Data Protection Insights December 2022

In this issue

Top stories

• The ICO issues new guidance on transfer risk assessments – in another development in one of the fastest moving areas in data protection, read our views on the ICO's approach to TRAs and what that means for your international data transfers.  You'll see also that the European Commission is moving towards an EU to US adequacy decision (again!) in our content below. 
• And as a bonus, read right to the end and see our Data Protection New Year's Resolutions! 

Governmental and Regulatory Activity 

• Cyber laws updated to boost UK's resilience against online attacks
• EU launches process towards EU to US adequacy decision 
• Deadline to update Standard Contractual Clauses
• ICO publishes new Artificial Intelligence guidance
• CCS publish Procurement Policy Note 03/22: Updated Guidance on Data Protection Legislation
• ICO and Ofcom strengthen partnership on online safety and data protection
• ICO releases updated direct marketing guidance
• ICO publishes Children's Code design tests

Regulatory Enforcement and Litigation

• Product Security and Telecommunications Infrastructure Act 2022
• UK data adequacy for the Republic of Korea
• ICO fines 5 businesses for making nearly 500,000 unlawful marketing calls

Our recommended data protection new year's resolutions for 2023

• Our top 5 resolutions for your organisation's actions in 2023. 

Top story

The ICO issues new guidance on transfer risk assessments for overseas data transfers 

The UK GDPR requires all restricted transfers (which are transfers of personal data to receivers located outside of the UK, and not exempt) to have an Article 46 transfer mechanism in place, such as the ICOs International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses or Binding Corporate Rules.

In order to rely on an Article 46 transfer mechanism, a transfer risk assessment (TRA) must be carried out. TRAs ensure adequate protection for data subjects where their personal data is transferred to an organisation outside of the UK, which may not be subject to the same level of regulation enforced by the UK GDPR.

The ICO's guidance sets out two ways in which organisations can conduct a TRA:

1. Using the ICO's TRA tool (which focuses more on the risks to data subject rights); or
2. Following the approach of the European Data Protection Board (which focuses more on comparing the safeguards provided by the UK and of the importing country)

When should you carry out a TRA?

A TRA needs to be conducted if you are making a restricted transfer and you wish to rely on an Article 46 transfer mechanism.

• If you are a data controller and your processor is making the restricted transfer - only the data processor needs to complete the TRA (although data controllers will need to still to carry out checks to satisfy themselves that the data processor's restricted transfer is compliant with the UK GDPR).
• If the receiver is sending the data to third parties – you must ensure that this is compliant with the Article 46 transfer mechanism being used.
• If you are making a series of connected, repeated or similar restricted transfers – you can either carry out a TRA for each restricted transfer, or one TRA that covers all of them.
• If your Article 46 transfer mechanism covers repeated restricted transfers or an ongoing flow of restricted transfers to your receiver – you must conduct a regular reassessment of the protection that the Article 46 transfer mechanism provides (as well as any extra steps and protections you took alongside it)

It is important that you ensure that the level of protection does not decrease over time, such as by regularly considering the potential for this to be undermined by changes to the processing by the receiver, changes in legislation in the destination country or technical developments making it easier to by-pass security arrangements.

DWF Solutions: to conduct a TRA, let us know and we'd be delighted to help.

Back to top >

Government and Regulatory Activity 

Cyber laws updated to boost UK's resilience against online attacks

Earlier this year, the Government launched a consultation on proposals for legislation to improve the UK's cyber resilience. In response, on 30 November 2022, the Department for Digital, Culture, Media and Sport confirmed that the Network and Information Systems (NIS) Regulations will be strengthened in order to provide better protection against the increasing threat of cyber attacks.

The NIS Regulations originally derived from the EU's NIS directive but since the UK's withdrawal from the European Union, the UK can now update these laws and tailor them to meet the UK's specific cyber security needs.

