• PL
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK

DWF Data Protection Insights July 2022

01 August 2022

Here is our round-up of the top data protection stories, together with practical advice on how to address the legal issues raised.  This month's big story is the introduction of the Data Protection and Digital Information Bill.

In this issue

Top stories

Governmental and Regulatory Activity:

Regulatory Enforcement and Litigation:

Top stories

Our next Tech and Data Leaders Forum webinar on 10th August at 2:00pm UK time will focus on the newly published Data Protection and Digital Information Bill and how the changes to UK data protection law could impact your business in the UK and internationally. We'll review the proposals in depth, and analyse the areas of risk and benefit. You can find out more and sign up for the webinar here

Earlier this month we published DWF Data In-Depth - 1: UK International Data Transfer Agreement and UK Addendum: An Analysis, which covers the data transfers regime applicable to UK regulated transfers of personal data. Click here to read the article – the first in our new series of DWF Data In-Depth articles.

Back to top >

Governmental and Regulatory Activity

UK and South Korea agree data adequacy agreement

On 5 July the UK government announced that it had reached a data adequacy agreement in principle with the Republic of Korea (South Korea). The European Commission has already granted South Korea an adequacy decision, but this does not apply to the UK, as it was made following the expiry of the post-Brexit transition period. UK organisations should wait for confirmation of the "adequacy regulation" from the Government before relying on this method of data transfer. 

DWF Solutions: If you would like any advice on the ever-changing requirements regarding international transfers of personal data (and how the new proposed laws would change this for the UK), please contact one of our data protection specialists.

ICO updates BCR process

The ICO has published updated guidance and forms for organisations seeking UK binding corporate rules (BCRs). BCRs provide a mechanism for multinational groups to make intra-group personal data transfers. The key changes are:

DWF Solutions: Applying for BCRs is fairly complex, but DWF's data protection team has experience of supporting our clients through the process. Please contact one of our specialists on this topic (James Drury-Smith, Tughan Thuraisingam, JP Buckley or Gerard Karp) if you would like advice on whether BCRs are appropriate for your organisation and/or you would like us to manage the application process. There are other, simpler, alternatives too such as our popular Intra-Group Data Transfer Agreement. 

Information Commissioner announces new approach to working with public authorities

The Information Commissioner has published a letter inviting senior leaders in the public sector to proactively engage with the Information Commissioner's Office (ICO) as part of the ICO's revised approach to working more effectively with public authorities. The key points are as follows:

The future of AI in the UK: The government proposals for regulating AI to be the next area of divergence from the EU

The UK Government has released a policy paper that confirms the UK will not follow the EU's proposed approach to regulating AI, instead a lighter-touch 'pro-innovation' approach is proposed that is industry-agnostic, but with the overlay of sector-specific guidelines. Find out more in our article here

DWF Solutions: Please contact Shervin Nahid or any member of our team for further details or to discuss your AI approach.

Information Commissioner speaks at DPPC2022

On 19 July, members of DWF's Data Protection and Cyber Security team attended the ICO's annual Data Protection Practitioners' Conference (DPPC). Shervin Nahid shared on LinkedIn his views on the speech given by the new Information Commissioner John Edwards:

"Interesting perspective from the Information Commissioner, John Edwards this morning at the DPPC2022. It's not all about fines, there are other enforcement tools that can be just as impactful.

When asked whether the number of fines will increase during John's tenure as the Commissioner, Mr Edwards' response was that the ICO are enforcing every day and are using a wide range of regulatory tools to ensure proportionate approaches to enforcement are taken. However, it cannot be said that this will necessarily result in an increase in fines.

Mr Edwards provided an example from the public sector: public authorities may not respond to fines in the same way private sector businesses might, as it is unlikely to affect wages or bonuses, etc. Therefore, in some cases it is more impactful to publicly call out the organisation and/or senior responsible individuals, which is likely to grab the attention of ministers and other key stakeholders, which has a greater deterrent effect.

