Introduction
Ahead of its much-anticipated guidance on the UK International Data Transfer Agreement / Addendum (IDTA) (the United Kingdom’s version of the EU standard contractual clauses (EU SCCs)), the UK data protection regulator, the Information Commissioner’s Office (ICO), has revised its guidance on international transfers of personal data under the UK GDPR (Transfer Guidance).
Continue Reading UK Data Protection Regulator Updates its Guidance on Data Transfers
The United Kingdom and the United States joined forces last week in an initiative to combat ransomware attacks by sanctioning seven Russian nationals believed to be members of a hacking network. Together with U.S. authorities, the UK’s Foreign Office has reportedly identified the individuals in question, frozen their assets and imposed travel bans in respect of them.
Ransomware is a type of malware that typically renders systems or data inaccessible, often due to the encryption of files. Devices are often locked, and data may be leaked, in addition to being encrypted or deleted, unless and until the victim pays a “ransom” to the actors who deployed the ransomware in return for decryption.
International transfers of personal data under the UK GDPR are set to continue to be a key topic in 2023, in particular, regarding new UK adequacy regulations, transatlantic data flows, and updated guidance regarding the UK’s International Data Transfer Agreement (IDTA).
While 2022 saw the Department for Digital, Culture, Media & Sport (DCMS) and ICO comment on imminent updates on these issues, very little has actually materialised, leaving businesses and commentators alike hopeful that 2023 will be a year of increased certainty when undertaking restricted international transfers subject to the UK GDPR.
Continue Reading UK GDPR: What Will 2023 Hold for International Data Transfers?
2023 will bring with it updates and reforms in relation to data protection and cybersecurity in the UK. The proposed changes are expected to place tighter restrictions on digital content; increase protection around the internet of things and connected products; and, to the delight of some, lighten compliance burdens with respect to personal data. A few highlights to watch out for are set out below:
Continue Reading Incoming Privacy and Cybersecurity Developments in the UK
The UK Government’s vision for a post-Brexit data protection regime includes controversial changes to the remit and workings of the Information Commissioner’s Office. In a Privacy Laws & Business article on possible ICO reform, Edward Machin considers what its proposed structure, duties and powers means for the independence of the regulator and its standing on
On July 18, 2022, the UK Government introduced into Parliament the Data Protection and Digital Information Bill (the Data Reform Bill), which proposes legislation to reform the UK data protection regime. A recent article in Entertainment Law Review by Ropes & Gray attorneys Rohan Massey, Christopher Foo & Edward Machin analyzes the Data Reform Bill’s
Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.
Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 include security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover, however the offence is often coupled with other transgressions, which has led to fines over €20 million.
Continue Reading Data Protection: The Increasing GDPR/ UK GDPR Focus on Security
On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response, the UK government has signalled which of the proposals it will be proceeding with and are likely to appear in an upcoming Data Reform Bill.
Overall, these reforms do not overhaul the existing UK data protection compliance regime, which is derived from EU legislation such as the General Data Protection Regulation and ePrivacy Directive. Instead, the proposals are incremental and largely modify obligations that organizations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.
Continue Reading UK Government Publishes Its Response on the Reform of the UK Data Protection Regime
The UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).
The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.
Continue Reading UK Information Commissioner Launches Data Analytics Toolkit
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach