Photo of Philip Thomas

The European Commission (the “Commission”) announced its plans to open a public consultation on the new Standard Contractual Clauses (“SCCs”) in the fourth quarter of 2024. The new SCCs will address the scenario where the data importer (controller or processor) is based outside of the European Economic Area (“EEA”) but is directly subject to the

On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers.  The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a  transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs); the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” confirmed by the CJEU’s Schrems II judgement.

The ICO’s TRA offers an alternative approach to the  EDPB’s transfer impact assessments (TIA),  to assist data exporters with carrying out their analysis to check that that protections under the transfer tool are not undermined by the laws and practices of the recipient third country.Continue Reading ICO provides an alternative to the EDPB transfer impact assessment

On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022.  From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.Continue Reading UK Government grants South Korea a data adequacy status

Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.

The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.

In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions.Continue Reading New guidelines on personal data breach notifications

The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health.

In particular, the new guidance aims to:

  • Address the changes in data protection law,
  • Reflect the changes in the way that employers use technology and interact with staff, and
  • Meet the needs of people using the ICO’s guidance products.

To this end, the ICO has launched a public consultation to gather views on these and related subject areas.

The consultation

The ICO has prepared a survey for completion by those wishing to take part in the consultation. Contributions may be submitted by responding to an online survey or by completing and returning a word document by email or post.

The deadline for responding is midnight on Thursday 21 October 2021.Continue Reading The UK’s ICO launches public consultation on employment practices

As a result of the COVID-19 pandemic, many more organisations have moved their business operations online.  From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.

Ransom attacks are on the rise, with the ICO reporting an increase from 13 ransomware incidents per month to 42 at its 2021 conference. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.

According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.

In 2020 and so far this year in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune from such attacks and ransomware attacks are featured across all industries, including utilities, technology, logistics, transportation, finance and retail.Continue Reading Ransomware is on the rise – what to do if you are faced with a cyber attack

The European Commission is considering amending the existing rules for the financial sector regarding digital operational resilience, with a view to unifying and strengthening the legal framework in this area.

The proposed change to legislation would amend the existing Network and Information Security (NIS) Directive and create a new regulation on digital operational resilience, known

On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).

The current SCCs were adopted by the Commission before the GDPR came into force.  The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.

The main changes introduced by the draft SCCs are summarised below.Continue Reading European Commission releases draft updated standard contractual clauses

On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here).

Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between a controller and a processor (e.g. purpose and duration of processing, details of the measures used to ensure security of data) as well as the obligations that apply to the processor (e.g. processing only on the documented instructions of the controller, implementation of security measures, assistance).

The clauses offer a useful insight into the Commission’s expectations on data processing agreements, which should assist organisations with any review (and, if required, development) of their data processing agreement templates.Continue Reading European Commission publishes draft Article 28 clauses for consultation

All businesses are concerned with whether their revenue and custom will continue during a crisis.

When their services (more importantly those involving technology) depend on the use of third party suppliers, businesses should also think about their own ability to deliver.

Questions that business managers will be agonising over during a crisis include:

Will our