Navigating data protection can be unremittingly complex and challenging for subscribers. Data protection compliance frequently relies on interpreting non-explicit rules with limited detailed guidance available. The ambiguity on how to interpret the law can be the cause of much frustration for practitioners and lawyers alike.
Certain themes regularly feature across subscriber questions: applying exemptions, the age-old question of “When is an organisation a controller or a processor?” and, recently, the implications of using biometric data, which has become a hot topic.
The Information Commissioner’s Office’s (ICO) new data transfer clauses (released February 2022) have, predictably, made transfers the most prevalent subscriber issue. New requirements such as these typically entail significant investment by organisations for whom data transfers form an integral business practice. Implementation is further compounded by the need for transfer risk assessments.
Using standard contractual clauses
Standard Contractual Clauses (SCCs) are generally recognised as the most common data transfer tool. Organisations have been very receptive towards the ICO’s new set of SCCs, the International Data Transfer Agreement (IDTA) and the Addendum to the EU SCCs. However, executing the clauses has been difficult: business practice is yet to be established and the ICO’s clause-by-clause guidance has not been published. The IDTA and Addendum are both user friendly but, in the absence of regulator guidance, there have been numerous questions on execution, as illustrated by How should we complete Table 4 of the Addendum to the EU SCCs?, which relates to the allocation of termination rights to the data exporter and importer in the event the ICO makes changes to the Addendum. The answer is nuanced and depends on the risk and compliance implications for each of the parties.
Transfer risk assessments
Transfer risk assessments are required when relying on SCCs. The requirement is still relatively new. Subscribers often raise questions about how to carry out such an assessment, the risk factors to consider and the risk mitigation measures required, for example in Where an exporter is relying on an appropriate safeguard under Article 46 of the UK GDPR to transfer personal data to an importer located outside the UK, is there a view on what countries are high risk in terms of transfer risk assessments?.
Assessments are based on a broad spectrum of factors. Considerations include the:
- Legal framework in the importer’s country.
- Type of data and processing.
- Importer’s compliance capacity.
- Feasibility of instituting contractual, technical and organisational measures appropriate to the specific transfer.
Exemptions under the UK GDPR and DPA 2018
Applying exemptions can be tricky, often because there is no blanket approach: whether an exemption applies depends on the facts of the particular situation. The broad range of questions we receive on exemptions shows how diverse and difficult applying exemptions is in practice. For example:
- Do we still need to respond to a DSAR given that after redacting information about other individuals, the report is rendered nonsensical?
- To what extent does the legal proceedings exemption under the DPA 2018 apply to special category data and to what extent must we redact personal/special category data?
- In order to defend itself, the solicitor of a hospital accesses the medical records of a claimant without their consent. Can the hospital rely on an exemption under the DPA 2018 to access the claimant’s records?
When is an organisation a controller or processor?
This is a question which crops up time and time again. It may seem obvious but, in large supply chains involving multiple parties and providers offering a plethora of services, distinguishing roles and responsibilities for the processing of personal data can be a challenge (see Could an accountancy firm act as a processor in respect of certain client services or will they always be a controller?).
Classifying data as biometric data and processing biometric data has its own set of data protection challenges. If the data meets the definition of special category data, processing the data requires enhanced protective measures, for example a data protection impact assessment (DPIA). It is not always apparent that the data will be classified as special category data and, if it is, the scope of protective measures required (see Is a biometric passport special category personal data, for example where a company is using this for travel bookings? and My client is building an app which will build an avatar using facial features of an individual. Do you have any guidance as to what issues should be concerned including whether this would be considered to be biometric/sensitive personal data?).
UK government reform to amend or replace the UK GDPR and DPA 2018 is increasingly likely. Once finalised, these reforms will, no doubt, form the basis of many queries as subscribers look for guidance and practical know-how.