In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the UK-US ‘Data Bridge’, a proposed UK extension to the EU-US Data Privacy Framework. She also reviews why the ICO has fined two businesses for making unlawful marketing telephone calls, and considers the UK Government’s latest cyber security breaches survey.
We take a look at why this is important and the implications for both businesses and individuals.
Find out more below.
UK-US ‘Data Bridge’ agreed in principle
- On 8 June 2023 the UK Government confirmed it had reached a commitment in principle to establish a UK extension to the EU-US Data Privacy Framework.
- In 2021 the UK exported more than £79m* of data-enabled services to the US. The UK-US ‘Data Bridge’ would make it easier for British businesses to trade internationally by speeding up transfer processes, reducing costs and increasing opportunities.
- This commitment is part of a broader ‘Atlantic Declaration’ between the UK and the US that sets out an action plan for the two countries to cooperate on a number of issues.
- These include AI development, data flows, technology supply chains and research into new technologies.
- If it is finalised, the data bridge will allow organisations to transfer personal data that is subject to the UK GDPR to US organisations that participate in the scheme, without the need to rely on other data transfer safeguards (such as the International Data Transfer Agreement) or on derogations.
The UK already has a similar arrangement in place with the Republic of Korea, under which UK businesses can share personal data with Korean organisations without needing additional transfer safeguards.
Why it matters
- Generally, the UK GDPR prohibits the transfer of personal data outside the UK unless (i) the importing country has been found to provide an adequate level of data protection, (ii) appropriate safeguards are in place between the parties or (iii) one of a limited set of derogations applies to the transfer.
- A data bridge with the US would take effect as an ‘adequacy finding’ by the UK Government, allowing personal data to flow from the UK to US organisations that participate in the scheme without further safeguards. Note that adequacy would cover only participating organisations, not every recipient in the US.
- Finalising the data bridge is a key deliverable for UK-US data flows in 2023.
- Further technical work needs to be completed over the next few months before a formal decision can be made to establish the data bridge.
The Government’s article can be found at: *UK and US reach commitment in principle over ‘data bridge’ – GOV.UK (www.gov.uk)
The ICO fines two businesses for making unlawful marketing telephone calls
- The ICO has fined Ice Telecommunications £80,000 and UK Direct Business Solutions Ltd £100,000 for making a total of 480,000 unlawful marketing calls to businesses that had registered with the Telephone Preference Service (TPS).
- More than 120 complaints were received from recipients.
- The companies had also made repeat and persistent calls to some businesses, despite having been warned by the TPS.
- It is unlawful for organisations to make live marketing calls to any number registered with the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS), unless the subscriber has specifically told the caller that they consent to receive such calls.
- Even if a telephone number is in the public domain, this does not mean that marketers can use it freely.
Why it matters
- Before any live marketing calls are made, telephone numbers must be screened against the TPS and CTPS, i.e. the ‘do not call’ registers. Screening must be repeated against a current copy of the registers rather than done once, because numbers are added continually.
- The only exception is where the subscriber has specifically given consent to receive such calls from your organisation.
- Organisations must also check their own ‘do not contact’ (opt-out) list, because anyone who has told them they do not want to receive marketing calls must not be called, whether or not their number appears on the TPS or CTPS.
- The fines recently imposed by the ICO send a clear message to companies that if they break the law, action will be taken to protect the public and UK businesses.
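As an added illustration of the screening steps above (example code written for this edition, not anything published by the ICO, the TPS or Xcina), the following Python sketch normalises UK numbers to a single form and then applies the checks in the order the bullets describe: the organisation’s own opt-out list first, then the TPS and CTPS registers, with specific consent for the campaign in question overriding a register entry. The registers, opt-out list and per-campaign consent records are constructed in-memory sets for the example; a real system would load a licensed, regularly refreshed copy of the TPS/CTPS data and its own consent records instead.

```python
"""Screen a call list against TPS, CTPS and an internal opt-out list.

Added example for this newsletter; not code from the ICO, TPS or Xcina.
The registers, the opt-out list and the consent records below are
constructed sample data held in memory. A real system would load a
licensed, regularly refreshed copy of the TPS/CTPS data and its own
consent records instead.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample data, all keyed in E.164 form (+44...).
TPS_REGISTER: Set[str] = {"+447700900123", "+442079460321"}   # individuals
CTPS_REGISTER: Set[str] = {"+442079460999"}                    # corporate lines
INTERNAL_OPT_OUT: Set[str] = {"+447700900456"}                 # told us "do not call"
# Consent recorded per campaign: number -> campaigns the subscriber agreed to.
CONSENT = {"+447700900123": {"renewal-2023"}}


def normalise_uk_number(raw: str) -> Optional[str]:
    """Return a UK number in E.164 form, or None if it cannot be parsed.

    '020 7946 0321', '02079460321' and '+44 20 7946 0321' all denote the
    same line, so they must all produce the same key before any lookup.
    """
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+44"):
        national = digits[3:]
    elif digits.startswith("0044"):
        national = digits[4:]
    elif digits.startswith("0"):
        national = digits[1:]
    else:
        return None
    # UK national significant numbers are 9 or 10 digits long.
    if not national.isdigit() or not 9 <= len(national) <= 10:
        return None
    return "+44" + national


@dataclass(frozen=True)
class Decision:
    number: str      # normalised number, or the raw input if unparseable
    allowed: bool
    reason: str


def screen(raw_number: str, campaign: str) -> Decision:
    """Decide whether a live marketing call may be placed for one campaign.

    Order of checks (assumed here, following the newsletter's bullets):
      1. our own do-not-contact list wins unconditionally;
      2. a TPS/CTPS entry blocks the call unless the subscriber gave
         specific consent for this campaign;
      3. unparseable numbers are never called.
    """
    number = normalise_uk_number(raw_number)
    if number is None:
        return Decision(raw_number, False, "unparseable number")
    if number in INTERNAL_OPT_OUT:
        return Decision(number, False, "on internal do-not-contact list")
    consented = campaign in CONSENT.get(number, set())
    if number in TPS_REGISTER or number in CTPS_REGISTER:
        register = "TPS" if number in TPS_REGISTER else "CTPS"
        if consented:
            return Decision(number, True, f"on {register} but consented to {campaign}")
        return Decision(number, False, f"registered with {register}, no consent")
    return Decision(number, True, "not on any register")


def screen_call_list(raw_numbers: Iterable[str],
                     campaign: str) -> Tuple[List[Decision], List[Decision]]:
    """Screen a whole list; returns (may_call, suppressed)."""
    decisions = [screen(n, campaign) for n in raw_numbers]
    return ([d for d in decisions if d.allowed],
            [d for d in decisions if not d.allowed])


if __name__ == "__main__":
    # Constructed call list in the mix of formats a CRM export tends to contain.
    sample = ["07700 900123", "020 7946 0321", "+44 7700 900456",
              "02079460999", "07700 900789", "12345"]
    may_call, suppressed = screen_call_list(sample, "renewal-2023")
    for d in may_call + suppressed:
        print(f"{d.number:>16}  {'CALL' if d.allowed else 'SUPPRESS':8}  {d.reason}")
```

Normalisation matters as much as the lookup: a screen that compares raw strings will happily call a registered number that was exported with different spacing or a +44 prefix. The precedence applied here (an objection made directly to you is never overridden, consent only lifts a register entry) is an assumption that mirrors the bullets above, and any number the parser cannot interpret is suppressed rather than called.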
The ICO has provided further information at
The ICO has also provided advice on direct marketing essentials for small organisations at SME web hub – advice for all small organisations | ICO
UK Government publishes its cybersecurity breach survey
- The Government has published the Cyber Security Breaches Survey 2023.
- The Government’s view is that most cyber threats are relatively unsophisticated, so basic cyber hygiene measures should be in place to prevent them.
- These measures include network firewalls, restricted administrative rights, strong passwords, cloud backups and malware protection.
- The survey has revealed that the use of password policies has dropped from 79% (2021) to 70% (2023), and the use of network firewalls has dropped from 78% (2021) to 66% (2023).
- It has also shown that the restriction of admin rights has dropped from 75% (2021) to 67% (2023), and the adoption of policies requiring security updates to be applied within 14 days has dropped from 43% (2021) to 31% (2023).
- Medium and large businesses are more likely to consider cyber security a high priority (91% of medium businesses and 96% of large businesses, compared with 71% of businesses overall).
- The same pattern was found for high-income charities (90% of those with an income of £500k or more, versus 62% of charities overall).
- Some sectors treat cyber security as a higher priority than others. For example, 73% of finance and insurance businesses treat cyber risk as a high priority, compared with 36% of all businesses.
- This research was carried out during a period of more difficult economic conditions than in earlier years. Smaller organisations in particular have faced rising costs and challenges due to high inflation, high energy prices and economic uncertainty.
Why it matters
- The results of the survey are concerning at a time when cybersecurity breaches remain a global threat.
- Just recently, the mass exploitation of a vulnerability in the MOVEit Transfer file-transfer tool affected a number of major organisations, including the BBC, Boots and British Airways, whose employee data was exposed through a third-party payroll provider.
- The survey shows that smaller organisations have not prioritised cyber security in the same way as larger organisations, probably because of rising costs and economic uncertainty.
- It also shows that, with the shift to home and hybrid working, the percentage of businesses that restrict access to business-owned devices has fallen greatly over the past four years. This is a concern, and the ICO has provided a security checklist for employers (see Working from home | ICO).
- The ICO has also provided guidance for individuals using their own devices for work purposes at
- The survey also highlights that many organisations do not have formal processes in place for responding to a cybersecurity incident.
- The Government has stated that the lack of policies and procedures is an area for ongoing improvement that the study will continue to monitor.
Full details of the survey can be found below