On 19 December 2023, the Information Commissioner’s Office (ICO) published its updated guide on UK Binding Corporate Rules (BCRs), introducing the UK BCR Addendum for controllers and processors (the Addendum). It will enable organisations with existing EU BCRs to include data transfers from the UK.
The UK Information Commissioner’s Data Protection Practitioner’s Conference 2023 on Cybersecurity
On 3 October 2023, the UK Information Commissioner’s Office held its annual Data Protection Practitioner’s Conference 2023 (DPPC 2023). This year its focus was on cybersecurity, a topic that concerns organisations across the board. Here are the takeaways from the DPPC 2023 (the event sessions are available here).
Boosting digital resilience – The UK Information Commissioner and NCSC CEO sign Memorandum of Understanding
On 12 September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre (NCSC) signed a joint Memorandum of Understanding (MoU), which establishes how the NCSC and the Information Commissioner’s Office (ICO) will cooperate. The NCSC is the technical authority in the UK that provides standards and guidance to organisations on cyber security. The ICO is responsible for providing guidance on, and enforcement of, the data protection rules in the UK, including the obligation on organisations to apply security measures around personal data.
The Entangled Web of Deceptive Design: ICO and CMA Investigate Harmful Website Practices
On 9 August 2023, the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published a joint position paper on Harmful Design in Digital Markets (Harmful Designs Paper) that urges businesses to stop using harmful website designs that exploit customers by encouraging them to provide more personal data than necessary. The regulators are…
ICO enforcement actions in Q1 2022
In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions: 15 monetary penalties, ranging between £2k and £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last of these concerned a ransomware attack: although the controller was itself the victim of a malicious cybercrime, it was penalised for failing to address known vulnerabilities and to prevent the ransomware attack in time.
What does the ICO tell us about using data for research purposes?
The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.
ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET
On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
DCMS launches public consultation on reforms to the UK’s data protection regime
On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change.
The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its National Data Strategy, published in 2020: to secure a data regime that promotes growth and innovation for UK businesses, while also maintaining public trust.
The UK’s data protection regime has not received a substantive update since 2018 when the European Union’s General Data Protection Regulation (GDPR) took effect, alongside the introduction of the UK’s Data Protection Act 2018. The government’s National Data Strategy has suggested that the UK may start to move away from EU law when it comes to data protection.
According to the Secretary of State, the ultimate aim of the consultation is to ‘create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards’.
The ICO approves the first UK GDPR certification schemes
Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanisms for three UK GDPR certification schemes, in the following areas:
- IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies who provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
- Age assurance – Age Check Certification Scheme (ACCS) have developed this scheme which includes data protection criteria for organisations operating or using age assurance products. These allow organisations to estimate or verify a person’s age so that they can access age restricted products or services; and
- Age appropriate design, specifically children’s online privacy. Again developed by ACCS, this scheme provides criteria for the age appropriate design of information society services which are based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.
The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”.
The UK’s ICO launches public consultation on employment practices
The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health.
In particular, the new guidance aims to:
- Address the changes in data protection law,
- Reflect the changes in the way that employers use technology and interact with staff, and
- Meet the needs of people using the ICO’s guidance products.
To this end, the ICO has launched a public consultation to gather views on these and related subject areas.
The consultation
The ICO has prepared a survey for completion by those wishing to take part in the consultation. Contributions may be submitted by responding to an online survey or by completing and returning a Word document by email or post.
The deadline for responding is midnight on Thursday 21 October 2021.