To consider the matter more holistically, it is essential to not just look at a potential fine from the regulator as your core 'adverse scrutineer'. There are many other angles of scrutiny that your organisation may receive as part of data processing BAU. Taking one example, we are now seeing more and more organisations requiring third parties that they share personal data with to have good data protection compliance as a core part of doing business in a B2B context. Think about due diligence questionnaires (DDQs) and DPA negotiations and how you can prepare for these to make the process as efficient as possible."

You can read more about DPPC 2022 here.

DWF Solutions: We've developed a wide range of due diligence approaches and toolkits for acqusitions, post-merger integration and entering into supply chain data sharing (including DPAs – data processing agreements). Please contact one of our data privacy specialists if you're interested to learn more. 

ICO publishes new strategic plan

On 14 July the ICO published ICO25, its new strategic plan setting out the ICO's priorities, including:

It's clear we are going to see more regulatory change in the coming months – we'll share insights as we have them!

DWF Solutions: To help you assess your regulatory, cyber and practical data protection risks quickly and provide graphical, insightful reporting on key risks, we created DWF RAPID.  Organisations must consider their information, data and cyber security risk positions in order to be confident that they can resiliently deal with disruptive events when, not if, they occur. This tool is designed to help organisations on that journey. Please contact JP Buckley or Shervin Nahid if you'd like a free demo.

Back to top >

Regulatory Enforcement and Litigation

Behind the screens: ICO calls for review into use of private email and messaging apps within government

On 11 July the ICO published a report on its investigation into the use of private correspondence channels, including private email, WhatsApp and similar messaging apps, by ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic. The key points are:

While business use of messaging apps like WhatsApp has increased in the last two years, you must ensure that all such usage complies with data protection law. Your organisation should put in place information security and 'bring your own device' (BYOD) policies to ensure that your employees understand what they are permitted and not permitted to do.

DWF Solutions: we draft policies to deal with social media service use, as well as assist with data collation for data subject access requests which can extend into these services. We can also provide training to all staff remidning them of the consequences of "stream of consciousness" messaging conversations, and the risks for them and their organisation. Please contact one of our data privacy specialists for more details. 

ICO fines NHS Trust for incorrect use of bulk email

The ICO has fined an NHS Trust, which runs a gender identity clinic, £78,400 for sending an email to 1,781 patients, whose email addresses were entered in the "To" field instead of the "Bcc" field. The ICO found that special category data could be inferred, connecting the recipients with a provider of gender identity related services, so the data should have been treated with the utmost care and afforded an elevated level of protection.

The case provides a reminder of the risk associated with sending bulk emails, the importance of putting in place a procedure to ensure that recipients' email addresses are not shared and that all staff should be trained on how to follow this procedure.

DWF Solutions: we can cover this in memorable and insightful training to your organisation – please contact one of our data privacy specialists for more details.

Interim injunction granted to restrain disclosure of CCTV footage

The background to this case is that two parties were negotiating a Share Purchase Agreement under which one party would buy a company partly owned by an individual seller. During the negotiations, two representatives of the buyer attended an in-person meeting with the seller at the target company's offices. While the seller was away from the meeting room, the buyer's representatives had a private conversation about the negotiations, their strategy, plans for the future of the target company and their impressions of the seller. The seller claimed that he could hear what they were saying through the wall and sent the claimants text messages with a screenshot from the CCTV system of them having the conversation and threatened to disclose the information. The buyer's representatives brought claims for breach of confidence, misuse of private information and breach of the GDPR/UK GDPR, and were granted an interim non-disclosure order.

The High Court approved the order and held that the claimants were likely to succeed at trial. Regarding the GDPR claim, the court noted that the screenshot contained the buyer's representatives' personal data that had been compiled and retained without their consent or without the basis of any other legitimate interest of the seller. Although there was a CCTV warning saying "CCTV in operation", this would not assist in showing consent.

This decision provides a reminder that if individuals can be identified from CCTV footage, this is personal data which can only be used in accordance with data protection law, meaning that there must be a lawful basis for all uses made of it.

DWF Solutions: we can provide guidance, policies and training on appropriate CCTV use, sharing and retention. Please contact one of our data privacy specialists for more details.

Back to top >

For advice on any aspect of data protection law, please contact one of our privacy specialists.

Further Reading