Data Protection Officers Myth Buster

September 2024

Why we don't ALL need a DPO!

Most small organisations, and many medium-sized businesses, don’t have to appoint a Data Protection Officer. Appointing one is only a mandatory requirement under GDPR, and its British spin-off UK GDPR, if your organisation’s activities meet certain criteria.

However, this doesn’t mean you can’t voluntarily choose to appoint a DPO. It is worth bearing in mind that the role of a Data Protection Officer is clearly defined in law. EU/UK GDPR sets out the position of a DPO, the specific tasks they’re responsible for, and how the organisation has a duty to support the DPO in fulfilling their responsibilities.

The DPO Confusion!

I believe GDPR (perhaps inadvertently, through media coverage and elsewhere) created a degree of confusion about who needed a DPO and what the role actually entails. It led many businesses to voluntarily appoint one, thinking they really should. It led clients to include ‘do you have a DPO?’ in their due diligence questionnaires, and suppliers to think, ‘oh, we’d better have one.’

Some organisations understood the DPO requirements, others perhaps less so. Many will have correctly informed the ICO (or relevant EU data protection authority) who their DPO is, others won’t.

Some DPOs will be striving to fulfil their designated tasks, others won’t have the resources to do this, some may be blissfully unaware of the legal obligations the role carries with it.

When is it mandatory to have a DPO?

The law tells us you NEED to appoint a DPO if you’re a Controller or a Processor and the following apply:

  • you’re a public authority or body (except for courts acting in their judicial capacity); or
  • your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

This raises questions about what’s meant by ‘large-scale’ and what happens if you are found not to have appointed a DPO when you should have. The truth is many smaller businesses and not-for-profits don’t have to have one.

When it comes to interpreting ‘large-scale’, the European Data Protection Board Guidelines on Data Protection Officers provide some useful examples.

What are your options if you don’t fall under mandatory requirements?

The ICO tells us all organisations need to have ‘sufficient staff and resources to meet the organisation’s obligations under the GDPR’. So, if you assess that you don’t fall under the mandatory requirement, you have a choice:

  • voluntarily appoint a DPO, or
  • have a team or individual responsible for overseeing data protection, in a proportionate way based on the size of your organisation and the nature of the personal data you handle.

What is the ‘position’ of the DPO?

If you appoint a DPO, EU/UK GDPR tells us they must:

  • report directly to the highest level of management
  • be given the independence and autonomy to perform their tasks
  • be given sufficient resources to be able to perform their tasks
  • be an expert in data protection
  • be involved, in a timely manner, in all issues relating to data protection.

In short, not just anybody can be your DPO. They can be an internal or external appointment. In some cases a single DPO can be appointed to represent several organisations. They can perform other tasks, but there shouldn’t be a conflict of interests. For example, a Head of Marketing also being the DPO might be an obvious conflict.

A DPO must also be easily accessible, for individuals, employees and the ICO. Their contact details should be published (e.g. in your privacy notice; by the way, this doesn’t have to be their name) and the ICO should be informed who they are.

What tasks should a DPO fulfil?

The DPO role has a formal set of accountabilities and duties, laid down within the GDPR.

  • Duty to inform and advise the organisation and its employees about their obligations under GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations.
  • Duty to monitor the organisation’s compliance with the GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews & audits and raising awareness of data protection issues & concerns so they can be tackled effectively.
  • Duty to advise on, and to monitor data protection impact assessments (DPIAs).
  • Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO.

It’s also worth noting that if you don’t listen to the advice of your DPO, you should document why you didn’t follow up on their recommended actions. Also, a DPO cannot be dismissed or penalised for performing their duties.

Solving the GDPR puzzle

September 2024

Winston Churchill famously described Russian foreign policy as, ‘a riddle wrapped in a mystery inside an enigma.’

I’m sure those entrusted with data protection for their organisation may harbour similar thoughts about GDPR! Especially small-to-medium sized businesses and start-ups.

As a piece of legislation, UK GDPR has lots of moving parts. As a consultant dedicated to helping organisations understand data protection, here’s my round up of things we at DPN find most commonly misconstrued.

UK GDPR & Data Protection Act 2018

The UK GDPR and the Data Protection Act 2018 are not the same thing.

UK GDPR was implemented in 2020 and largely mirrors its EU namesake. Post-Brexit, the UK flavour of GDPR was created to make it fit for purpose in a UK-specific context. For example, removing all the bits which referenced ‘member state law’.

The Data Protection Act 2018 supplements UK GDPR. For example, it provides more detailed provisions in relation to special category data, child consent, the public interest lawful basis and individual privacy rights exemptions.

