# European Privacy Packs

## United Kingdom — UK GDPR and Data Protection Act 2018
Pack ID: uk-gdpr
Framework: UK-GDPR
Regulator: ICO (Information Commissioner's Office)
Controls: 14 (7 critical, 6 high, 1 medium)
Law: UK GDPR (retained EU law) + Data Protection Act 2018
### UK-GDPR-01: ICO Registration
Severity: Critical
Register with the UK Information Commissioner's Office (ICO) as a data controller or processor if required.
Legal Reference: DPA 2018 Part 3 Section 137; ICO Registration Guidance
Register with the ICO and pay the annual data protection fee if processing personal data (unless exempt). Maintain accurate registration entries describing processing purposes. Update when processing activities change.
| Check | Description |
|---|---|
| UK-GDPR-01-C1 | ICO registration completed and current |
| UK-GDPR-01-C2 | Annual data protection fee paid |
| UK-GDPR-01-C3 | Registration entries reviewed and updated |
### UK-GDPR-02: Data Protection Officer (UK)
Severity: High
Designate a DPO where required under UK GDPR and ensure ICO notification.
Legal Reference: UK GDPR Article 37; DPA 2018 Part 3 Section 69
Designate if: public authority, core activities require large-scale regular and systematic monitoring, or large-scale special category data processing. Submit DPO contact details to ICO. DPO must report to highest management, operate independently.
| Check | Description |
|---|---|
| UK-GDPR-02-C1 | DPO designated if required |
| UK-GDPR-02-C2 | DPO contact details submitted to ICO |
| UK-GDPR-02-C3 | DPO independence and reporting line documented |
### UK-GDPR-03: Records of Processing Activities (UK)
Severity: Critical
Maintain ROPA documenting all UK personal data processing activities.
Legal Reference: UK GDPR Article 30
Include: controller/processor details, processing purposes, data categories, data subject categories, recipient categories, third-country transfers, retention periods, security measures. Organizations under 250 employees exempt unless high-risk processing.
| Check | Description |
|---|---|
| UK-GDPR-03-C1 | ROPA maintained with all Article 30 required fields |
| UK-GDPR-03-C2 | ROPA reviewed and updated when processing changes |
| UK-GDPR-03-C3 | Exemption assessment documented if applicable |
### UK-GDPR-04: Special Category Data Conditions
Severity: Critical
Identify the Article 9 condition AND a Schedule 1 DPA 2018 condition for processing special category data.
Legal Reference: UK GDPR Articles 9-10; DPA 2018 Schedule 1
Special category data: race, ethnicity, political, religious, trade union, genetic, biometric, health, sex life, sexual orientation. Identify both an Article 9 condition and a Schedule 1 condition. Some require an "appropriate policy document."
| Check | Description |
|---|---|
| UK-GDPR-04-C1 | Article 9 condition identified for each special category processing |
| UK-GDPR-04-C2 | Schedule 1 DPA 2018 condition identified |
| UK-GDPR-04-C3 | Appropriate policy document in place where required |
### UK-GDPR-05: Lawful Basis for Processing (UK)
Severity: High
Document and communicate the lawful basis for each processing activity under UK GDPR Article 6.
Legal Reference: UK GDPR Article 6; ICO Guidance on Children
Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. Conduct Legitimate Interests Assessments (LIAs) where applicable. Children's data threshold: under 13 requires parental consent.
| Check | Description |
|---|---|
| UK-GDPR-05-C1 | Lawful basis documented per processing activity |
| UK-GDPR-05-C2 | Legitimate Interest Assessments conducted where applicable |
| UK-GDPR-05-C3 | Children's data protections (age 13 threshold) implemented |
### UK-GDPR-06: UK Data Subject Rights
Severity: Critical
Implement all UK GDPR data subject rights with ICO-compliant response procedures.
