Navigating data protection can be unremittingly complex and challenging for subscribers. Data protection compliance frequently relies on interpreting non-explicit rules with limited detailed guidance available. The ambiguity on how to interpret the law can be the cause of much frustration for practitioners and lawyers alike.
Certain themes regularly feature across subscriber questions; applying exemptions, the age-old question of “When is an organisation a controller or a processor?” and recently, the implications of using biometric data has been a hot topic.
The Information Commissioner’s Office (ICO) new data transfer clauses (released February 2022) have made transfers, predictably, the most prevalent subscriber issue. Typically, new requirements such as these can entail significant investment by organisations for whom data transfers form an integral business practice. Implementation of the requirements is further compounded by the need for transfer risk assessments.