UK General Data Protection Regulation – A Guide to the Law

 

James Castro-Edwards

 

£65, Law Society

 

★★★✩✩

Once seen as a niche area, data protection law now sits front and centre in the UK legal landscape. Whether advising a celebrity concerned about press intrusion or a hospital patient wanting to see their medical records after a botched operation, it is essential that lawyers have a sound understanding of the UK data protection regime as set out in the UK General Data Protection Regulation(UK GDPR) and the Data Protection Act 2018 (DPA 2018).

James Castro-Edwards’ book on the UK GDPR is highly informative and logically set out. It highlights the differences between the UK GDPR and the EU General Data Protection Regulation (EU GDPR) and explains what the UK GDPR means both for firms’ own personal data and the personal data of their clients.

This book covers all the important topics, with the chapters following the structure of the UK GDPR itself. It starts by explaining the scope of the regulation, pointing out developments since Brexit. The following chapters cover, among other things, the GDPR principles, data subjects’ rights, breach notification, remedies and the role of the regulator. The chapter on data subjects’ rights includes a useful section explaining the myriad exemptions alongside a clear summary table. This is particularly welcome as, during my years of training data protection practitioners, I have often found that this is the subject they find most challenging. In particular, the language of schedules 2-4 of the DPA 2018 is not straightforward, especially for those not used to reading the legislation.

Those grappling with international data transfers will find chapter 5 of the book worth a read. It discusses the latest guidance issued by the European Data Protection Board (EDPB) since the landmark judgment of the Court of Justice of the European Union delivered in Case C 311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, also known as ‘Schrems II’. There is also discussion of the latest EU standard contractual clauses as well as the UK’s International Data Transfer Agreement, which was in draft at the time of this book’s publication but has now been finalised.

A Keeling Schedule at the end of the book clearly sets out the changes made to the EU GDPR for it to become the UK GDPR. This is a welcome addition as it gives readers what they need in one book. A further improvement would have been to include the GDPR Recitals as well as the key provisions of the DPA 2018. However this would have significantly added to the current 209 pages of the book which is of a convenient size.

Unfortunately for the author this book will soon require updating. In the Queen’s speech, Prince Charles outlined the government’s priorities for the year ahead, including a new Data Protection Reform Bill which is predicted to make sweeping changes to the UK GDPR. The draft bill will be published this summer but you do not have to look too far back for clues about its contents. On 10 September 2021, the government launched a consultation entitled ‘Data: A new direction’ intended ‘to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data’. Cynics will say that it was an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the EU. Time will tell.

Much of the analysis in this book paraphrases the Information Commissioner’s Office and EDPB guidance. This is not a criticism but a strength of the book, as often these documents are lengthy and not always straightforward for the data protection novice to understand in one reading.

Overall, the logical sequence of chapters offers the reader a comprehensive overview of the UK GDPR and its many interlocking provisions. Good value at £65.

 

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)