Legal Reference: UK GDPR Articles 12-22
Rights: access (Art 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), automated decision-making (22). Respond within one month (extendable by two for complex requests). Free first copy.
| Check | Description |
|---|---|
| UK-GDPR-06-C1 | All 7 data subject rights implemented |
| UK-GDPR-06-C2 | Response within one month with extension procedure |
| UK-GDPR-06-C3 | Manifestly unfounded/excessive request handling documented |
### UK-GDPR-07: Data Protection Impact Assessment (DPIA)
Severity: High
Conduct DPIAs for high-risk processing under UK GDPR and ICO guidance.
Legal Reference: UK GDPR Article 35; ICO DPIA Guidance
Required for: large-scale special category data, systematic monitoring of public areas, systematic and extensive profiling, large-scale processing of vulnerable groups. Follow ICO DPIA template. Consult ICO if high residual risks remain.
| Check | Description |
|---|---|
| UK-GDPR-07-C1 | DPIA screening criteria established |
| UK-GDPR-07-C2 | DPIAs conducted for high-risk processing |
| UK-GDPR-07-C3 | ICO prior consultation when residual high risk |
### UK-GDPR-08: UK International Transfer Mechanisms
Severity: Critical
Use UK-approved transfer mechanisms for international personal data transfers.
Legal Reference: UK GDPR Chapter V; ICO International Transfers Guidance
Transfer to adequate countries per UK adequacy regulations (EEA, Gibraltar, others). For non-adequate: International Data Transfer Agreement (IDTA), UK Addendum to EU SCCs, BCRs, or Article 49 derogations. Conduct Transfer Risk Assessments (TRAs).
| Check | Description |
|---|---|
| UK-GDPR-08-C1 | Transfer register maintained with mechanism per transfer |
| UK-GDPR-08-C2 | IDTA or UK Addendum executed for non-adequate transfers |
| UK-GDPR-08-C3 | Transfer Risk Assessments conducted per ICO guidance |
| UK-GDPR-08-C4 | UK adequacy regulations monitored for updates |
### UK-GDPR-09: Security of Processing (UK)
Severity: Critical
Implement appropriate technical and organizational security measures per UK GDPR Article 32.
Legal Reference: UK GDPR Article 32; ICO Security Guidance
Measures: pseudonymisation, encryption, confidentiality, integrity, availability, resilience, restoration procedures. Regularly test and evaluate effectiveness. Document security risk assessments.
| Check | Description |
|---|---|
| UK-GDPR-09-C1 | Security measures documented and risk-assessed |
| UK-GDPR-09-C2 | Encryption and pseudonymisation implemented |
| UK-GDPR-09-C3 | Measures tested and evaluated regularly |
### UK-GDPR-10: ICO Breach Notification
Severity: Critical
Notify the ICO of personal data breaches within 72 hours and notify affected individuals when high risk.
Legal Reference: UK GDPR Articles 33-34; ICO Breach Reporting Guidance
Notify ICO within 72 hours of becoming aware (unless unlikely to result in risk). Use ICO's personal data breach reporting service. If high risk to individuals, notify without undue delay. Document all breaches.
| Check | Description |
|---|---|
| UK-GDPR-10-C1 | ICO 72-hour notification procedure implemented |
| UK-GDPR-10-C2 | Individual notification for high-risk breaches |
| UK-GDPR-10-C3 | Internal breach register maintained |
### UK-GDPR-11: Data Processor Contracts (UK)
Severity: High
Execute Article 28-compliant data processing contracts with all processors.
Legal Reference: UK GDPR Article 28
Cover: subject matter, duration, nature/purpose, data types, data subject obligations, processor duties (instructions, confidentiality, security, sub-processor controls, data return/deletion, audit assistance).
| Check | Description |
|---|---|
| UK-GDPR-11-C1 | Article 28 contracts executed with all processors |
| UK-GDPR-11-C2 | Sub-processor flow-down terms included |
| UK-GDPR-11-C3 | Contracts reviewed for ICO compliance |
### UK-GDPR-12: Accountability Principle (UK)
Severity: High
Demonstrate compliance with UK GDPR accountability principle through documented evidence.
