Practical Law

The UK’s new Information Commissioner took charge in January and quickly opened a major listening exercise to gather feedback from businesses, organisations, and individuals about their experiences of engaging with the ICO. The consultation remains open until 1 May.

There have been several other key data privacy and cyber security developments over the winter that in-house counsel should be aware of:

• On 15 December 2021, the government published its new National Cyber Strategy.
• On 4 January 2022, John Edwards started a five-year term as the UK’s new Information Commissioner and set out his approach to the role in a blog post.
• The European Data Protection Board (EDPB) has published final guidelines 01/2021 on examples regarding personal data breach notification adopted at its 58th Plenary Session held on 14 December 2021.
• On 19 January, the government published a review detailing the progress made in improving cyber resilience between 2016 and 2021 and what action is needed to further enhance cyber resilience in the UK.
• On 7 February, the ICO invited feedback on two further chapters added to its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies.
• On 22 February, the EDPB published the final version of Guidelines 04/2021 on Codes of Conduct as tools for transfers adopted at its 61st plenary, following a public consultation.
• On 30 March, DCMS published the Cyber Security Breaches Survey 2022.

Key dates: Spring 2022

Key forthcoming dates include:

• 10 April. The government’s consultation on proposals for new laws to improve the cyber resilience of organisations closes.
• 22 April. The ICO’s consultation on its draft new guidance on making use of the provisions in the UK GDPR and Data Protection Act 2018 (DPA 2018) relating to processing personal data for research purposes closes.
• 1 May. The new Information Commissioner’s major listening exercise to receive feedback from businesses, organisations, and individuals closes.
• 11 May. The European Commission’s proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act) feedback period ends.
• 25 May. The European Commission’s call for evidence and public consultation on an EU Cyber Resilience Act closes.

New Practical Law content

Over the course of the winter, Practical Law has published:

• Practice note, Privilege in cyber investigations is a note on the relevance of privilege as part of a cyber investigation.
• Practice note, Transferring personal data outside the UK: FAQs is a list of frequently asked questions and answers on transferring personal data outside of the UK under the UK GDPR and Data Protection Act 2018.
• Practice note, Cybersecurity risk assessments and reporting (UK) explains how to plan, perform and report on cybersecurity risk assessments.
• Standard document, Information asset register takes the form of a template Excel spreadsheet that can be used to record data about an organisation’s information assets as part of its overall information/data governance programme.
• Checklist, Cybersecurity risk assessment checklist (UK) outlines key steps for an organisation to take when planning and performing a cybersecurity risk assessment.
• Standard document, ICO International Data Transfer Agreement (IDTA) (UK), which features the Information Commissioner’s Office’s (ICO’s) International Data Transfer Agreement (IDTA) for the transfer of personal data from the UK.
• Standard clause, ICO International Data Transfer Addendum to EU Commission Standard Contractual Clauses (UK), which sets out the ICO’s International Data Transfer Addendum (Addendum) to the EU Commission Standard Contractual Clauses (SCCs).
• Article, Lloyd v Google: the upshot for data class actions discusses the outlook for data class actions following the Supreme Court’s decision in Lloyd v Google.
• Article, Practical Law Data Protection: what to expect in 2022 summarises the main developments that will affect data protection practitioners in England and Wales in 2022.
• Article, AI and automated decision making: to regulate or deregulate? discusses the current and future regulation of artificial intelligence and automated decision-making technologies.
• Video, Cyber threats and managing a cyber attack provides an overview of potential cyber threats that can affect organisations, as well as advice on how to prepare for cyber attacks to minimise their impact on business operations.
• EU Strategy for data: Data Governance Act (DGA): legislation tracker charts developments relating to the European Commission proposal for a Regulation on European data governance (Data Governance Act).
• EU Strategy for data: Data Act: legislation tracker charting developments relating to the European Commission proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act).

Featured Asks

We have also published the following Asks:

• Do the rules surrounding international data transfers under the UK GDPR apply to transfers of such personal data back to the jurisdiction from which it originates?
• What are the security requirements around sharing personal data via email?
• Will the UK GDPR apply to the US clients of a UK-based software company, or only the UK or EU-based clients?
• If an organisation purchased a list of customers from a third party, can that organisation then send targeted advertisements via social media to that list of customers?
• Do we still need to respond to a DSAR given that after redacting information about other individuals, the report is rendered nonsensical?
• What are the enforcement options under the UK GDPR and DPA 2018 if an employee takes customer personal data to another company?
• My client is building an app which will build an avatar using facial features of an individual. Do you have any guidance as to what issues should be concerned including whether this would be considered to be biometric/sensitive personal data?
• Upon termination of a contract between a controller and processor, does providing the controller with access to the data to perform a data extraction, constitute a return of the data as required under Article 28, UK GDPR?
• How does a transfer mechanism get approved under the UK GDPR?
• Can a controller subject to the UK GDPR and EU GDPR rely on the Directive SCCs to comply with the data transfer requirements under both data protection regimes?
• Are we required to meet the restricted transfer requirements under the UK GDPR when sending personal data to an individual contractor based in India who may be operating as a sole trader or via a limited company?
• What are the implications of getting the nature of a data protection controller to controller relationship incorrect?
• What resources are available to help put together an intra-group agreement and what issues should we consider?
• If you are a non-UK company, but under the UK GDPR, you are caught by the Article 3 territorial scope requirements, are you required to pay the data protection fee to the ICO?
• Is it necessary in contracts to reproduce the text of (i) the new EU SCCs (DPAs and DTA), (ii) the old EU SCCs and (iii) the new UK SCCs? For ease of contracting, we were wondering if links or references to these transfer mechanism texts was sufficient?
• Do company emails need to include privacy policies?