Law: Data Protection Act 2018 ('the Act') and the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Information Commissioner's Office ('ICO')

Summary: The UK data protection regime is governed by the Act together with the GDPR, which has been written into UK law and tailored to become the 'UK GDPR'. The European Commission has adopted two adequacy decisions for the UK, one under the GDPR (Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the Adequate Protection of Personal Data by the United Kingdom). The UK GDPR and the Act establish the ICO as the supervisory authority in the UK and detail its functions, including an obligation to prepare codes of practice. The ICO is a particularly active authority and regularly issues guidance on a wide range of topics.

Notably, on 2 February 2022, the Secretary of State laid before Parliament the International Data Transfer Agreement ('IDTA'), the international data transfer addendum to the European Commission's Standard Contractual Clauses ('SCCs') for international data transfers ('the Addendum') and a document setting out transitional provisions, following a consultation on the same in 2021. If no objections are raised, they will enter into force on 21 March 2022. Exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers, and these instruments will replace the current SCCs for international transfers. Furthermore, they take into account the binding judgment of the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').


Ben Dunham and Neil O'Sullivan, from Osborne Clarke LLP, delve into the intricacies of the Online Safety Bill (OSB), highlighting its potential impact on internet services. They explore the OSB's scope, user-generated content, enforcement powers, and more, emphasizing the critical steps providers must take to ensure compliance in this evolving regulatory landscape.

The last year has seen significant advances in the use of chatbots, exemplified by the ChatGPT service developed by OpenAI. The service is underpinned by both a language model and a knowledge base. The language model allows it to generate text by predicting which string of words is most likely to follow on from a user prompt. Peter Church, Counsel at Linklaters LLP, discusses how chatbots can be used, their relationship with legislation, and the issues both developers and users may encounter.

In March 2023, as the world's increasing attention to artificial intelligence (AI) reached unprecedented levels, the Information Commissioner's Office (ICO) updated its previous guidance on AI and data protection to focus on how the long-standing GDPR 'fairness principle' applies in this context. Eduardo Ustaran, Partner at Hogan Lovells, discusses the ICO's guidance, taking a closer look at how fairness can be placed at the center of responsible AI.

On March 8, 2023, the UK Government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament, alongside various statements about what the new law would achieve. In its press release of the same date, the Government advertised the Bill as a simplified framework that will "not be costly to implement," will "reduce the amount of paperwork," and provide "businesses with more flexibility," all while ensuring the regime "maintains data adequacy with the EU."

Can the Bill deliver on its lofty ambitions? Natalie Farmer, Director and Foreign Legal Consultant at Fieldfisher (Silicon Valley) LLP, scrutinizes the impact of some of the Government's core, pro-business changes.

Deepfakes are fake videos or images. There is a blurred line between old photoshopped images and deepfakes; if there is a distinction, it may be that deepfakes are created using artificial intelligence (AI). The term is often used to describe images where the likeness of one person is imposed on a film or photograph of another person. It is also used more generally to describe images of real people created by AI. Finally, some images of totally fake people are termed 'deepfakes.'

In this Insight article, Giles Parsons, Loren Hogetts, and Richard Nicholas, from Browne Jacobson LLP, lay out some of the current key issues as of April 2023.

Part one of this Insight series analyses the core considerations for HR professionals wishing to process personal data lawfully under the General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and its UK equivalent, the UK General Data Protection Regulation ('UK GDPR') (together 'the GDPR').

In part two, Geraldine Scali and Jack Dunn, from Bryan Cave Leighton Paisner LLP, focus on how UK GDPR compliance impacts HR departments in rolling out new systems and initiatives. In particular, this Insight highlights the UK data privacy issues arising in the context of measuring and monitoring diversity and inclusion, and conducting employee monitoring at work.

Headlined by the recently established Department of Science Innovation and Technology ('DSIT') as a bill capable of saving British businesses billions, £4.7bn to be precise, the second version of the Data Protection and Digital Information (No. 2) Bill ('DPDI No. 2') was introduced into Parliament on 8 March 2023. Joanne Bone, Partner at Irwin Mitchell LLP, explores some of the provisions of the DPDI No. 2, such as changes to legitimate interests, cookies, and record-keeping requirements.

Immature, prone to bias, and at risk of discriminating against data subjects: according to the Information Commissioner's Office ('ICO'), all these descriptors could apply to emergent biometric technologies. Kelly Hagedorn and Anna O'Kelly, from Orrick, Herrington & Sutcliffe (UK) LLP, explore the ICO's perspective on biometric technologies, their potential, risks, and regulatory avenues for the future.

Artificial intelligence ('AI') is now all around us, but are there areas where we should limit if, and how, AI is used? The development of AI across sectors that require particularly high moral and ethical standards (such as healthcare, education, and defence) has led to important questions around AI ethics as a whole: how can machine learning be, and stay, transparent, fair, moral, and unbiased?

In this Insight article, Charlotte Kingman, Associate at Ashfords LLP, gives an overview of ethical challenges arising from the use of AI and highlights key considerations businesses should take into account for a responsible use of this technology.

Plans for reforming the UK's post-Brexit data protection framework have recommenced with the introduction of the Data Protection and Digital Information (No. 2) Bill ('the Bill'). At the same time, on 8 March 2023, the earlier Data Protection and Digital Information Bill ('Bill No. 1') of 18 July 2022 was withdrawn. In this Insight, OneTrust DataGuidance Research provides a snapshot of the Bill, along with details on some of the key provisions businesses should take into account.

The Information Commissioner's Office ('ICO') has updated its guidance on international data transfers, including the publication of a new transfer risk assessment ('TRA') tool, which it positions as 'an alternative approach' to the assessment methodology established by the European Data Protection Board ('EDPB') in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data ('the Recommendations'), which set out its methodology of 'transfer impact assessments' or 'TIAs'. Mark Webber, Managing Partner at Fieldfisher (Silicon Valley) LLP, provides insight into how the ICO's new TRA tool compares to the EDPB's TIA.

The processing of 'personal data' (i.e. 'any information relating to an identified or identifiable natural person', which may include information allowing for either direct or indirect identification) is fundamental to any organisation's human resources ('HR') function, whether in relation to workers (including, for instance, employees and contractors, whether current or former) or job applicants. As a result, organisations subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and/or its UK equivalent, the UK General Data Protection Regulation ('UK GDPR') (together 'the GDPR') must comply with a broad spectrum of data privacy rules in their day-to-day activities.

In part one of this Insight series, Geraldine Scali and Jack Dunn, from Bryan Cave Leighton Paisner LLP, elucidate the core data privacy law considerations for organisations seeking to conduct their HR function in a GDPR-compliant manner. Part two focuses on the top trends impacting HR departments in relation to data protection compliance.