Legal Reference: UK GDPR Article 5(2); ICO Accountability Framework
Maintain evidence: policies, procedures, training records, DPIAs, audit results, ROPA, consent records, contracts, breach records, DPO reports. Conduct annual ICO accountability self-assessment.
| Check | Description |
|---|---|
| UK-GDPR-12-C1 | Accountability evidence maintained and organized |
| UK-GDPR-12-C2 | Annual ICO accountability self-assessment conducted |
| UK-GDPR-12-C3 | Data protection by design integrated into projects |
### UK-GDPR-13: Direct Marketing (PECR)
Severity: High
Comply with Privacy and Electronic Communications Regulations (PECR) for marketing.
Legal Reference: PECR; ICO Direct Marketing Guidance
Obtain consent before electronic marketing (email, SMS, in-app). Clear opt-out in every message. Honor opt-outs promptly. Soft opt-in for existing customers (similar products, clear opt-out).
| Check | Description |
|---|---|
| UK-GDPR-13-C1 | PECR-compliant consent obtained for electronic marketing |
| UK-GDPR-13-C2 | Opt-out mechanism in every marketing message |
| UK-GDPR-13-C3 | Soft opt-in criteria assessed for existing customers |
### UK-GDPR-14: UK Representative
Severity: Medium
Appoint a UK representative if offering goods/services or monitoring individuals in the UK from outside the UK.
Legal Reference: UK GDPR Article 27
Required if based outside the UK and processing UK personal data related to offering goods/services or behavior monitoring. Representative acts as contact point for data subjects and ICO.
| Check | Description |
|---|---|
| UK-GDPR-14-C1 | UK representative appointed if applicable |
| UK-GDPR-14-C2 | Representative contact details available to data subjects |
## Switzerland — Federal Act on Data Protection (revFADP)
Pack ID: ch-fadp
Framework: FADP
Regulator: FDPIC (Federal Data Protection and Information Commissioner)
Controls: 8 (2 critical, 5 high, 1 medium)
Law: revFADP (in effect September 1, 2023)
### FADP-01: Data Protection Officer / Advisor
Severity: High
Designate a data protection advisor if processing high-risk personal data on a large scale.
Legal Reference: FADP Article 10
Designate when a data security risk assessment indicates high risk to personality or fundamental rights, particularly for large-scale or sensitive processing. Advisor maintains the processing register, advises on DPIAs, liaises with FDPIC.
| Check | Description |
|---|---|
| FADP-01-C1 | Risk assessment conducted to determine advisor requirement |
| FADP-01-C2 | Advisor designated if high-risk threshold met |
### FADP-02: Principles of Data Processing
Severity: Critical
Comply with FADP principles: lawfulness, proportionality, purpose, transparency, and accuracy.
Legal Reference: FADP Articles 6-7
Process lawfully, in good faith, proportionally. Process only for the purpose indicated at collection. Special categories (health, biometric, genetic, racial, religious, political, trade union, sexual) require explicit consent.
| Check | Description |
|---|---|
| FADP-02-C1 | Processing purposes documented and communicated |
| FADP-02-C2 | Explicit consent obtained for special category data |
| FADP-02-C3 | Proportionality assessment conducted |
### FADP-03: Transparency and Information Duties
Severity: High
Provide information to data subjects about data collection and processing.
Legal Reference: FADP Article 19
Inform data subjects of: controller identity, processing purpose, data categories, recipients, retention, cross-border transfers, data subject rights. For third-party data, inform within a reasonable timeframe.
| Check | Description |
|---|---|
| FADP-03-C1 | Privacy notices published with all FADP-required information |
| FADP-03-C2 | Third-party data subjects informed within reasonable time |
### FADP-04: Data Subject Rights
Severity: High
Implement FADP data subject rights including access, correction, destruction, and objection.
