Data Protection – November/December 2019

Latest from the ICO, including guidance on special category data; cybersecurity update; and more.

The past couple of months have seen a flurry of activity from the ICO:

  • On 14 November 2019, detailed guidance was published on special category data under the General Data Protection Regulation (GDPR). The ICO expects data controllers to take all necessary precautions to protect this data. See the blog post with a link through to the guidance, which is aimed at Data Protection Officers and those with specific data protection responsibilities in larger organisations.
  • On 22 November 2019, the Information Commissioner submitted to government the final version of the Age Appropriate Design Code of Practice, dubbed the “Kids Code”. See the blog post for details. The code will need to be laid in Parliament before it takes effect.
  • The Information Commissioner invited views on her office being granted access to investigation and other associated powers under the Proceeds of Crime Act 2002.
  • According to the ICO, organisations are increasingly using artificial intelligence (AI) to support, or to make, decisions about individuals. It is consulting until 24 January 2020 on guidance which aims to give organisations practical advice to help explain the processes, services and decisions delivered or assisted by AI to the individuals affected by them. See the blog post for details.
  • On 3 December 2019, a campaign was launched to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. See the blog post for details.
  • The ICO is consulting until 12 February 2020 on draft guidance on the right of access, a fundamental right under GDPR. This new draft guidance explains in greater detail the rights that individuals have to access their personal data and the obligations on data controllers. It also explores the special rules involving certain categories of personal data, how to deal with requests involving the personal data of others, and the exemptions that are most likely to apply in practice when handling a request.
  • And finally, a data protection web hub has been launched for small and medium organisations and sole traders.

Cybersecurity update

The government issued a call for evidence as part of its Cyber Security Incentives and Regulation Review 2020. It says that it wants all organisations to be effectively managing their cyber risks, with the appropriate investments in place to improve their resilience. However, despite significant government and industry action over the course of the National Cyber Security Strategy, including the world-class guidance and support developed by the National Cyber Security Centre (NCSC), research shows that many businesses of all sizes are still failing to adequately protect themselves against cyber attacks and data breaches, with over a third of UK businesses suffering a cyber breach or attack in 2018. The government says that it needs to understand what more can be done to improve and incentivise investment in effective cyber risk management across the UK economy.

On 5 December 2019, the NCSC re-issued its advice on how to reduce the risk of becoming a victim of malware attacks. See the blog post.

Over in Europe

At its November 2019 plenary session, the European Data Protection Board (EDPB) adopted a final version of its guidelines on the territorial scope of GDPR. The guidelines seek to ensure a consistent application of GDPR across the EU when assessing whether particular processing by a data controller or processor falls within its scope. They stress that it is essential that controllers and processors, especially those offering goods and services internationally, undertake a careful and concrete assessment of their processing activities, in order to determine whether the related processing of personal data falls under the scope of GDPR. The guidelines also provide clarification on the process for designating a European representative under GDPR, and the representative’s responsibilities and obligations. The ICO’s Guide to the GDPR says that it will be providing guidance “later this year” on where the GDPR applies.

The EDPB is consulting until 16 January 2020 on guidelines on data protection by design and by default under GDPR. The proposed guidelines include practical guidance on how to effectively implement the key data protection principles which underpin GDPR, with a list of key design and default elements and examples for each one. The ICO’s Guide to the GDPR says that it will produce further guidance soon on how organisations can implement data protection by design.

Progress on moving forward with a new ePrivacy Regulation continues to stall in Europe, with the EU Council failing to come to an agreement on the latest compromise text. The purposes of the proposed legislation include enhancing security and confidentiality of communications, and defining clearer rules on tracking technologies such as cookies, as well as on spam. Walker Morris will continue to monitor and report on developments.

Other news

The Joint Committee on Human Rights reports “serious grounds for concern about the nature of the ‘consent’ people provide when giving over an extraordinary range of information about themselves, to be used for commercial gain by private companies”. See the press release with a link through to the report, ‘The Right to Privacy (Article 8) and the Digital Revolution’. The Committee is “deeply frustrated” that the government’s recently published Online Harms White Paper explicitly excludes the protection of people’s personal data. Its view, based on the evidence heard, is that “the consent model is broken. It puts too much onus on the individual to educate themselves on how the technology companies work rather than setting a high standard of protection by default”. The Committee’s conclusions and recommendations can be found on page 33 onwards.