A summary of the changes that can be expected are:

• Managed service provider (MSP) software will be brought into scope of the regulations
• Essential and digital services will be required to improve their cyber incident reporting to regulators (such notification of incidents that disrupt or are at high risk of disrupting service)
• Establishment of a more transparent and broader cost recovery system for regulators
• The ICO will adopt a more risk-based approach to regulating digital services and will be able to consider how critical providers are to supporting the UK's resilience to cyber threats.

These changes form part of the Government's National Cyber Strategy, which was published on 15 December 2021 in which it has committed to spend £22 billion on research and development and to put technology at the forefront of their plans for national security. As part of its commitment to keeping the UK at the cutting edge on cyber, the Government will be investing £2.6 billion in cyber and legacy IT over the next 3 years, which includes a £114 million increase in the National Cyber Security Programme.

DWF Solutions: for a discussion about the work we're doing now to help clients with NIS, and to look forward to what is coming, get in touch!

EU launches process towards EU to US adequacy decision

Following earlier announcements in the year that the EU and US had agreed in principle to a data transfer regime, and President Biden's executive order in October, the European Commission has announced is now working towards issuing its adequacy decision for EU to US data transfers.  We've reported previously something similar is being undertaken for UK to US transfers.  One of the most common transfers, but seen by some as the most risky, these mechanisms being in place would significantly ease the burden of organisations sending data across the Atlantic. 

There are several steps in the process to follow, so we'll keep you posted on developments.

DWF Solutions: in the meantime, if you'd like our data transfer experts to review your transfers, let us know.

Deadline to update Standard Contractual Clauses

On 4 June 2021, the European Commission adopted two new sets of standard contractual clauses (new EU SCCs) – one for data transfers within European Economic Area (EEA) and another for data transfers to a country outside of the EEA – that must be used for transfers of personal data to third countries in accordance with the GDPR (EU GDPR), unless the processor benefits from an adequacy decision.

Following Brexit, the UK GDPR introduced two sets of standard data protection clauses that can be used as the 'appropriate mechanism' for restricted transfers to a country outside of the UK (unless the processor benefits from the UK's adequacy regulations) – the IDTA, or an International Data Transfer Addendum (Addendum) which allows you to rely on the new EU SCCs, though the Addendum would not otherwise by valid under UK GDPR by themselves, for your restricted transfer. The IDTA and Addendum came into force under the UK GDPR on 21 March 2022.

When is the deadline to update your SCCs?

If you entered into the old EU standard contractual clauses issued by the European Commission under the old Data Protection Directive, prior to 27 September 2021 (old EU SCCs)

• Under the UK GDPR only, the old EU SCCs remain valid for restricted transfers until 21 March 2024 (from this date, if your restricted transfers continue you need to enter into a new contract on the basis of the IDTA or Addendum (both of which would also require you to conduct a TRA), or find an alternative way to make the restricted transfer under the UK GDPR).
• Under the EU GDPR, for data transfer agreements that were based on the old EU SCCs and entered into before 27 September 2021, the deadline to switch to the new SCCs was 27 December 2022. This means that from 27 December 2022, the old EU SCCs can no longer be relied upon as a lawful basis to transfer personal data to third countries, regardless of when the agreement was entered into.

DWF Solutions: if you're needing to update your contracts or are receiving requests from organisations to do so, we can help.

ICO publishes new Artificial Intelligence guidance

The ICO has published its recommendations on the use of artificial intelligence (AI) in its new guidance, 'How to use AI and personal data appropriately and lawfully'.

What is AI?

There is no set definition of 'AI' however broadly speaking, it is an overarching term that refers to non-human technologies that are used to perform tasks that would otherwise require human intervention (for example the development of speech recognition software).

