A Look Back At The Past 100 Days In The Land Of Data Protection

By Myles Dacres

Way back in September the ICO issued its Accountability Framework and the age-appropriate design code of conduct took effect giving operators of information society services until September 2nd 2021 to ensure that their services complied with the 15 principles.  The Accountability Framework.  The ICO’s Regulatory Action Policy was published setting out its approach to determining how to levy fines.  This is a common theme right across the EU with supervisory authorities trying to establish some common basic principles and parameters.  The BA fine was ratified and drastically reduced from the initial estimate as was the Marriott fine.  Both organisations successfully lobbied for the fines to be reduced and succeeded.  Whilst they are still large fines, they pale into relative insignificance considering what they could have been and what we were told would be mega-fines prior to the GDPR taking effect.  Considering the damage and disruption caused by the Marriott breach, it’s a small price paid.  As was the Ticketmaster fine which affected a very large number of people in a material way and continued for several weeks despite customers, banks and others telling them that they had vulnerabilities on their website.

The ICO published a report on the use of personal data in political parties.  A large part of the report considered the role of data brokers and social media providers in providing information to augment what the data controllers knew about data subjects through analytics and modelling.  Plaid Cymru used publicly available census data to identify Welsh speakers so that they could target their campaigning activities at those individuals or demographic areas.  An enforcement notice was issued to Experian with a 2-year remediation window.  The impact of this may not only be felt in the credit referencing industry but also in the many other uses of Experian-supplied data.

A new Subject Access Request Code of Practice was issued by the ICO – a useful document but seemingly at odds with some rulings of the courts particularly in respect of the duty to perform a search for information requested.  This area is bound to be tested several times in the future to tease out exactly what a data controllers legal duty is in terms of proportionality: a concept not really fully recognised in the GDPR; recognised to some extent by the ICO, but recognised as a concept underpinning the law by the courts.

And finally, we come to international transfers.  Schrems, Safe Harbor and Privacy Shield are old hat now given the speed that data protection law and practice is evolving, The European Data Protection Board recently issued a paper setting out supplementary measures that should be implemented where a controller is relying on standard contractual clauses to ensure that sufficient safeguards are in and remain in place.  In addition to that, the European Commission issued new model standard contractual clauses (SCCs) for public consultation with a short consultation window that closes on 10th December.  It looks like the existing three model clauses are on their way out and a new set are on their way in.  Given that the UK seems unlikely to be granted adequacy by the European Commission, transfers from the EU to the UK from January 1st will be subject not only to the new SCCs but also to the supplementary measures.  It seems safe to assume that UK controllers will also have to implement the same arrangements for data transfers they make to the US and other non-“approved” territories.

It’s been a full-time job keeping up with developments these last few months – but of course, the real work is in checking how they affect your organisation and changing businesses practices to meet this revised regime.

What you need to do is:

  • Assess if you are affected by the AADCOP
  • Revise your SARs procedure and training to meet the new guidance
  • Check all your data sharing and disclosures to see how they may be affected by the change in international transfers
  • Check your sources of data to determine what you obtain from data brokers and credit reference agencies
  • Update your data protection compliance management record-keeping to fall in line with the accountability framework

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021