Following the European Commission’s adequacy findings for the UK back in June, to a collective sigh of relief, there has been continued focus on cross-border data exports over the summer. On 11 August, the ICO launched a public consultation on key aspects of the post-Brexit international transfer regime under the UK GDPR.
The consultation covers proposals for:
- Updated ICO guidance on international transfers.
- Transfer risk assessments (TRAs), including a new TRA tool.
- A new international data transfer agreement (IDTA) to replace the European Commission’s standard contractual clauses.
The consultation remains open until 5:00pm on 7 October 2021. For a detailed discussion on the ICO’s proposals, see Article, ICO consultation on international data transfers: what to do now.
Meanwhile, DCMS has launched a consultation on potentially far-reaching reforms to the UK’s data protection regime. Details of the reforms are set out in the accompanying document Data: A new direction and include data adequacy partnerships, an International Data Transfers Export Council and an enhanced role for the Information Commissioner.
The reforms are part of the government’s National Data Strategy and aim to shape a new data protection regime that will maintain high standards of data protection and public trust, without unnecessary burdens for business or barriers to innovation and international data transfers.
The consultation will close at 11:45pm on 19 November 2021. For more information, see Legal update, UK launches post-Brexit global data plans.
Looking back: Summer 2021
In addition to the ICO and DCMS consultations outlined above, there have been a number of other key developments over the summer.
- On 15 July, the ICO published a blog on what’s next for its accountability framework. The accountability framework is designed as a practical tool to help organisations understand what good accountability looks like. It also includes an accountability self-assessment tool.
- On 20 July, the ICO published a blog announcing that it has published an AI and data protection toolkit to help organisations using AI to process personal data lawfully.
- On 22 July, the Centre for Data Ethics and Innovation announced in a blog that it had published its first report on data intermediaries, “Unlocking the value of data: Exploring the role of data intermediaries”.
- On 28 July, the ICO’s Head of Regulatory Strategy, Michael Murray, blogged on the actions required of organisations to help ensure compliance with the best interests of the child, detrimental use of children’s data and data minimisation standards in the Age Appropriate Design Code (Children’s Code).
- On 30 July, the High Court considered whether misuse of private information, breach of confidence and the tort of negligence can be cited as causes of action in a claim for compensation for distress relating to a cyber-security breach.
- On 4 August, the ICO published new guidance on direct marketing and the public sector. The guidance is designed to assist public sector organisations in understanding when direct marketing rules apply to their messages.
- On 19 August, the ICO approved the first three certification scheme criteria under the UK GDPR.
- On 10 September, MPs approved the appointment of John Edwards as the new Information Commissioner. Mr Edwards is currently the New Zealand Privacy Commissioner and will take up his new role after Elizabeth Denham’s tenure ends on 31 October.
Key dates: Autumn 2021
Key forthcoming dates include:
- 1 October. Closing date for comments on the European Data Protection Board’s (EDPB) draft Guidelines 04/2021 on codes of conduct as tools for transfers. (See more.)
- 7 October. Closing date for responses to ICO’s consultation on its updated guidance and draft international data transfer agreement for personal data transfers outside the UK. (See more.)
- 21 October. Closing date for responses to ICO’s call for views on data protection and employment practices guidance. (See more.)
- 19 November. Closing date for responses to DCMS consultation on government plans to reform the UK’s data protection laws. (See more.)
- 28 November. Closing date for responses to ICO consultation on the first draft chapter of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies. (See more.)
New Practical Law content
Over the course of the summer, Practical Law has published:
- Video, Changes to the UK’s data privacy regime post-Brexit transition period which provides an overview of the key changes to the UK’s data privacy regime post-Brexit transition period, including required changes to corporate governance structures, implications for international data transfers and the recent UK adequacy decisions.
- Video, Minimising data privacy risks as staff return to the office which looks at the types of data privacy and data security risks that employers should consider as employees return to work in the office or move to a hybrid working pattern as a result of the COVID-19 pandemic. It covers practical steps as employees return and the importance of having up-to-date policies and procedures for home working.
- Practice note, Information and cyber security risk (UK): compliance roadmap which gives an overview of information and cyber security risk in the UK and provides a detailed route-map to managing this risk by task, including links to related resources.
- Practice note, Data subject rights under UK GDPR: compliance roadmap which gives an overview of the risks associated with data subjects exercising their rights under the UK GDPR and provides a detailed route-map to managing the risk by task, including links to related resources.
- Practice note, Employee monitoring (UK): compliance roadmap which gives an overview of the risks associated with the monitoring of employees and provides a detailed route-map to managing the risk by task, including links to related resources.
- Practice note, Anonymisation and pseudonymisation under UK GDPR and DPA 2018 which gives an overview of anonymisation and pseudonymisation under the UK GDPR and the Data Protection Act 2018.
- Standard document, Record of processing activities under Article 30 UK GDPR (acting as controller) which is a record of processing activities required under Article 30 of the UK GDPR for use when acting as a controller.
- Standard document, Record of processing activities under Article 30 UK GDPR (acting as processor) which is a record of processing activities required under Article 30 of the UK GDPR for use when acting as a processor.
- Standard document, Data protection due diligence questionnaire which is a legal due diligence information request list to be used in connection with an asset or share purchase where the target company processes personal data.
- Standard document, Infographic: Do we need a DPIA? which provides a flowchart for deciding whether a data protection impact assessment (DPIA) is necessary.
- Article, Changing face of cyber insurance: the devil finds work for idle hands which explains the nature of cyber insurance and the impact of the COVID-19 pandemic on cyber risks to organisations.
- Article, Key Takeaways From the European Commission’s Article 28 Standard Contractual Clauses which discusses the background and key takeaways from the European Commission’s new standard contractual clauses (SCCs) between EEA-based controllers and processors under GDPR Article 28(7).
- Article, Data breach claims: encouraging news for data controllers and processors which reports on an important High Court decision that provides clarity on the scope of liability for companies faced with claims from data subjects whose data have been targeted by a cyber attack.
- Article, ICO consultation on international data transfers: what to do now which discusses the ICO consultation on international data transfers and sets out what to do now.
Featured Asks
Data subject access:
- Is there a definition of “intelligible” under the UK GDPR in relation to data subject access requests (DSARs)?
- Under the UK GDPR, is it possible for us to respond directly to a data subject in response to a DSAR or must we always liaise only with the third party appointed to act on their behalf?
- What should a controller do where it has requested clarification on a DSAR more than once and the data subject does not provide it?
- When responding to a DSAR, is there a cut-off point for the search where the controller has extended the timeframe for responding by an additional two months?
- As the legal representatives of a client, is it possible for us to send a DSAR response directly to the individual?
Miscellaneous:
- Could a processor negotiate with a controller to have the controller consult and agree with them before giving any notice of personal data breach?
- Does the frozen GDPR still apply to data collected before 1 January 2021 or is the frozen GDPR no longer relevant?
- Is there any guidance, case law or other reference which might support the view that gender identity is (or should be treated as) special category personal data?
- Can an employer provide privacy information in relation to the COVID-19 vaccination status of employees by way of a layered approach?
- Will a clause limiting a supplier’s liability in its terms and conditions also apply to its liability arising under related SCCs?
- Can joint controllers appoint a joint processor?
- Under the UK GDPR and PECR, could failure to obtain consent correctly by a controller result in damages being awarded to an individual and if so, is there any defence to such an action?