2022 was a busy year in terms of data protection and we cannot see it slowing down anytime soon. 

The Information Commissioner’s Office (ICO) has been increasingly active, not just in terms of investigations into data protection related complaints and issues, but in terms of the publication of guidance and other documents. 

2022 also saw the appointment of the new Information Commissioner, John Edwards, who has big plans for the reform of data protection, international data transfers and online safety during his five-year term. 

We have also seen the publication of the International Data Transfer Agreement and Addendum to EU standard contractual clauses, before the Transatlantic Data Privacy Framework was announced after Schrems II rendered the EU-US privacy shield invalid. The Data Protection and Digital Information Bill (DPDI) was also introduced to parliament. The Department for Digital, Culture, Media & Sport (DCMS) also announced plans to replace the UK GDPR. Meanwhile, the ICO issued some of the biggest fines we have seen, including over 50 enforcement notices and fines over the year.

What does 2023 look like for data protection? 

It does not look like the changing landscape of data protection will slow down anytime soon. We expect to hear more this year on the proposed reforms under the Data Protection and Digital Information Bill (after its delay), and we should expect some big changes to current data protection legislation. We have put together a list of some of the changes to look out for:

1. Employee monitoring 

Some may recall we wrote about this back in September, after the ICO published its draft “Employment practices guidance”. The consultation closed on 20 January 2023 and now we are waiting for the outcome of this to be published. The updated guidance is expected to contain details on data relating to recruitment and employment records, with the aim of providing “practical guidance about monitoring workers in accordance with data protection legislation and to promote good practice”. It is the ICO’s first step in bringing the employment code of practice up to date with the UK data protection legislation. We hope this will bring clarification to employers, in particular in relation to what they can and cannot do, especially in this era of hybrid working.

2. Subject access requests 

The ICO have committed to helping people better understand their rights. This year we can expect to see the launch of a subject access request tool, to help people make a request, identify where to send their requests and explain what to expect in terms of the process and the information they receive. The ICO will also provide information to organisations on how to handle requests. Once this support and guidance is available, we expect the ICO to take a stronger stance on this and on failures to comply with SARs.

3. International data transfers 

As some may recall from our webinar on the “Changing Landscape of Data Protection”, given the proposed changes to the UK data protection legislation in the pipeline, there are concerns about whether the UK will be able to maintain adequacy with the EU. However, the DCMS has confirmed that maintaining adequacy is a priority for them this year to help provide more stability for data flows.

There have also been discussions with the DCMS regarding a UK-US adequacy agreement without jeopardising the UK-EU adequacy agreement. There are hopes that the EU-US privacy framework will be finalised by the middle of 2023, although Max Schrems suggested in October that the framework does not meet the requirements of EU law, which could, of course, lead to Schrems III.

International data transfers are currently complicated and, given how much data is shared with the US, any changes which make this easier would, in our view, be welcome.

4. EU Standard contractual clauses 

The new EU Standard Contractual Clauses were introduced in June 2021. Whilst they are more fit for purpose and easier to use than the old ones, they do not cover transfers from a data exporter (the data provider) to a data importer (the data receiver) who is covered by the GDPR. There is a chance that this could change this year, with the introduction of a new set of EU SCCs. This could lead to changes to the UK addendum being required (depending on how the changes to the EU SCCs are implemented), meaning we see the introduction of a separate addendum, or amendments to the addendum to cover this situation.

5. Ads and cookies 

If the DPDI bill goes ahead (see our comments above), we can expect to see changes to the rules on direct marketing and cookies. We might see an extension to the types of cookie that can be used without consent if they are considered low risk, as well as changes to what constitutes a strictly necessary cookie. There may also be an increase in limits for breaches of PECR, which will be made to match the UK GDPR. Again, this can be a complicated area, and therefore any changes to clarify this are likely to be welcomed, provided that they do not fundamentally undermine the protections of the UK GDPR and PECR.

6. The ICO 

Last year we saw an increase in fines issued by the ICO enforcing regulations; this is not expected to slow down in 2023. 

The ICO action plan, which runs from October 2022 to October 2023, makes it clear that they are continuing to focus on the Children’s Code and protecting the most vulnerable, and we can expect them to publish more templates and advice, which will be freely available on their website. This is with the aim of helping to reduce the burden and cost for businesses to remain compliant. The ICO are expected to produce their next annual report in July 2023, which will allow us to see how they are achieving their objectives.

What do I need to do? 

As can be seen from the above, we are expecting to see a raft of changes to data protection in 2023. It is therefore important that those responsible for data protection within an organisation stay up to date with changes and be aware of what is in the pipeline. 

The best way to do this is to join our Data Protection Hub, where you will receive the latest news, articles and invitations to our exclusive events. You can sign up by going to https://prettys.co.uk/join-data-protection-hub.

Expert
Emma Loveday-Hill
Partner
Matthew Cole
Partner
Maria Spencer
Solicitor
Bethan Moore
Data Protection Assistant