2022 promises plenty of new challenges as well as the need to tackle many old ones. To help you in the year ahead, we’ve provided a brief overview of five key issues to consider this year.
1. Data security – stay alert and train your staff
If asked to summarise data protection laws in four words, the response most likely would be “don’t lose the data!”. Of course, that’s an oversimplification but it highlights the centrality of data security.
Since May 2018 it has been obligatory to notify the UK regulator, the Information Commissioner’s Office (ICO), of a personal data breach unless the breach is unlikely to result in a risk to individuals, and to do so without undue delay and, where feasible, within 72 hours of becoming aware of it. You also have to tell the affected individuals if the breach is likely to result in a high risk to them.
Data security incidents are a major concern for those affected and a key area of action for the ICO – over 25,000 data breach incidents have been reported to them since 2019.
The breach does not have to be a sophisticated hack. Data emailed to the wrong recipient is the most common incident type reported to the ICO. Unthinkingly clicking on a link in an email can trigger a phishing or ransomware attack. In such cases, the incident is often down to simple human error.
While technical controls can help, many incidents reflect a lack of awareness of the risks on the part of employees. With many employees working away from the more controlled environment of the office, the risks increase.
When reporting a data breach to the ICO, one of the questions you must answer is when employee training was last carried out. Therefore, for 2022, it will be advisable to implement organisation-wide training (or refresher training) on good data protection practice and cyber risk awareness. There are excellent e-learning programmes where employees can undertake the training online and in their own time, and employers can maintain an audit trail of who has and has not completed the training.
2. International data transfers
The position on international data transfers remains highly complex as a result of the perfect storm of Brexit, the CJEU Schrems II decision in 2020, new EU Standard Contractual Clauses (SCCs) and a proposed new UK international data transfer agreement (IDTA).
So far as transfers from the UK are concerned, the ICO’s consultation on its draft IDTA and guidance, which is intended to replace Standard Contractual Clauses (SCCs) for transfers from the UK, closed on 11 October 2021. We expect to see the new IDTA coming onstream in 2022. The ICO has also proposed a practical solution that the EU SCCs could be used for transfers from the UK with a short Addendum.
There is likely to be a short grace period when we can continue to use the old SCCs for new agreements, and then a 24-month period in which all existing agreements will need to be upgraded to the new format.
In the meantime, so far as transfers from the UK to countries other than in the EU (or other countries with adequacy findings) are concerned, we can continue to use the old (but not the new) EU approved SCCs, although the ICO has issued an adapted version of the EU SCCs which can be used with updated post-Brexit references.
So far as transfers from the EEA are concerned, we must now use the new (but not the old) EU SCCs. Moreover, all existing agreements based on the old EU SCCs will need to be migrated to the new EU SCCs by the end of 2022.
So, at the moment, if you have transfers from both the UK and the EEA, then a different approach is needed for each.
But it is not enough simply to sign up the IDTA / SCCs. Following Schrems II, you also need to undertake a transfer risk assessment (TRA) and, as needed, implement supplemental measures.
In this respect, the ICO has provided a draft TRA Tool as a guide to the process. This can be a relatively complex exercise but the ICO TRA Tool provides practical support. As the ICO comments, “If you can show that you have used your best efforts in completing a TRA, whether or not you use this TRA Tool, if it later turns out that your decisions were not correct, we will take this into account in our likely approach to any breach of …UK GDPR”.
3. UK data protection reform
Now it is outside the EU, the UK is free to reshape its approach to data protection regulation. Unlocking the power of data is one of the government’s 10 Tech Priorities as set out in the National Data Strategy.
In September 2021 the government launched a consultation on reforms to build “a pro-growth and innovation-friendly regime that maintains its high data protection standards”.
The consultation closed on 19 November 2021 and the responses are being analysed. Key areas being considered include the following:
Recitals: The GDPR has 173 recitals that act as an explanatory or interpretative guide to the articles of the legislation. The recitals do not, however, form part of the main text in legal terms and their contents are not fully mirrored in the main body of the GDPR. Consequently, organisations can be reluctant to rely on the recitals which leads to ambiguity and potential confusion. To address this, the government proposes to transfer certain recitals into the articles of the legislation itself.
Consent: Uncertainty about when different lawful grounds for processing personal data should be used has led to an overreliance on seeking consent from individuals. This can lower protections for individuals, who suffer from ‘consent-fatigue’ in the face of a large volume of consent requests which they simply accept rather than take the time to assess the detailed privacy terms.