Top tips from the ICO

1. Take a risk-based approach when developing and deploying AI – consider whether using AI is necessary in the circumstances and the risks that may be associated with it (for example, consulting with those who may be affected and carrying out a data protection impact assessment)
2. Think about how you can explain the decisions made by your AI system to those affected by it – assess what level of detail your explanation needs to include based on the context
3. Collect only the data you need to develop your AI system and no more – bear in mind the UK GDPR principle of 'data minimisation'
4. Address risks of bias and discrimination at an early stage – ensure that your data is accurate, representative, reliable, relevant and up to date and assess the effects of the decisions made by the AI system are acceptable
5. Take time and dedicate resources to preparing the data appropriately
6. Ensure that your AI system is secure – UK GDPR requires security measures to be appropriate and proportionate to the risk associated with the activity
7. Ensure that any human review of decisions made by AI is meaningful – such as ensuring the human reviewer has sufficient training and have the authority to overrule an automated decision
8. Work with the external supplier to ensure your use of AI will be appropriate – developing an AI system will most likely mean that you are a data controller and consequently, you remain responsible for ensuring that it complies with data protection legislation.

CCS publish Procurement Policy Note 03/22: Updated Guidance on Data Protection Legislation

On 30 November 2022, the Crown Commercial Service (CCS) published Procurement Policy Note 03/22 (PPN 03/22) concerning updated data protection legislation. It replaces the previous PPN (PPN 02/18) to reflect the UK's withdrawal from the European Union.

The PPN 03/22 applies to all central government departments, their executive agencies and non-departmental public bodies, and includes:

• New Generic Standard UK GDPR Clauses – these should be included in all contracts that involve a substantial amount of personal data or are deemed high risk; and
• Guidance on Crown to Crown data agreements, non-compliance, liabilities and data processing outside of the UK.

ICO and Ofcom strengthen partnership on online safety and data protection

The ICO and Ofcom, co-founders of the Digital Regulation Cooperation Forum, have produced a joint statement confirming that they are strengthening their partnership in order to deliver the Government's 'manifesto commitment to make the UK the safest place in the world to be online whilst defending free expression'.

The Online Safety Bill (Bill) is still in its early parliamentary stages before it can be introduced as law. The Bill is expected to introduce stricter rules for organisations that host user-generated content and search engines to protect its users from harmful and illegal content, particularly relating to terrorism and child sexual exploitation and abuse. A failure to comply with the rules will require the platform to answer to the regulator and they could face fines of up to 10% of their revenues, or may even get blocked. For those platforms that are likely to be accessed by children and young people, they will have a duty to protect them from harmful material such as self-harm or eating disorder content. The ICO has also published design tests to help assess products or services, that are likely to be used by children or young people, on their compliance with the Children's Code.

The Bill still aims to protect the principle of 'freedom of expression' (Article 10 of the Human Rights Act 1998) as its focus is on ensuring that organisations have sufficient systems and processes in place to protect the safety of their online users.

In preparation of the Bill entering into force, which is not expected any time soon, the ICO and Ofcom aim to encourage online users to have confidence that their safety and privacy is protected when they are online, and to ensure the providers of online services can comply with their obligations without hindering the development of their business. In order to do this, they will be:

• Maximising coherence between each other's policies and regulatory requirements; and
• Promoting compliance by setting out clear expectations on how to meet the online safety and data protection requirements.

ICO releases updated direct marketing guidance

Under the Privacy and Electronic Communications Regulations 2003, live marketing calls to anyone who is registered with the Telephone Preference Service (TPS) is prohibited, unless they have informed that organisation that they do not object to receiving their calls.

In light of recent breaches, the ICO has published updated direct marketing guidance to help organisations manage their marketing activities. Their guidance includes the following steps:

1. Identify – identify whether your activity constitutes direct marketing (this is defined by the Data Protection Act 2018 as 'the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals')
2. Plan – plan how you will protect the personal data by thinking about the information that you want to use, the method of direct marketing you intend on using and the 'lawful basis' for doing so
3. Collect – collect the information fairly and clearly explain to people how you plan to use their information
4. Respect – respect people's right to object to or opt out of direct marketing at any time by providing them with an opportunity to do so

DWF Solutions: to discuss the compliance of your direct marketing approach, get in touch for our helpful analysis.

