The summer is traditionally a slow time for new developments but 2022 has not played ball. In particular, the government’s proposed reforms of the UK data protection regime have moved a step closer to reality with the introduction of the Data Protection and Digital Information Bill to parliament.
The ICO also held its annual data protection practitioners conference (DPPC) which, among other things, provided us all with some valuable insights into the direction of travel at the ICO. The new Information Commissioner, John Edwards, spoke in some depth about his plans for the regulator. This is embodied in the draft three-year strategic plan, ICO25, which is open for public consultation closing on 22 September. See the recent blog post by Kate Partridge of Fieldfisher on what ICO25 means.
My colleague, Helen Padley, attended the DPPC and has also shared her key takeaways here on the in-house blog.
Developments over summer 2022
There have been several key data privacy developments over the summer that in-house counsel should be aware of:
- On 20 June, the government published the outcome of a consultation on proposals to standardise qualifications and certification within the cyber security profession to better support cyber resilience.
- On 28 June, the ICO released a report from the Global Privacy Assembly’s International Enforcement Working Group, which provides guidance for commercial organisations and individuals on how to prevent, detect and mitigate the risk of credential stuffing attacks.
- On 30 June, the European Data Protection Board published guidelines on certification as a tool for transfers adopted at its 66th Plenary session.
- On 5 July, the UK and South Korean governments reached agreement on a data adequacy decision in principle and the ICO and the South Korean Personal Information Protection Commission (PIPC) signed a Memorandum of Understanding on Cooperation in the Regulation of Laws Protecting Personal Data.
- On 8 July, the ICO and NCSC wrote to the Law Society to remind solicitors that they should not advise their clients to pay ransomware demands in the event of a cyber-attack and that the ICO will not take this into account as a mitigating factor when considering regulatory action.
- On 12 July, the EDPB issued Statement 02/2022 on personal data transfers to the Russian Federation.
- On 14 July, the Information Commissioner, Mr John Edwards, presented his vision for the ICO and launched the ICO25 plan, an ambitious draft three-year strategic plan, which is open for public consultation.
- On 18 July, the Data Protection and Digital Information Bill (Bill 143 2022-23) and Explanatory Notes (Bill 143 EN 2022-23) were introduced into Parliament.
- On 25 July, the ICO published updated guidance and revised application forms and tables to simplify the UK Binding Corporate Rules (UK BCRs) approval process for controllers and processors.
- On 1 August, the ECJ ruled that the disclosure of personal data that may indirectly disclose the sexual orientation of a natural person constitutes processing of special categories of personal data for the purpose of Article 9(1) of the EU GDPR.
- On 17 August, DCMS published a report setting out the experiences of a range of organisations who each suffered a serious cyber security attack within the last four years.
Key dates: autumn 2022
Key forthcoming dates include:
- 16 September. ICO consultation on two draft chapters in the new anonymisation and pseudonymisation guidance ends.
- 21 September. Deadline for entering into new standard contractual clauses (SCCs) on the basis of Transitional SCCs.
- 22 September. The consultation relating to the ICO’s draft three-year strategic plan, ICO25, closes.
- 30 September. Consultation on EDPB’s guidelines on certification as a tool for transfers closes.
New Practical Law content
Over the course of the summer, Practical Law has published:
- Blog post, UK data protection reform: winners, losers and what to watch discusses the DCMS consultation on reform of the UK’s data protection laws.
- Article, International employee DSARs: practical tips for UK employers provides guidance on handling employee data subject access requests, which have proven to be one of the most onerous areas of GDPR compliance to manage.
- Standard document, Cyber vulnerability handling process (VHP) (UK) documents how an organisation accepts, verifies, and handles potential cyber vulnerability reports regarding its current IT infrastructure, and products and services, if applicable.
- Practice note, Bug bounty and vulnerability disclosure programmes (UK) explains how to implement bug bounty and vulnerability disclosure programmes, including key concepts and legal considerations that may affect organisations and security researchers.
- Building a bug bounty and vulnerability disclosure programme (UK): checklist outlines key steps to take when considering or building a bug bounty and vulnerability disclosure programme.
- Practice note, Vulnerability management (UK) provides an overview of cyber vulnerability management programmes, how they work, and the key role they play in any organisation’s information security programme.
- Practice note, Cybersecurity jargon buster sets out a jargon buster to help you to understand some of the key terms used in the cybersecurity sphere and to explain common types of cybersecurity incidents, attack techniques and forensic terms.
- Blog post, ICO25: a plan for empowerment looks at the ICO’s plans for data protection regulation in the UK over the next three years, “ICO25”.
- Practice note, Processing personal data: applicability of EU GDPR and UK GDPR provides guidance on the personal data processing regimes in the UK and examines how they apply to controllers and processors established in the UK and the EU.
- Article, EU regulatory data framework: a new generation explores some key elements of the EU regulatory data framework and gives an overview of the main data-related requirements of each initiative.
Practical Law has also published a set of legislation trackers for selected UK and EU data protection legislative proposals and legislation in force:
- UK data protection legislation tracker
- EU data protection legislation tracker
- UK data protection legislation in force tracker
- EU data protection legislation in force tracker
Featured Asks
We have also published the following Asks:
- Do you have any precedent for a “data mapping exercise” which a start-up business can use to record all the personal data they process and how it flows through the business?
- Is a controller obliged to obtain a data subject’s consent in order to share details of their DSAR request for the purpose of obtaining legal advice?
- An employee is going to be based in Australia. What are the relevant data protection considerations?
- Can a company rely on legitimate interests for featuring an employee in its video content which is to be made publicly available in addition to relying on consent?
- What are categories of data subjects?
- Is a biometric passport special category personal data, for example where a company is using this for travel bookings?
- A UK-based processor is conducting data processing activities on behalf of a US-based customer who wants to vet the processor’s employees to determine their suitability. What data transfer arrangements should we put in place, including for any onward transfers by the US client?
- Can a debt recovery agency breach the UK GDPR by contacting a company director at his private home address?
- Could a charity extend its existing employee privacy policy to be applicable to volunteers or would it be required to produce a separate privacy policy for this group of individuals?
- If a company is part of a group and has a holding company, is it sufficient for the holding company to be registered with the Information Commissioner’s Office or does each legal entity need to have its own registration?
- If a shop collects personal data from its in-store customers, what are the data protection obligations under the UK GDPR? Specifically, how should in-store customers be provided with the information required under Article 13, UK GDPR?
- Can a company rely on the right to data portability to force a supplier to provide call recordings in a useable format?
- If an employee has two employment contracts with the same employer, would they transfer under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) where there is a relevant transfer applying to only one?
- Are the UK GDPR recitals legally binding or just a framework for guidance?
- Can we use the UK Addendum in conjunction with a specific set of EU SCCs?
- Do you have any examples of how to describe “processing activity” and “purpose” in the context of the Records of Processing Activities (Article 30) and Data Protection Impact Assessments?