The DPA 2018 also includes distinct provisions for processing by law enforcement and intelligence services.

The Privacy and Electronic Communications Regulations (PECR)

It’s PECR not UK GDPR which sets out the rules for direct marketing by electronic means, and for cookies and similar technologies.

PECR has been around since 2003, and is derived from the EU ePrivacy Directive 2002. In 2011 there was a significant update to this piece of legislation with the so-called ‘cookie law’.

UK GDPR and PECR sit alongside each other. Organisations need to comply with both when personal data is collected and used for electronic marketing purposes, or collected and used via the deployment of cookies and similar technologies. See also: UK GDPR, marketing & cookies.

There’s further interplay. For example, when consent is required under PECR, the consent collected needs to meet the UK GDPR standard for valid consent. This means, to give one example, that the required consent for non-essential cookies must be ‘freely given, specific, informed and unambiguous’ and must be given by a ‘clear affirmative action by the data subject’. See also: Getting consent right.

Controller and processor

UK GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.

For example, a sole trader, a charity, a limited company, a PLC or a local authority can be a controller. An individual within an organisation such as a CEO or Data Protection Officer (more on DPOs in a bit) is not a controller – a point some companies get wrong in their privacy notice and internal data protection policies.

A controller decides how personal data is collected and used, and the organisation’s senior management is accountable. Furthermore, the controller decides which service providers (aka ‘suppliers’ / ‘vendors’) to use. Which brings me on to…

A processor, which means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

Routinely, processors will be companies which provide a service, and in providing this service handle their clients’ data. The key is that the processor won’t use this client data for their own business purposes.

To give some common examples of processors: outsourced payroll providers, external cloud services, marketing platforms, communications providers, website hosts, IT support services, software and application providers, and so much more.

Some organisations which primarily act as a processor (service provider) may also act as a controller for certain activities, for example, to handle their own employees’ personal data. See also: Controller or Processor – what are we?

Controller, processor and ‘sub processor’ contracts

A key change ushered in by GDPR was the concept of processor liability flowing right down the data supply chain. The law decrees there must be a contractual agreement between a controller and a processor, and gives very specific requirements for what this should cover. These are often found in a Data Processing Agreement (DPA), which may be an appendix or addendum to an existing or new contract.

The law aims to make sure individuals’ rights are protected at all times as data flows down and back up the supply chain. As well as a contract between a controller and processor, the processor should have similar contractual terms flowing down to other processors they engage to deliver their services, commonly known as sub-processors. For example, the obligation to keep the controller’s personal data secure at all times is a point which can often get overlooked. See also: Supplier contracts.

International data transfers include granting ‘access to’ personal data

(aka ‘restricted transfers’ or ‘cross border transfers’)

An international data transfer refers to the act of sending or transferring personal data from one country to another. Crucially this includes when an organisation makes personal data available or accessible to another entity (‘third party’) located in another country. In other words, the personal data can be accessed from overseas.

To give a couple of examples:

⚑ Your UK-based organisation engages a website hosting service based in the United States, which also provides support services. Employees of this service provider can access your customer data on the back end of your website.

⚑ Your UK-based organisation provides a payroll service to clients, and to provide this service you use a sub-contractor based in India. The sub-contractor can view your clients’ employee payment records.

In both of the above situations an international data transfer is taking place, and the law tells us specific safeguards are necessary. These rules exist because in the above two cases, customers and employees risk losing control of their personal data when it is ‘transferred’ outside the UK.

For more detail see our International Data Transfers Guide and the ICO International Data Transfer Guidance.

Consent should not be your default lawful basis

(aka ‘legal grounds’)

Under UK GDPR there are six lawful bases for processing personal data. No single lawful basis is ‘better’ or more important than another, and you must determine your lawful basis for each processing activity. Pick whichever one of the six is most appropriate to the activity.

Sometimes consent will be the most appropriate basis to rely on, but certainly not always, and consent should only be used when you can give people a genuine choice. See also: Quick guide to lawful bases.

A privacy notice is simply a notification, not something people have to agree to

(aka ‘privacy policy’)

People have a fundamental right to be informed and one of the main ways organisations can meet this is by publishing a privacy notice. All businesses need an external facing privacy notice if they’re collecting and handling people’s personal information. And despite a common misconception, this doesn’t just relate to data gathered via a website.

A privacy notice is a notification about ALL the different ways in which you’ll handle people’s personal details (your processing of ‘personal data’). It’s a method of providing necessary and legally mandated information. Although often still referred to as a ‘privacy policy’ it isn’t really policy (it’s a notification only) and isn’t something people should have to confirm they agree to. See also: Privacy Notices Quick Guide & ICO Right to be Informed Guidance.

