UK | DataGuidance

UK

Summary

Law: Data Protection Act 2018 ('the Act') and the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Information Commissioner's Office ('ICO')

Summary: The UK data protection regime is regulated by the Act and the GDPR has been written into UK law and tailored to become the 'UK GDPR.' The European Commission has adopted two adequacy decisions for the UK, one under the GDPR (Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the Adequate Protection of Personal Data by the United Kingdom). The UK GDPR and the Act establish that the ICO is the supervisory authority in the UK and detail its functions, including an obligation to prepare codes of practice. The ICO is a particularly active authority and regularly issues guidance on a wide range of topics.

Notably, on 2 February 2022, the Secretary of State laid before Parliament the International Data Transfer Agreement ('IDTA'), the international data transfer addendum to the European Commission's Standard Contractual Clauses ('SCCs') for international data transfers (Addendum) and a document setting out transitional provisions, following a consultation on the same in 2021. If no objections are raised, they will enter into force on 21 March 2022. Exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers and will replace the current SCCs for international transfers. Furthermore, they take into account the binding judgment of the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').

Browse more content in UK

All Guidance Notes

All News

All Insights

News

03 October 2023

UK: ICO publishes guidance on employment practices and data protection, focusing on monitoring workers

02 October 2023

UK: ICO launches public consultation on draft Data Protection Fining Guidance

02 October 2023

UK: ICO fines RHAP £65,000 for making over 15,000 unlawful marketing calls

29 September 2023

UK: ICO releases advice to assist organizations in handing personal data appropriately amid surge in data breaches affecting victims of domestic abuse

25 September 2023

UK: ICO fines House Hold Appliances 247 £55,000 for unsolicited direct marketing

25 September 2023

UK: ICO issues opinion on UK Government's assessment of adequacy for UK Extension to EU-US DPF

21 September 2023

International: DSIT announces UK-US Data Bridge effective October 12, 2023

21 September 2023

UK: ICO fines SGS Home Protect £70,000 for unlawful marketing calls

21 September 2023

UK: ICO fines F12 Management £200,000 for unsolicited direct marketing

21 September 2023

UK: Government publishes guidance on end-to-end encryption and child safety

21 September 2023

UK: ICO fines Cover Appliance £200,000 for unlawful marketing calls

20 September 2023

UK: DSIT announces new AI compliance advisory service

Insights

September 2023

UK: Online Safety Bill - who is in scope?

Ben Dunham and Neil O'Sullivan, from Osborne Clarke LLP, delve into the intricacies of the Online Safety Bill (OSB), highlighting its potential impact on internet services. They explore the OSB's scope, user-generated content, enforcement powers, and more, emphasizing the critical steps providers must take to ensure compliance in this evolving regulatory landscape.

September 2023

Europe: Chatbots and the GDPR – is the tension irreconcilable?

The last year has seen significant advances in the use of chatbots, exemplified by the ChatGPT service developed by OpenAI. The service is underpinned by both a language model and a knowledge base. The language model allows it to generate text by predicting which string of words is most likely to follow on from a user prompt. Peter Church, Counsel at Linklaters LLP, discusses how chatbots can be used, their relationship with legislation, and the issues both developers and users may encounter.

June 2023

UK: ICO's helping hand to AI

In March 2023, as the world's increasing attention to artificial intelligence (AI) reached unprecedented levels, the Information Commissioner's Office (ICO) updated its previous guidance on AI and data protection to focus on how the long-standing GDPR 'fairness principle' applies in this context. Eduardo Ustaran, Partner at Hogan Lovells, discusses the ICO's guidance, taking a closer look at how fairness can be placed at the center of responsible AI.

June 2023

UK: Can the new bill deliver on its promise of 'business-friendly' data protection regulation?

On March 8, 2023, the UK Government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament, alongside various statements about what the new law would achieve. In its press release of the same date, the Government advertised the Bill as a simplified framework that will "not be costly to implement," will "reduce the amount of paperwork," and provide "businesses with more flexibility," all while ensuring the regime "maintains data adequacy with the EU."

Can the Bill deliver on its lofty ambitions? Natalie Farmer, Director and Foreign Legal Consultant at Fieldfisher (Silicon Valley) LLP, scrutinizes the impact of some of the Government's core, pro-business changes.

May 2023

UK: Considering deepfakes from a data protection perspective

Deepfakes are fake videos or images. There is a blurred line between old photoshopped images and deepfakes; if there is a distinction, it may be that deepfakes are created using artificial intelligence (AI). The term is often used to describe images where the likeness of one person is imposed on a film or photograph of another person. It is also used more generally to describe images of real people created by AI. Finally, some images of totally fake people are termed 'deepfakes.'