Legitimate interests: One factor driving over-reliance on consent is uncertainty about when it is possible to rely on the lawful ground of “legitimate interests”. The proposal therefore is to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without the need to apply a “legitimate interests assessment” balancing test.
Accountability Framework: The government proposes to remove a number of the components of the accountability framework, including the requirement to appoint a data protection officer, conduct data protection impact assessments, and maintain records of processing. In its place would be a more flexible and risk-based accountability framework, under which organisations would be required to implement a “privacy management programme” tailored to their processing activities and ensure data privacy management is embraced holistically rather than just as a ‘box-ticking’ exercise.
Data breach reporting: Currently an organisation must inform the ICO of a data breach ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’. This is leading to over-reporting which is costly in terms of time, effort and money for organisations as well as causing a significant workload for the ICO. The government is considering changing the threshold for reporting so that organisations must report a breach unless the risk to individuals is not material. The ICO would publish guidance on the types of incidents that would meet this threshold.
Subject Access Requests (DSAR): The government acknowledges that processing DSARs can be time-consuming and can take up significant resource. They also acknowledge that in many cases DSARs are used not wholly for privacy reasons but to circumvent disclosure protocols in the context of threatened or prospective litigation. To address this and to prevent organisations being overburdened by requests, the government is considering whether to (re-)introduce a fee for a DSAR, and also a cost ceiling allowing organisations either to refuse to deal with the request or to charge a fee for responding when the cost exceeds a certain limit.
Privacy and electronic communications: Under the proposal the enforcement regime of the Privacy and Electronic Communications Regulations (PECR) would be brought in line with that under the UK GDPR. This would allow the ICO to issue fines of up to £17.5 million or up to 4% of global turnover. At present, the maximum fine under PECR is £0.5m.
Anonymisation: The distinction between anonymised and pseudonymised data is important because it delimits the scope of data protection legislation. Pseudonymised data falls within the scope of data protection legislation, whereas anonymous data does not. Determining when data is truly anonymised is complex and, in the interests of certainty, the government is proposing to clarify the regulation on this.
International transfers: Standard Contractual Clauses (SCCs) are likely to continue to be available but must be flexible and straightforward to implement. The government is also looking to improve the design of alternative data transfer mechanisms.
One issue with making changes that depart from the EU GDPR is that it puts at risk the EU adequacy decision that allows data to flow from the EU to the UK following Brexit.
The government believes that this can reasonably be maintained on the basis that data adequacy does not mean verbatim equivalence of laws; a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law. However, this will ultimately be for the EU to decide.
The object of reducing the burden of regulation will be welcomed by businesses. But for international organisations operating in the UK and EU having to comply with both EU GDPR and UK data protection laws, rather than reducing it, the proposed reforms are likely to create additional complexity.
4. COVID status checks
Ahead of the introduction of mandatory vaccination and COVID status checks in Scotland and Wales, the ICO has made it clear that data protection law does not stand in the way.
Instead, it allows for responsible sharing of personal data where it is necessary to protect public health. Workplaces and venues that implement COVID status checks must ensure compliance with data protection principles, including transparency, fairness, data minimisation and storage limitation, and take a ‘data protection by design’ approach when planning the scheme.
If you are only conducting a visual check of someone’s COVID status (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, data protection laws will not apply. However, if you are (for example) scanning a QR code displayed on a pass, this would constitute “processing” of personal data – even if you do not keep a record of it – and data protection laws will apply.
Remember that a person’s COVID status is “special category data”, as it is their private health information. This means that, in addition to an Article 6 lawful basis, you need to be able to identify a condition for processing special category data under Article 9. The two you could consider are: the employment condition (for employees); or the public health condition (for visitors). “Consent” as a lawful basis is rarely appropriate in an employment setting given the imbalance of power between the employer and employee.
In terms of transparency, you must make sure that people understand why you need to collect this information, what you’re using it for, how long you will keep it, with whom you will share it and how you keep it secure. This means being able to give them a privacy notice setting out your policy.
If you record the information, you must ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect.
Before implementing COVID checks, it would be good practice to conduct a data protection impact assessment; if the checks involve large-scale processing of special category data, a DPIA is mandatory.
5. A new year, a new ICO
As of 4 January, John Edwards became the new UK Information Commissioner for a five-year term. Mr. Edwards spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.
Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.
One little-known fact: in 1986–1987 Mr. Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.