Not every organisation must have a Data Protection Officer

Many small organisations, and many medium-sized businesses, don’t fall under the mandatory requirement to appoint a DPO. It’s only mandatory if your activities meet certain criteria:

✓ you’re a public authority or body (except for courts acting in their judicial capacity); or
✓ your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
✓ your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

It can sometimes be difficult to assess whether your organisation falls under the mandatory requirement or not. And of course it’s perfectly acceptable to voluntarily appoint one; a good DPO can be a huge benefit. But if you don’t appoint a DPO you’ll still need someone (or a team) who has responsibility for data protection.

It is worth bearing in mind the role of a Data Protection Officer is clearly defined in law. UK GDPR sets out the position of a DPO, specific tasks they’re responsible for, and how the organisation has a duty to support the DPO to fulfil their responsibilities. See also: DPO Myth Buster.

Not all Personal Data Breaches need to be reported

You’ve accidentally sent an email to the wrong person. This included limited personal information about someone else. You’ve apologised. The person you accidentally sent it to is a trusted person and has confirmed it’s been deleted. It’s unlikely this type of minor breach needs to be reported to the ICO.

When a personal data breach has occurred (or is suspected), it’s important to quickly establish the likelihood and severity of risk and potential harms to those affected. You only need to report a breach to the ICO if you assess the breach represents a risk to them. It can prove invaluable to have a clear methodology for assessing the risk posed. See also: Data Breach Guide.

The right of access (aka DSAR or SAR) is not a right to documentation

People have the right to submit a request to a controller asking for a copy of their personal data: a Data Subject Access Request. They can ask for ALL the personal data you hold about them. But this doesn’t mean the organisation is obliged to provide complete documents just because the individual’s name is referenced at some point. The same applies to emails. Requestees are not entitled to receive the full content of every email their name or email address appears in (unless all of the email content is personal data relating to them). See also: DSAR Guide.

Sensitive vs special category data

Certain types of personal data require higher levels of protection. Under the previous DPA 1998 the term ‘sensitive data’ was used, but under GDPR the revised term for this is ‘special categories of personal data’ commonly referred to as Special Category Data.

This includes (but isn’t limited to) racial or ethnic origin, biometrics, political opinions, sexual orientation and data concerning health or sex life. This doesn’t mean other types of data aren’t ‘sensitive’, and shouldn’t be handled securely – such as bank details, national insurance numbers, date of birth and so on.

It can be helpful to remember the root of special category data lies in human rights and data protection principles which emerged in Europe after World War Two, a war in which individuals were persecuted for their ethnic background, religious beliefs or indeed sexual orientation. See also: Understanding and handling special category data.

I’m going to finish off with another, but very different, quote. As Douglas Adams wrote in The Hitchhiker’s Guide to the Galaxy, ‘DON’T PANIC!’ There’s plenty of help available (this article, for starters 😉 ) and the ICO has published plenty of guidance, including a dedicated SME Hub.

AI in the workplace survey report

September 2024

Business grapple with AI governance

AI governance is described as being in its infancy by Data Protection Officers and those who work in data protection related roles. Many are concerned employees are using AI tools for work purposes without telling anyone. This is just one of a number of concerns DPOs have about AI use. Many organisations have yet to decide who should be responsible for governing AI and managing the potential risks.

These are just some of the findings of our 2024 AI in the Workplace Survey. Learn more in our survey report:


Meeting prospective clients’ due diligence demands

September 2024

Proving your data protection and information security credentials

Many businesses provide a service to other businesses, and once the pitch is done and you’re getting closer to signing that vital and lucrative contract, there can be a hurdle to overcome. Namely, meeting the client’s due diligence and supplier set up requirements.

For bigger well-known service providers this can be a breeze, but often small-to-medium sized organisations can find themselves grappling to prove their credentials. Requests can sometimes feel exasperatingly detailed, irrelevant or over-zealous.

Once you’ve got through the questions about sustainability, environmental impact, modern slavery, diversity, equality and inclusion, there will often be the need to answer questions about your approach to data protection and information security.

This will almost certainly be the case where your company’s services involve handling your prospective client’s personal data on their behalf. In data protection terminology, this is where the client is the ‘controller’ and your organisation will act as their ‘processor’.

It’s important this relationship is clear, as there are specific contractual requirements for controller-to-processor relationships under EU/UK GDPRs. Both parties need to meet their obligations. See also: Are we a controller or processor?