In this Insight article, Giles Parsons, Loren Hogetts, and Richard Nicholas, from Browne Jacobson LLP, lay out some of the current key issues as of April 2023.

May 2023

UK: Unpacking HR and data protection considerations - Part two

Part one of this Insight series analyses the core considerations for HR professionals wishing to process personal data lawfully under the General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and its UK equivalent, the UK General Data Protection Regulation ('UK GDPR') (together 'the GDPR').

In part two, Geraldine Scali and Jack Dunn, from Bryan Cave Leighton Paisner LLP, focus on how UK GDPR compliance impacts HR departments in rolling out new systems and initiatives. In particular, this Insight highlights the UK data privacy issues arising in the context of measuring and monitoring diversity and inclusion, and conducting employee monitoring at work.

April 2023

UK: New year, new department, new bill

Headlined by the recently established Department of Science Innovation and Technology ('DSIT') as a bill capable of saving British businesses billions, £4.7bn to be precise, the second version of the Data Protection and Digital Information (No. 2) Bill ('DPDI No. 2') was introduced into Parliament on 8 March 2023. Joanne Bone, Partner at Irwin Mitchell LLP, explores some of the provisions of the DPDI No.2 , such as changes to legitimate interests, cookies, and record keeping requirements.

March 2023

UK: Biometric technologies - An early warning and picture of the way forwards from the ICO

Immature, prone to bias, and at danger of discriminating against data subjects: according to the Information Commissioner's Office ('ICO'), all these descriptors could apply to emergent biometric technologies. Kelly Hagedorn and Anna O'Kelly, from Orrick, Herrington & Sutcliffe (UK) LLP, explore the ICO's perspective on biometric technologies, their potential, risks, and regulatory avenues for the future.

March 2023

International: The importance of ethical AI - Are your systems biased?

Artificial intelligence ('AI') is now all around us, but are there areas where we should limit if, and how, AI is used? The development of AI across sectors that require particularly high moral and ethical standards (such as healthcare, education, and defence) has led to important questions around AI ethics as a whole: how can machine learning be, and stay, transparent, fair, moral, and unbiased?

In this Insight article, Charlotte Kingman, Associate at Ashfords LLP, gives an overview of ethical challenges arising from the use of AI and highlights key considerations businesses should take into account for a responsible use of this technology.

March 2023

UK: Overview of the Data Protection and Digital Information (No. 2) Bill

Plans for reforming the UK's post-Brexit data protection framework have recommenced with the introduction of the Data Protection and Digital Information (No. 2) Bill ('the Bill')¹. In particular, the Data Protection and Digital Information Bill ('Bill No. 1')² from 18 July 2022 was simultaneously withdrawn, on 8 March 2023. In this Insight, OneTrust DataGuidance Research provides a snapshot of the Bill, along with details on some of the key provisions businesses should to take into account.

February 2023

UK: ICO's TRA tool and guidance for international data transfers - How it compares to the EDPB's TIA

The Information Commissioner's Office ('ICO') has updated its guidance on international data transfers, including the publication of a new transfer risk assessment ('TRA') tool which it positions as 'an alternative approach'¹ to the assessment methodology established by the European Data Protection Board ('EDPB') in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data² ('the Recommendations'), which set out its methodology of 'transfer impact assessments' or 'TIAs'. Mark Webber, Managing Partner at Fieldfisher (Silicon Valley) LLP, provides insight into how the ICO's new TRA tool compares to the EDPB's TIA.

January 2023

UK: Unpacking HR and data protection considerations - Part one

The processing of 'personal data' (i.e. 'any information relating to an identified or identifiable natural person', which may include information allowing for either direct or indirect identification) is fundamental to any organisation's human resources ('HR') function, whether in relation to workers (including, for instance, employees and contractors - whether current or former) or job applicants. As a result, organisations subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and/or its UK equivalent, the UK General Data Protection Regulation ('UK GDPR') (together 'the GDPR') must comply with a broad spectrum of data privacy rules in their day to day activities.

In part one of this Insight series, Geraldine Scali and Jack Dunn, from Bryan Cave Leighton Paisner LLP, elucidate the core data privacy law considerations for organisations seeking to conduct their HR function in a GDPR-compliant manner. Part two focuses on the top trends impacting HR departments in relation to data protection compliance.

UK

Summary

Browse more content in UK

News

Insights

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us