Zscaler and UK Data Protection Laws
Introduction and Overview
When the United Kingdom (“UK”) withdrew from the European Union (“EU”) effective January 31, 2020, a “transition period” ensured that most EU laws—including EU data protection laws—continued to apply to the UK. Following the transition period, effective January 1, 2021, two key pieces of legislation govern data protection in the UK: the UK General Data Protection Regulation (Regulation (EU) 2016/679) (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
The UK GDPR is largely identical to the EU GDPR, as incorporated into UK law by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and other domestic UK laws. The DPA 2018 supplements and complements the UK GDPR, including by providing certain exemptions from the UK GDPR.
Like the EU GDPR, the UK GDPR describes key principles governing the processing of personal data by controllers and processors, including the following:
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. The controller must only process personal data on the basis of one or more of the legal grounds set out in Article 6 of the UK GDPR.
Personal data must only be collected for specified, explicit, and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Personal data must be accurate and, where necessary, kept up to date.
Personal data must not be kept in a form which permits data subjects to be identified for longer than is necessary for the purposes for which the data is processed.
Integrity and confidentiality
Personal data must be processed in a way that appropriately ensures its security. Controllers and processors must use appropriate technical or organizational security measures to ensure this.
The controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
For cross-border transfers of personal data from the UK to countries that have not been determined to provide “adequate safeguards” under the UK GDPR (which includes the United States), the UK Information Commissioner’s Office (“ICO”) has approved (effective March 21, 2022) an International Data Transfer Addendum that supplements and provides options under the EU standard contractual clauses (“EU SCCs”) to ensure that the EU SCCs are applicable to data transfers from the UK.