So how can you get ahead of the game and be well-prepared? I’ve put together some key questions you may need to cover off. Some of these points will need to be included in any Controller-Processor Data Processing Agreement.

1. Do you have a Data Protection Officer?

Not all businesses need to appoint a DPO (despite most questionnaires expecting you to). If you don’t have a DPO, you may need to explain who in the organisation is responsible for data protection, and may need to be ready to justify why you don’t need a DPO. See also: DPO Myth Buster.

2. Do you have a dedicated Information Security team?

As well as being able to provide details of where responsibility for information security rests within your organisation, you’re also likely to be required to provide details of the security measures and controls you have in place to protect client data. This could for example be restricted access controls, use of encryption or pseudonymisation, back-ups, and so on. You may be asked if you have any form of security certification or accreditation.

Note: For contractual terms, such as a Data Processing Agreement/Addendum it’s likely you’ll need to include a summary of your security measures.

3. What data protection related policies do you have?

The most common requirement is being able to demonstrate you have a Data Protection Policy. This would be an internal policy which sets out data protection requirements and your expectations and standards for your staff. A client could ask to see a copy of this. They might also ask if you have more detailed policies or procedures covering specific areas of data protection such as data retention, individual privacy rights and so on.

4. Where will your processing of client personal data take place?

Many clients will be looking to understand if an international data transfer (what’s known as a restricted transfer) will be taking place. Whether this is happening will be dependent on your client’s location and your own location – including the locations of any servers you’ll process client data on.

The client may want to confirm there are necessary ‘safeguards’ in place for any restricted transfers, to ensure such transfers meet legal requirements. Examples of these include an adequacy decision, Standard Contractual Clauses (with the UK Addendum if relevant) or a UK International Data Transfer Agreement. They may also ask you about Transfer Impact Assessments. See also: International Data Transfers Guide.

5. Do you sub-contract services to third-parties?

You need to be prepared to share details of any third-party companies you use to provide your services which involve handling, including having access to, your client’s personal data. These are referred to as ‘sub-processors’. The client will likely ask you to confirm in which country these sub-processors are based.

Note: International data transfers and working with sub-processors are key elements of the GDPR mandated contractual terms between a controller and processor.

6. What procedures do you have in place for handling a personal data breach?

You may be asked if you’ve suffered a data breach in recent years, and to provide details of your procedures for handling a data breach. We’d recommend all businesses have a data breach plan/procedure/playbook. If you’re acting as a processor for your client, you’ll need to inform them ‘without undue delay’ (often within 24 or 48 hours of becoming aware of the breach). Plus be ready to provide them with all relevant information about the incident rapidly, so they can assess their own data risks and report it to the relevant Data Protection Authority (such as the Information Commissioner’s Office) if appropriate.

7. Do you have a disaster recovery plan and backups?

The GDPR doesn’t detail specific requirements around resilience and disaster recovery; this will depend on the nature and sensitivity of the processing. But if you suffer a data breach (particularly a ransomware attack) you’ll want to make sure your systems have integrity and are fully operational again very quickly after the event. Your clients will expect this if their data could be affected, so expect to be asked tricky questions.

8. Do you have a Record of Processing Activities?

Organisations with more than 250 employees, or smaller organisations which handle large volumes of special category data or data related to criminal convictions are required under EU/UK GDPRs to have a Record of Processing Activities (RoPA). This requirement applies to both controllers and processors.

You may be asked to confirm you have a RoPA and might be asked more detailed questions about your record keeping. If you don’t fall under the RoPA requirement, you may still need to demonstrate a degree of record keeping relating to use of your client’s data.

9. Procedures for handling client individual privacy rights requests

If you are a processor, handling personal data on behalf of your client, it won’t be your responsibility to respond to privacy rights requests (such as Data Subject Access Requests or erasure requests). However, you may need to assist your client in fulfilling requests relating to the client data you hold. And if you receive a request relating to client data, this must be swiftly sent on to the client.

10. Privacy information

Don’t forget your Privacy Notice (aka Privacy Policy). Before a prospective client works with you, they may look at your website and take a peek at the privacy information you provide. If this is off the mark and fails to meet the key requirements, it could be a warning sign for them that you don’t take your data protection obligations seriously. See also: Privacy Notices Quick Guide.

The above is by no means an exhaustive list but should help you to be prepared for some of the key areas you may be questioned about.

At DPN, we often suggest processors prepare a factsheet or FAQ in advance of receiving these due diligence questionnaires. This can really help put your business on the front foot and demonstrate to your clients you’re on the ball for both data protection and information security. Crucially it speeds up the decision-making and onboarding process, as by being well prepared you no longer have to scrabble around at the last minute. So you can start work for your new client more quickly.

