Law: Data Protection Act 2018 ('the Act') and the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: The Information Commissioner's Office ('ICO')

Summary: The UK data protection regime is governed by the Act and by the GDPR, which has been written into UK law and tailored to become the 'UK GDPR'. The European Commission has adopted two adequacy decisions for the UK, one under the GDPR (Commission Implementing Decision of 28 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one under the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the Adequate Protection of Personal Data by the United Kingdom). The UK GDPR and the Act establish that the ICO is the supervisory authority in the UK and detail its functions, including an obligation to prepare codes of practice. The ICO is a particularly active authority and regularly issues guidance on a wide range of topics.

Notably, on 2 February 2022, the Secretary of State laid before Parliament the International Data Transfer Agreement ('IDTA'), the international data transfer addendum to the European Commission's Standard Contractual Clauses ('SCCs') for international data transfers ('the Addendum') and a document setting out transitional provisions, following a consultation on the same in 2021. If no objections are raised, they will enter into force on 21 March 2022. Exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers; these documents will replace the current SCCs for international transfers. Furthermore, they take into account the binding judgment of the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').


Part one of this Insight series analyses the core considerations for HR professionals wishing to process personal data lawfully under the General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and its UK equivalent, the UK General Data Protection Regulation ('UK GDPR') (together 'the GDPR').

In part two, Geraldine Scali and Jack Dunn, from Bryan Cave Leighton Paisner LLP, focus on how UK GDPR compliance impacts HR departments in rolling out new systems and initiatives. In particular, this Insight highlights the UK data privacy issues arising in the context of measuring and monitoring diversity and inclusion, and conducting employee monitoring at work.

Headlined by the recently established Department of Science Innovation and Technology ('DSIT') as a bill capable of saving British businesses billions, £4.7bn to be precise, the second version of the Data Protection and Digital Information (No. 2) Bill ('DPDI No. 2') was introduced into Parliament on 8 March 2023. Joanne Bone, Partner at Irwin Mitchell LLP, explores some of the provisions of the DPDI No. 2, such as changes to legitimate interests, cookies, and record keeping requirements.

Immature, prone to bias, and in danger of discriminating against data subjects: according to the Information Commissioner's Office ('ICO'), all these descriptors could apply to emergent biometric technologies. Kelly Hagedorn and Anna O'Kelly, from Orrick, Herrington & Sutcliffe (UK) LLP, explore the ICO's perspective on biometric technologies, their potential, risks, and regulatory avenues for the future.

Artificial intelligence ('AI') is now all around us, but are there areas where we should limit if, and how, AI is used? The development of AI across sectors that require particularly high moral and ethical standards (such as healthcare, education, and defence) has led to important questions around AI ethics as a whole: how can machine learning be, and stay, transparent, fair, moral, and unbiased?

In this Insight article, Charlotte Kingman, Associate at Ashfords LLP, gives an overview of ethical challenges arising from the use of AI and highlights key considerations businesses should take into account for a responsible use of this technology.

Plans for reforming the UK's post-Brexit data protection framework have recommenced with the introduction of the Data Protection and Digital Information (No. 2) Bill ('the Bill'). The earlier Data Protection and Digital Information Bill ('Bill No. 1') of 18 July 2022 was withdrawn at the same time, on 8 March 2023. In this Insight, OneTrust DataGuidance Research provides a snapshot of the Bill, along with details on some of the key provisions businesses should take into account.

The Information Commissioner's Office ('ICO') has updated its guidance on international data transfers, including the publication of a new transfer risk assessment ('TRA') tool, which it positions as 'an alternative approach' to the assessment methodology established by the European Data Protection Board ('EDPB') in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data ('the Recommendations'), which set out its methodology of 'transfer impact assessments' or 'TIAs'. Mark Webber, Managing Partner at Fieldfisher (Silicon Valley) LLP, provides insight into how the ICO's new TRA tool compares to the EDPB's TIA.

The processing of 'personal data' (i.e. 'any information relating to an identified or identifiable natural person', which may include information allowing for either direct or indirect identification) is fundamental to any organisation's human resources ('HR') function, whether in relation to workers (including, for instance, employees and contractors - whether current or former) or job applicants. As a result, organisations subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('EU GDPR') and/or its UK equivalent, the UK General Data Protection Regulation ('UK GDPR') (together 'the GDPR') must comply with a broad spectrum of data privacy rules in their day to day activities.

In part one of this Insight series, Geraldine Scali and Jack Dunn, from Bryan Cave Leighton Paisner LLP, elucidate the core data privacy law considerations for organisations seeking to conduct their HR function in a GDPR-compliant manner. Part two focuses on the top trends impacting HR departments in relation to data protection compliance.

During the Conservative Party Conference 2022, the Department for Digital, Culture, Media and Sport ('DCMS') announced its plans to replace the UK General Data Protection Regulation (Regulation (EU) 2016/679) ('UK GDPR') with a new bespoke data protection regime built from scratch. Michelle Donelan, the Secretary of State for DCMS, announced that the planned bespoke regime is intended to further simplify the UK data protection regime, on the basis that the UK GDPR is 'limiting the potential' of UK businesses. It was also stated that the Government believes it can maintain data adequacy under a regime similar to those of Israel, Japan, South Korea, Canada, and New Zealand.

JP Buckley, Partner at DWF, will provide insight into the DCMS' announcement and analyse how those countries listed above achieve data adequacy.

As the global development of artificial intelligence ('AI') surges ahead, national approaches to its governance are taking shape. Central to the regulatory frameworks of the UK and EU is the need to ensure that AI systems comply with data privacy laws, given the extensive and potentially intrusive use of personal data involved in training and operating AI systems. The increasing complexity of these systems presents significant challenges for market participants seeking to operate in a UK GDPR and General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') compliant manner.

Geraldine Scali, Pierre-Emmanuel Froge, and Jack Dunn, from Bryan Cave Leighton Paisner LLP, compare the UK and EU proposals for regulating AI, which differ markedly in terms of their scope and approach, and also consider the steps that organisations deploying AI systems can take to ensure that these comply with the GDPR from the earliest stages.

In 2015, the UK Government enacted new modern slavery legislation in the form of the Modern Slavery Act 2015 ('the MSA'). Katherine Tyler, Legal Counsel at Kingsley Napley LLP, discusses offences under the MSA, breaks down the significance and challenges of the slavery and human trafficking statement, and gives an overview of possible next steps.

The introduction of the Data Protection and Digital Information Bill ('Bill 143') to the House of Commons on 18 July 2022 marks an important step towards achieving the planned reform of the UK's post-Brexit data protection framework, with many significant proposed changes for organisations to be aware of. In this Insight, OneTrust DataGuidance Research discusses Bill 143 and provides a snapshot of some of the key provisions to take into account.

The Biometrics and Surveillance Camera Commissioner ('BSCC'), Fraser Sampson, announced, on 11 February 2022, that the updated Surveillance Camera Code of Practice ('COP'), which was laid before Parliament on 16 November 2021 pursuant to Section 31(3) of the Protection of Freedoms Act 2012 ('PoFA'), came into force on 12 January 2022. More specifically, the BSCC stated that the COP was updated to provide guidance on the appropriate use of surveillance camera systems by local authorities and the police in light of the changes stemming from the Data Protection Act 2018 and the R (Bridges) v South Wales Police [2020] EWCA Civ 1058 judgment.

In this article, OneTrust DataGuidance Research breaks down the key points and scope of the COP, focusing on its impact and guiding principles.