Legal Reference: FADP Articles 25-27
Rights: information about processing, access, correction of inaccurate data, destruction of unlawfully processed data, objection to direct marketing/profiling, restriction. Respond within 30 days (extendable by 60). Free access.
| Check | Description |
|---|---|
| FADP-04-C1 | All FADP data subject rights implemented |
| FADP-04-C2 | Response within 30 days with extension procedure |
| FADP-04-C3 | Direct marketing objection respected |
### FADP-05: Data Security and Breach Notification
Severity: Critical
Implement appropriate security measures and notify the FDPIC of qualifying data breaches.
Legal Reference: FADP Articles 7, 24
Implement measures based on risk. Maintain a data processing register. Notify FDPIC as soon as possible when a breach is likely to result in high risk to personality or fundamental rights.
| Check | Description |
|---|---|
| FADP-05-C1 | Security measures documented and risk-assessed |
| FADP-05-C2 | Data processing register maintained |
| FADP-05-C3 | FDPIC breach notification procedure for high-risk breaches |
### FADP-06: Cross-Border Data Transfers
Severity: High
Ensure adequate protection for personal data transferred outside Switzerland.
Legal Reference: FADP Article 16
Transfer to countries providing adequate protection (FDPIC recognizes EU/EEA and certain others). For non-adequate: Swiss SCCs, BCRs, or FDPIC-approved mechanisms. Conduct transfer assessments.
| Check | Description |
|---|---|
| FADP-06-C1 | Adequacy assessment conducted per destination country |
| FADP-06-C2 | Swiss SCCs or equivalent safeguards for non-adequate transfers |
| FADP-06-C3 | FDPIC adequacy list monitored |
### FADP-07: DPIA for High-Risk Processing
Severity: Medium
Conduct Data Protection Impact Assessments for processing likely to result in high risks.
Legal Reference: FADP Articles 22-23
Required for: systematic monitoring, large-scale sensitive data, profiling with significant effects, innovative technologies. Document methodology, risks, and mitigation measures.
| Check | Description |
|---|---|
| FADP-07-C1 | DPIA criteria established for high-risk processing |
| FADP-07-C2 | DPIAs documented with risk assessments |
### FADP-08: Processor Management (FADP)
Severity: High
Execute written contracts with processors processing personal data on behalf of the controller.
Legal Reference: FADP Article 9
Cover: processing only on documented instructions, security obligations, confidentiality, sub-processor controls, data return/deletion, audit assistance. Processors jointly and severally liable.
| Check | Description |
|---|---|
| FADP-08-C1 | Written contracts with all processors |
| FADP-08-C2 | Contracts include FADP Article 9 requirements |
### Exercise: UK GDPR vs EU GDPR Comparison
The UK GDPR diverged from EU GDPR after Brexit. Test your knowledge:
| Question | EU GDPR Answer | UK GDPR Answer |
|---|---|---|
| Transfer mechanism for non-adequate countries? | EU SCCs | ? |
| Adequacy decision authority? | European Commission | ? |
| Children's consent age? | Member state sets (13-16) | ? |
| DPO contact submitted to? | Lead supervisory authority | ? |
| Maximum fine? | EUR 20M or 4% global revenue | ? |
Answers
- UK uses IDTA or UK Addendum to EU SCCs
- UK Secretary of State (via regulations)
- 13 years old (UK GDPR threshold)
- ICO
- GBP 17.5M or 4% global revenue
### Exercise: Swiss FADP Transfer Assessment
Your Swiss company wants to transfer customer data to a US-based cloud provider.
- Is the US on the FDPIC adequacy list? (Check current status)
- What transfer mechanism would you use?
- What assessment must you conduct before relying on it?
- What supplementary measures might be needed?
Guidance
- The FDPIC recognizes the EU-US Data Privacy Framework
- Use Swiss SCCs or the UK Addendum approach
- Conduct a Transfer Impact Assessment (TIA)
- Consider encryption, pseudonymisation, and access controls