Data Protection Support
for your Business
Reach UK GDPR compliance with our experienced data protection legal experts. Receive flexible support for your data protection teams and officers in companies and corporations.
What are your most difficult challenges in data protection in your company?
Corporations face increasingly complex data protection requirements and responsibilities.
The organisational and legal interlinking of the businesses that belong to a corporation leads to data protection challenges, especially concerning communication inside companies and the processing of personal data of employees, customers, and partners.
The legal situation becomes even more difficult when the companies are outside the UK. Adequate technical and organisational measures must be taken in all company units to ensure the protection of personal data.
In addition, Human Resources and IT departments are not automatically allowed to process personal data for the parent company and the subsidiaries.
How can our legal experts support you in data protection matters in your company?
You benefit from punctual and flexible support on all data protection questions where you need advice from experts.
Most companies have at least one internal or corporate data protection officer. Data protection is often organised by the compliance department. However, there are many specific questions that can only be answered by specialised legal experts who work with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018 on a daily basis.
Our experts will support you in every field where you require further expertise, whether for projects only or on a long-term basis. This way we can find UK GDPR-compliant solutions for all data protection matters in your company.
In particular, our experts can provide advice on the following matters:
Register of processing activities (ROPA)
Under Art. 30 of the UK GDPR, every company must create a register of processing activities (ROPA) for its particular data processes. Company structures should also be taken into account when creating and managing the registers, such as the catalogues from the perspective of the contracting service company.
Technical and organisational measures (TOM)
Under Art. 25 and 32 of the UK GDPR, companies are required to determine technical and organisational measures to protect personal data and to reflect data protection pre-sets (Privacy by Design, Privacy by Default). There should be no vulnerabilities inside the company that endanger UK GDPR compliance. Company-wide protection concepts should also be prioritised.
Data Protection Impact Assessment (DPIA)
According to Art. 35 of the UK GDPR, a Data Protection Impact Assessment (DPIA) should always be carried out if data processing activities pose a potentially high risk due to the kind, scope, circumstances, and purpose of the processing. A DPIA analyses the risks to the rights and freedoms of data subjects before their data is processed; for complex processes, its requirements are very extensive.
Data subject rights
Expanded data subject rights, such as the right to information and the right to object, are set out in Art. 12 to Art. 22 of the UK GDPR. Because data in corporations is transferred, processed jointly, or processed by partner companies on instruction, it is advantageous to create uniform processes and rules for handling data subject rights in the company.
Data breaches
If a data breach occurs, the responsible parties and, in some circumstances, the data subject must be informed under Art. 33 and 34 UK GDPR. Companies often process data on behalf of other companies within the group as a shared service. It is therefore advisable to establish a uniform system within the group that allows information to be exchanged quickly in the event of a data breach or similar cases.
Data protection and compliance
Some compliance requirements call for processing personal data as extensively as possible. However, data minimisation is a principle of the UK GDPR, which only allows data to be processed when absolutely needed to accomplish a specific purpose. Some compliance issues require a specific management system, which should also emphasise data protection in order to eliminate contradictions and create synergy between compliance and data protection requirements.
Binding Corporate Rules (BCRs)
Companies have the option of creating Binding Corporate Rules (BCRs) for the purpose of data transfers outside the UK. These apply group-wide but must still be approved by the ICO. As a transfer mechanism, BCRs can also serve as a guarantee for data transfers to countries outside the UK in accordance with the GDPR.
Agreements for data transfers within a group of companies
Groups of companies do not enjoy any corporate privileges, and therefore every data transfer must be justifiable. Depending on the type of cooperation between the companies of a group, this can take the form of either Joint Controller Agreements (JCA) or Data Processing Agreements (DPA). However, if the data transfer is outside the UK, then either the International Data Transfer Agreement (IDTA), the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (Addendum), or other guarantees will be needed. Instead of establishing BCRs, framework agreements for group-wide data transfers are mostly suggested, including Joint Controller Agreements, Data Processing Agreements and, if necessary, the Addendum with the Standard Contractual Clauses. Other companies of the group may join such framework agreements, so that the greatest possible flexibility is maintained.
Contact with authorities and lawyers
Because of their great responsibility in data protection, groups of companies are often in the focus of authorities and lawyers. As a rule of thumb, a vast amount of processed personal data and a large number of affected data subjects mean an elevated risk of becoming a target of authorities and courts. Legal expertise is therefore crucial in order to avoid this ire.
Training
Compliance with regulatory requirements is tied to the continuing training of the persons involved in data processing. For companies, a successful data protection structure that helps to create a uniform data protection standard in all companies of the group is indispensable. Regular training courses for employees and a culture of open discussion are therefore essential.
4 good reasons why activeMind.legal UK Ltd. is the best choice for data protection in your group
Specialised UK and EU legal experts
Lived transfer of knowledge
International orientation
Compliance enabler
Free initial consultation
Data protection regulations are complex and the obligations they impose differ wildly. Therefore, we wish to get to know you and your business before we recommend which support you may need.
In order to do that, we offer a free initial consultation between you and one of our legal experts.
Simply contact us and we will get back to you within 2 business days.