Data Protection – February 2019

three unlocked red lock icons and one locked lock icon in the middle Print publication


‘No deal’ Brexit guidance; latest from the ICO, including recent enforcement action; news from Europe; and more.Walker Morris risk series stamp

Latest ‘no deal’ Brexit guidance

  • On 6 February 2019, the government issued guidance on using personal data post-Brexit.
  • The Information Commissioner’s Office (ICO) published guidance for law enforcement authorities on preparing for data protection compliance in the event of a no deal Brexit.
  • Amendments were made to the relevant draft Brexit legislation to reflect arrangements made for personal data to continue to be transferred from the UK to US organisations participating in the Privacy Shield Framework, where the participating organisation’s privacy policy includes personal data transferred from the UK in its Privacy Shield commitments. UK companies will need to ensure that their US counterparts have made the necessary changes. Further details can be found in the ‘international data transfers’ section of the ICO’s no deal Brexit guidance and in the Privacy Shield and the UK FAQs section of the official Privacy Shield website.
  • The European Data Protection Board (EDPB) published information notes on data transfers under the General Data Protection Regulation (GDPR) in the event of a no deal Brexit and on Binding Corporate Rules (BCRs) for companies which have the ICO as their BCR Lead Supervisory Authority. Using BCRs is one of the ways in which personal data can be transferred to the UK from the European Economic Area.

More news from Europe…

  • Towards the end of January 2019, the Committee of the Council of Europe’s data protection treaty “Convention 108” published Guidelines on artificial intelligence and data protection. They contain: general guidance; guidance for developers, manufacturers and service providers; and guidance for legislators and policy makers. The UK was among the 21 states that signed up to a modernised version of Convention 108 – the only legally binding international agreement on data protection – on 10 October 2018.
  • On 6 February 2019, the European Commission presented a set of recommendations for the creation of a secure system that will enable citizens to access their electronic health files across EU Member States. See the press release for more details and a link through to a fact sheet.
  • The EDPB is consulting until 2 April 2019 on guidelines on codes of conduct and monitoring bodies under GDPR. See the relevant section of the ICO’s Guide to the GDPR for useful summary information on this topic.
  • The EDPB is also consulting until 29 March 2019 on Annex 2 to its guidelines on certification under GDPR (adopted on 23 January 2019). Annex 2 identifies topics that a data protection supervisory authority (such as the ICO) and the EDPB will consider and apply for the purpose of approval of certification criteria of a certification mechanism. See the relevant section of the ICO’s Guide to the GDPR for useful summary information on this topic. The ICO says that it has no plans to accredit certification bodies or carry out certification at this time.

…and back in the UK

  • The Phone-paid Services Authority, the UK regulator for content, goods and services charged to a phone bill, is consulting until 3 April 2019 on guidance on the retention of data.
  • On 13 February 2019, the Institute of Fundraising published a free guide for charities and fundraisers providing information on telephone fundraising. It includes guidance on data protection compliance, with helpful flowcharts and links to the relevant resources.

Latest from the ICO, including recent enforcement action

  • EU referendum campaign Leave.EU and Eldon Insurance were fined a total of £120,000 after they committed serious breaches of electronic marketing laws. The Information Commissioner said: “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened. We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information”.
  • A housing developer was fined after it ignored a data subject access request and failed to comply with an enforcement notice issued by the ICO.
  • A former senior local government officer, whose partner was applying for an administrative job at the council where he worked, was fined after he emailed the personal information of nine rival shortlisted candidates to his work address and to his partner’s Hotmail account.
  • The ICO reports that investigations into nuisance marketing have resulted in 16 company directors being banned from running a company for more than 100 years in total.
  • A recent ICO blog post explains to small businesses why they need to pay the data protection fee.
  • The ICO has made a short film setting out how organisations can benefit from its regulatory sandbox. See the blog post for details.
  • Finally, in another recent blog post, the ICO’s Executive Director for Technology Policy and Innovation talks about how technology has completely transformed the way advertising is bought, sold and delivered. He says that, in respect of adtech, the ICO is currently concentrating on programmatic advertising and real-time bidding. The three key areas of interest are: transparency and personal data; lawful basis for processing personal data; and security. A fact-finding forum will take place on 6 March 2019.