UK’s ICO Releases Guide for Data Privacy Compliance

At the United Kingdom’s (UK) annual Data Protection Practitioners’ Conference last month, industry and regulatory leaders gathered to discuss pressing matters in data exchange and governance. Notably, discussions were held around the newly-introduced Data Protection and Digital Information Bill (DPDIB), and its potential for reforming the UK’s data protection regime.

The bill would be enforced by the Information Commissioner’s Office (ICO), which is the UK’s independent regulatory body. Under the Bill, the ICO would be granted extensive enforcement powers, with the ability to impose maximum fines at an increased rate after issuing the organization a notice of intent. Despite the ICO’s enforcement role, Edwards reiterated the need for privacy professionals and data protection experts in all organizations as “understanding not only what the law says, but also what that means in practice, and how it relates to your customers, staff and stakeholders, remains a specialist job.” This is why, according to Edwards, “the privacy professional is the eyes and ears of an organization in that respect.”

Purpose and Measures

According to a statement by newly appointed UK Information Commissioner John Edwards, DPDIB “reflects an understanding that there are areas of red tape for business that can be reduced, while acknowledging the value of protections that give people confidence to use the products and services that power the economy and society.”

The stated purpose of the 192-page bill is to establish procedures and parameters for:

• The processing of information related to “identified or identifiable living individuals”

• Services related to the use of information to “ascertain and verify facts about individuals”

• Accessing customer and business data

• Establishing and maintaining privacy in electronic communications

• The use of electronic signatures, seals, and other trust services

• Information disclosure for “public service” purposes

• The implementation of agreements governing information sharing with law enforcement

• The possession of birth and death registers

• Information utilized for health and social care

• Biometric data oversight

How DPDIB Can Facilitate Commissioner John Edwards

According to a statement by Matt Warman, the UK Parliament’s Minister for Media, Data and Digital Infrastructure, DPDIB’s effect will allow the UK to “realise the opportunities of responsible data use whilst maintaining the UK’s high data protection standards. The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”

DPDIB proposes that, where a UK organization is prompted to engage in a data transfer to third countries, the Secretary of State should enforce a standard of protection to the data from a recipient country that is “not materially lower than” the standard applied to data coming from a UK-based organization. As such, Warran is hopeful that the Bill will allow UK organizations to “strike partnerships with some of the world’s fastest growing economies” and “ensure that the mechanisms to transfer personal data internationally are secure and flexible to help British businesses grow.”

ICO’s Guide to Risk Assessments

To help Uk organizations achieve adequate data protection for seamless transfers to and from other countries, ICO has released a set of tools designed to guide organizations in analyzing the potential risk impact of international data transfers. These materials are further outlined in the ICO.25—a strategic plan ICO published last month—which sets four strategic enduring objectives: “safeguard and empower people; empower responsible innovation and sustainable economic growth; promote openness, transparency and accountability; and continuously develop the ICO’s culture, capability and capacity.”

ICO intends to achieve these goals by 2025, and will publish training materials for organizations to achieve internal data protection and greater transparency for consumers. The agency will also create a database on previously provided ICO guidance and templates for privacy compliance policies. ADCG will publish these materials as they become available.

* * * * * * *

To read our news alerts and breach report for the week of August 22, 2022 discussing: privacy experts voice concern over FTC’s data privacy agenda; States continue to push back on federal data privacy bill; and a study estimates improving privacy practices can drive up revenue,  click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

David Navetta, vice chair of Cooley LLP’s cyber/data/privacy practice and a prominent leader in privacy, information security and technology law also joins Jody Westby on our Privacy and Cybersecurity podcast released today to discuss the differences between cybersecurity governance and privacy governance, what are the critical activities in privacy governance, what actions are the hardest for organizations to implement, and how privacy governance will evolve in the future. Our Podcasts are released weekly (usually Thursdays and schedule permitting), here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!