Many observed International Data Privacy Day over the weekend, but the conversation does not stop there. This is a good time to reflect on the progress of the Data Protection and Digital Information Bill: will 2023 be the year that we see the announced reforms to UK data protection law? In other updates, the UK marks a key milestone since it left the European Union. In earlier blogs we wrote about AdTech, and we expect this technology to be scrutinised by regulators this year because of data privacy concerns. Lastly, the ICO ‘reprimand register’ is expected to grab attention, but what can we learn from it? In our latest edition of the ‘In Perspective’ blog from the Data Protection team, Jackie Barlow reviews the developments and explains why they matter.
The Data Protection and Digital Information Bill (DPDI Bill)
The Data Protection and Digital Information Bill was introduced as a result of the ‘Data: A New Direction’ consultation (in September 2021). The Bill was laid before Parliament in July 2022 and it proposed various amendments to several laws (UK GDPR, The Data Protection Act 2018 and The Privacy and Electronic Communications Regulations).
Much of the Bill expands on the UK’s existing data protection framework (based on EU GDPR) but it sets out some significant changes.
- The intention is to update and simplify the UK’s data protection framework and reduce burdens on organisations, promote innovation and reform the ICO.
- The Bill is also expected to get rid of ‘red tape’ and provide a more flexible environment while maintaining high data protection standards.
- Proposed amendments have included removing the need for a mandatory Data Protection Officer, changing records of processing activities obligations and changing requirements for data protection impact assessments.
- Greater flexibility is also proposed, such as making it easier to refuse to comply with subject access requests in certain circumstances and expanding the types of cookies where positive consent is not required.
In September 2022 the Bill’s progress was delayed by the Truss government to consider more wide-reaching reforms to UK GDPR.
Why it matters
The changes will be relevant for organisations in the UK as well as those outside the UK that offer goods or services to individuals in the UK or monitor their behaviour. The ICO’s aim is to reduce the burden or cost of compliance with the data protection laws and it intends to achieve this through a series of services, tools and initiatives so that organisations can benefit from the ICO’s advice and support when managing information risk.
It is important that the new regime meets the adequacy requirements of the EU and it is essential that personal data can continue to flow freely between the EU and the UK.
The Bill is expected to re-enter the legislative process in due course, once the Department for Digital, Culture, Media & Sport (DCMS) has had time to engage with businesses and civil society in relation to possible amendments.
The UK’s first adequacy decision is now in place with South Korea
Over a year has passed since we first wrote, in our earlier blog, about the UK announcing that South Korea would be a priority country for data adequacy. On 19 December 2022 the UK’s first adequacy decision, with South Korea, came into effect.
The UK GDPR sets out restrictions on transferring personal data outside the UK and any transfers need to have adequate ‘safeguards’ in place.
The UK considers that South Korea can provide an adequate level of data protection, and intends to progress more agreements with third countries so that transfers of data across borders will become much easier.
Why it matters
Personal data can flow freely between the two countries, and it marks the first step from the UK in making this type of formal arrangement with another country, since it left the EU.
Having an adequacy decision in place is the least burdensome option if the UK wishes to transfer personal data to a third country.
Organisations in the UK can now transfer personal data between the UK and South Korea without completing a transfer impact assessment and without a data transfer mechanism (as set out in Article 46 UK GDPR).
The Consumer sector – ‘Adtech’ and data security risks – Ransomware
Consumer businesses using ‘adtech’ (advertising technology) face many risks, but they are at particular risk from data security breaches and malicious attacks. See the case study on adtech company Criteo. ‘Adtech’ refers to technologies that connect advertisers with audiences. Adverts can take the form of banners on websites, paid-for searches or online video adverts.
In 2023 it is likely that ‘adtech’ will be scrutinised by regulators because of data privacy concerns. Ransomware attacks in particular have been on the increase in the last few years, and this is expected to continue in 2023, as recent cases show. Ransomware is a type of security breach in which malware (malicious software) is used to encrypt the victim’s electronic files. Usually the attack is accompanied by a ransom demand: in return for a payment, the attackers offer the key needed to decrypt the data. Sometimes, as well as holding the data to ransom, the attackers threaten to publish it online, which lets them demand two payments (known as ‘double extortion’ attacks).
Whether to pay? Many experts believe that paying a ransom encourages these types of attacks to continue and also provides funds to attackers.
‘Triple extortion’ attacks are also on the rise – as well as asking for a ransom and threatening to publish the data online, the attacker might target individuals or organisations whose data might have been compromised.
Why it matters
The looming global economic recession is likely to increase the risk of a ransomware attack as financial hardship might lead to more hackers being hired who are willing to launch attacks for money.
So called ‘double extortion’ attacks are on the increase and it is expected that many ransomware attacks in 2023 will include the threat of a data leak. It is expected that as cybercriminals become more sophisticated, ‘triple extortion attacks’ might also rise.
Organisations need to be aware of these types of attacks and know how to prevent them. They need a plan in terms of what steps need to be taken in the event of an incident, including how to prevent the spread of ransomware, how to recover from backups and how to communicate with stakeholders. It is also important that cyber risk policies and procedures are regularly updated.
Organisations using ‘adtech’ must operate transparently and ensure they obtain consent where required. A ‘cookie audit’ is a key means of assessing which cookies and tracking technologies are being used on websites or platforms. Website and platform design should also be reviewed to ensure compliance with relevant laws, so that users are not manipulated into providing consent.
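As an added illustration of the ‘cookie audit’ mentioned above (example code written for this post, not a tool from the ICO or from the original article), the following Python script takes Set-Cookie headers captured from a site’s HTTP responses and reports, for each cookie, whether it was set by a first- or third-party host, whether it is a session or persistent cookie, and which hardening attributes (Secure, HttpOnly, SameSite) it lacks. The site name example.com, the responding hosts and the cookie values are constructed sample data. The rule that third-party or persistent cookies are flagged for consent review is a simplifying assumption: whether a cookie is ‘strictly necessary’ is a legal judgement the script does not attempt to make.

```python
"""Cookie audit helper: classify Set-Cookie headers captured from a site.

Added example, not code from the original article. Input is a list of
(responding_host, set_cookie_header) pairs as they would be collected
from the browser's network log or a proxy while crawling the site.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Constructed sample data: three responses seen while loading www.example.com.
SITE_DOMAIN = "example.com"
SAMPLE_RESPONSES = [
    ("www.example.com", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "prefs=dark; Path=/; Max-Age=31536000"),
    ("ads.tracker-example.net",
     "_tid=xyz; Domain=.tracker-example.net; Path=/; Max-Age=63072000; Secure; SameSite=None"),
]


@dataclass
class CookieFinding:
    name: str
    set_by: str            # host whose response carried the Set-Cookie header
    third_party: bool      # set by a host outside the audited site's domain
    persistent: bool       # has Max-Age/Expires, so it outlives the browser session
    issues: list = field(default_factory=list)  # missing hardening attributes

    @property
    def consent_review(self) -> bool:
        # Simplifying assumption: third-party or persistent cookies are the ones
        # most likely to need consent; the "strictly necessary" exemption is a
        # legal judgement that this script deliberately does not make.
        return self.third_party or self.persistent


def is_third_party(host: str, site_domain: str) -> bool:
    """True unless host is the site domain itself or a subdomain of it."""
    h, d = host.lower().rstrip("."), site_domain.lower().lstrip(".")
    return not (h == d or h.endswith("." + d))


def audit_cookies(site_domain, responses):
    """Parse each Set-Cookie header and return one CookieFinding per cookie."""
    findings = []
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)  # one header -> one cookie plus its attributes
        for name, morsel in jar.items():
            issues = []
            if not morsel["secure"]:
                issues.append("missing Secure")
            if not morsel["httponly"]:
                issues.append("missing HttpOnly")
            if not morsel["samesite"]:
                issues.append("missing SameSite")
            findings.append(CookieFinding(
                name=name,
                set_by=host,
                third_party=is_third_party(host, site_domain),
                persistent=bool(morsel["max-age"] or morsel["expires"]),
                issues=issues,
            ))
    return findings


def summarise(findings):
    """Counts a reviewer would put at the top of an audit report."""
    return {
        "total": len(findings),
        "third_party": sum(f.third_party for f in findings),
        "persistent": sum(f.persistent for f in findings),
        "consent_review": sum(f.consent_review for f in findings),
        "with_issues": sum(bool(f.issues) for f in findings),
    }


if __name__ == "__main__":
    results = audit_cookies(SITE_DOMAIN, SAMPLE_RESPONSES)
    for f in results:
        kind = "third-party" if f.third_party else "first-party"
        life = "persistent" if f.persistent else "session"
        flags = ", ".join(f.issues) or "no attribute issues"
        print(f"{f.name:<12} {f.set_by:<26} {kind:<12} {life:<11} {flags}")
    print(summarise(results))
```

Run against a real capture, the list of cookies flagged for consent review is the starting point for checking the consent banner, and the third-party column shows which tracking domains the site is handing data to; both are the questions a regulator reviewing adtech use will ask first.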
The ICO to routinely publish reprimands issued to organisations
The ICO will now routinely publish reprimands that it issues to organisations, and this will include reprimands issued from January 2022, unless there is a good reason not to (e.g. matters of national security or the risk of an ongoing investigation being threatened).
The ‘reprimand register’ will contain the formal reprimand letter sent by the ICO, the organisation’s name, details of the issue, the ICO’s views, details of the reprimand and recommended actions. Certain details will be redacted where appropriate. The ICO already publishes enforcement notices, fines and summaries of audit reports on its website.
The ICO knows that fines grab attention, but by publishing all reprimands issued, this will highlight that actions have been taken to raise data protection standards. The independent body for data protection wants organisations to learn from the reprimands issued and it believes that this will give businesses certainty about what is expected, to ensure preventative measures are taken. Organisations might also be required to report back to the ICO once they have taken steps needed to be compliant.
Reprimands have been issued for a variety of reasons but they usually relate to smaller data breaches or for non-compliance with data subjects’ rights. Often a formal reprimand does not make an organisation pay or take any action but it has a deterrent effect by highlighting a lack of compliance and will likely discourage other organisations from doing the same thing. Reprimands are frequently used against public sector organisations instead of penalties – usually where the ICO does not believe that penalties are useful as they take money from the ‘public purse’.
Why it matters
Until now, reprimands were confidential and not made public. The impact will vary from organisation to organisation.
- This may result in reputational damage.
- It may lead to compensation claims from individuals.
- Individuals might rely on a published reprimand as evidence of wrongdoing and the reprimand might also be reported in the media.
- An organisation might be served with a reprimand without any warning and without an effective route to challenge it.
The ICO’s article on this can be viewed at ‘Providing certainty on how we enforce the laws we regulate’.