

What is the correlation between ‘data subject’, ‘controller’, and ‘processing’?



1. How can ‘data subject’, ‘controller’, and ‘processing’ be explained?

To answer this question, let’s clarify how ‘data subject’, ‘controller’ and ‘processing’ are defined by UK GDPR. 

1.1. What is a ‘data subject’?

A ‘data subject’ is an individual (a natural person) who is identified or who is identifiable. An identifiable individual is someone who can be identified either directly or indirectly.

An identifiable individual can be identified by reference to an identifier such as:

  • a name,
  • an identification number,
  • location data,
  • an online identifier.

An individual can also be identified by reference to their physical, physiological, genetic, mental, economic, cultural, or social identity, which would constitute ‘sensitive’ information.


1.2. What is a ‘controller’?

A ‘controller’ means either a natural or a legal person, public authority, agency, or other entity.
A ‘controller’, solely or jointly with another controller or controllers, determines the purposes and means of personal data processing.

 

1.3. How should ‘processing’ be understood?

1.3.1. What does ‘processing’ mean under UK GDPR?

‘Processing’ refers to an operation or a combination of operations that are performed on personal data or on sets of personal data, whether or not by automated means. It can also be called a ‘processing operation’.

1.3.2. What does ‘processing’ include?

Processing of private data includes the following actions on private data:

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or alteration,
  • retrieval,
  • consultation,
  • use,
  • disclosure by transmission,
  • dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • erasure or destruction. 

2. How are ‘data subject’, ‘controller’, and ‘processing’ interconnected?

Processing of personal data is exercised by a controller or jointly by controllers that define purposes and means of such processing.

A controller is connected with a data subject through an operation of processing, where a controller processes private data of a data subject.


3. Conclusions

  1. An individual who is identified or who is identifiable shall mean a ‘data subject’ under UK GDPR. Purposes and means of personal data processing are determined by a controller. ‘Processing’ refers to an operation or a combination of operations that are performed over personal data or sets of personal data as outlined in UK GDPR.
  2. The correlation between ‘data subject’, ‘controller’, and ‘processing’ can be visualised in the following way:

 

 

Date: May 2021

Author: Dr. Elizabeth Sushko-West

What is the difference between “GDPR” and “UK GDPR”?


1. What does “GDPR” mean?

“GDPR” means General Data Protection Regulations.
The General Data Protection Regulation No.679 was adopted by the European Parliament and the Council of the European Union on 27 April 2016.

The European Data Protection Regulations became applicable as of 25 May, 2018.
A regulation is a legal act of the European Union that becomes immediately enforceable as law in all EU member states simultaneously (Article 288 of the Treaty on the Functioning of the European Union).

This General Data Protection Regulation repealed Directive 95/46/EC (General Data Protection Regulation) on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
It is focused on the protection of individuals with regard to the processing of personal data. It also regulates the transfer of personal data outside of the EU and the EEA.

The purpose of Regulation No. 679 is to give individuals control over the processing of their personal data. It also unifies relevant regulations within the EU and makes clear standards and requirements for international data transactions.
With reference to article 2 of the GDPR, “This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where a Member State’s law applies by virtue of public international law.”


2. What does “UK GDPR” mean?

“UK GDPR” refers to the UK General Data Protection Regulations.
The United Kingdom joined the EU on 1 January 1973.

After 47 years, the UK became the first and only country that officially left the EU. After long-term negotiations, a final deal was agreed between the UK and the EU that defined their future relationship and took effect at 23.00 GMT on 31 December 2020.

During the UK's membership of the EU, organisations in the UK complied with General Data Protection Regulation No.679 alongside the Data Protection Act 2018.

After 23.00 GMT on 31 December 2020, the UK officially left the EU. However, the GDPR was retained in UK law and became the UK GDPR. In the UK it is referred to as “UK legislation (originating from the EU).”

UK GDPR is supplemented by the Data Protection Act 2018. Together, these laws form the data protection regime in the UK.


3. Conclusions

  1. “GDPR” means General Data Protection Regulations.
  2. The General Data Protection Regulation No.679 is a legal act of the European Union that became enforceable as law in all EU member states. The European Data Protection Regulation entered into force in 2018.
  3. After the UK officially left the EU on the last calendar day of 2020, the GDPR was retained in UK law as the UK GDPR, referred to as UK legislation (originating from the EU) and supplemented by the Data Protection Act 2018.
  4. In order to avoid confusion in “GDPR” terminology, GDPR of the EU can be referred to as the “EU GDPR”, whereas “UK GDPR” implies that this GDPR is part of UK legislation.

 

Date: May 2021
Author: Dr. Elizabeth Sushko-West