ICO publishes Children's Code design tests

As aforementioned, these design tests have been created to help assess products or services, that are likely to be used by children or young people, on their compliance with the Children's Code. The Children's Code is a Code of Practice that sets out how children should be protected when they are online. 

The ICO emphasises that their design tests are not an official assessment and should be used as a guide only. At present there are 4 design tests which are as follows:

• Find the best moments to engage children with privacy information
• Design meaningful carer-child interactions
• Protect children's privacy by default
• Meet children's needs as they change over time

Back to top >

Regulatory Enforcement and Litigation

Product Security and Telecommunications Infrastructure Act 2022

As part of the Queen's Speech in 2021, the Government announced its intentions to introduce a Product Security and Telecommunications Infrastructure Bill that would ensure that smart consumer products are secure against cyber attacks to protect individual privacy and security. This bill received Royal Assent on 6 December 2022 and amends the 2017 Electronic Communications Code.

The Act is split into 2 parts:

• Part 1 concerns the product security requirements to make these products more cyber-attack resistant; and
• Part 2 relates to the installation, expansion and use of telecommunications infrastructure

Part 1 of the Act largely remains unchanged. At present, the Secretary of State is yet to agree and introduce the relevant security standards which manufacturers, importers and distributors will need to comply with. So far, there has been no indication of when we can expect them to be introduced however, the explanatory note states that they will be intended to at least align with the following standards in the 2018 Code of Practice:

• Ban universal default passwords
• Implement a means to manage reports of vulnerabilities
• Provide transparency on for how long, at a minimum, the product will receive security updates.

UK data adequacy for the Republic of Korea

On 23 November 2022, the Department for Digital, Culture, Media and Sport laid adequacy regulations that determined that the Republic of Korea provides an adequate level of protection in respect of transfers of personal data under the UK GDPR. This means that personal data can flow freely between the UK and Republic of Korea without the need for a transfer mechanism to be in place.

ICO fines 5 businesses for making nearly 500,000 unlawful marketing calls

As we mentioned earlier in this article, it is illegal to make live marketing calls to anyone who is registered with the TPS unless they have told that organisation that they do not object to receiving calls from them.

The ICO has recently fined 5 companies were fined a total of £435,000 for making nearly half a million unlawful marketing calls in an attempt to get them to sign up for white goods insurance. The ICO's investigation found that in some cases, the companies deliberately targeted a specific demographic: including homeowners, those over 60 and those who had a landline. The investigation also found that pressure tactics had been used with a view to obtaining payment details from people. 

Back to top >

Our recommended data protection new year's resolutions for 2023

1. Dig in deep – the better and deeper your early analysis of data protection, marketing and cyber issues – the better your assessment of the risks and opportunities and the more time you have to deal with them. Spread this message around your organisation.
2. Prepare for more frequent cyber attacks – readiness is key, as well as intensive patch applications and threat monitoring. Role plays are just one way of doing that – ask us if you'd like one!
3. Keep track of law changes coming – we've not heard much about the UK's Data Protection and Digital Information Bill for a few weeks, but it looks like it will be coming back soon in some form or other, with potentially the significant direct marketing fines still in there. There are many other law changes to watch for too.
4. Assess your risk profile, and determine your preferred risk level. This is one of the questions I often ask when engaging with clients, as attempting to do everything will lead to the hamster wheel effect of BAU work and not strategically moving on to vital high level compliance matters. 
5. Peer review – take a step back and see how your peers do things. What do they do vs what do they say they do?  How does that change your view of your organisation?

Please contact us if you have any data protection issues or queries that you would like our advice on. You can read more about our team's extensive expertise here – Data Protection and Cyber Security.