How to prevent DSAR complaint escalation

September 2024

Nearly forty thousand complaints were received by the Information Commissioner’s Office in the past year. Staggeringly, 39% of them concerned people’s Right of Access according to the ICO’s Annual Report 2023/24.

Handling Data Subject Access Requests (aka DSARs or SARs) can be fraught. Often those requesting a copy of their personal data are already disgruntled, be it an employee going through a grievance procedure or a dissatisfied customer.

This means requestees are often quick to react if the statutory deadline is missed. They may also closely scrutinise your response, looking for any mistakes or omissions. Or their solicitor will.

Any requestee has the potential to become dissatisfied and escalate matters to the ICO. More than a decade ago, I was handling a request and missed the deadline by 24 hours. Much to my frustration they’d already fired off their complaint to the ICO, and this was pre-GDPR!

I know of many businesses who’ve received letters from the ICO following a DSAR complaint. These will usually ask you to address the issues raised directly with the individual – and quickly! However, if your organisation racks up too many ICO complaints, the regulator is likely to delve deeper. This delving has led to a number of ICO DSAR-related reprimands being issued.

Most recently, the Labour Party has been in the spotlight for ‘repeatedly failing to respond to people who asked what personal information the party held on them’. A backlog of requests mounted up after a cyber attack in October 2021, with the ICO receiving 150 complaints. During its investigation, the ICO discovered 78% of people had not received a response within the maximum extended timescale of three months and more than half were delayed by over a year. They also found an unmonitored ‘privacy inbox’ was overflowing with hundreds of DSAR and erasure requests – none of which received any form of response whatsoever.

Hopefully most organisations will avoid such a catalogue of problems, but it’s still worth remembering certain factors can prompt a spike in DSAR requests. In this case a cyber attack, but a non-cyber data breach could also create a surge. Similarly, a business restructure might prompt a rise in employee-related requests. And let’s not forget the random factor – like Mr Farage’s very public DSARs to NatWest, which not only led to NatWest getting an increase in requests, but reportedly had a knock-on effect on other banks too.

Here are my tips for getting on the front foot and mitigating the risk of complaint escalation.

6 golden rules for managing DSARs

1. Staff awareness & a sense of urgency

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them (and other privacy rights, such as erasure), and know what to do if they receive or spot one. Failing to do so puts you on the back foot straight away.

Everyone needs to be aware time is of the essence, so training and clear guidance is essential. Refresh it too, with friendly reminders.

Quick checklist:

  • Individual privacy rights are covered in new starter and refresher training.
  • Ongoing awareness via posters, intranet posts, newsletters etc.
  • Specialist training for those involved in the process of fulfilling requests.

2. Robust procedure

A clear procedure which walks relevant staff through the key steps and considerations is invaluable, especially for times when key people aren’t available and someone else has to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on.

Without this, a lot of knowledge could walk out the door when a key person leaves the business or is not available in cases of long periods of absence like maternity or sickness leave.

3. Adequate resourcing

Businesses receiving a significant volume of requests are likely to have a dedicated person or team to handle them. They might also have sophisticated software to help speed up the process. But for those who have low or fluctuating volumes, it can be tricky to judge how many people need to understand the process and manage requests.

In my experience, often the one or two people who have to handle requests end up snowed under for weeks and completely distracted from their day jobs when a DSAR lands on their desk with an ominous thump.

What happens if your go-to DSAR person is not available? The clock is ticking. You also need to factor in how to handle any spike in requests – seen or unforeseen. Have you got other adequately trained staff, or alternative resources on standby to cover higher volumes?

There was a case in Belgium where the Data Protection Authority ruled the person who normally handled DSARs being on long-term absence was no excuse for a late response. I think the UK’s ICO would take a similar stance.

4. Assigned responsibilities

While one person or a team may have ultimate responsibility for managing DSARs and responding to them on time, it’s likely others across the business will need to support them. For example, your IT team may play a significant role in retrieving the data, or HR may need to be closely involved in an employee-related DSAR.

It helps to make sure it’s clear who’s responsible for retrieving the data, reviewing the data, applying exemptions, applying redactions, reviewing the response, approving it and sending it out securely.

5. Managing expectations and communicating

This is my personal favourite; quite often requestees don’t quite understand what a DSAR really entitles them to, so it pays to set out your stall from the start. Explain what the right is and what they can expect to receive. Tell them you have a duty to protect the privacy of others, that it’s not a right to documentation and that exemptions may apply.

Keep in touch with requestees, and dare I say it, even pick up the phone and talk things through. Confrontation can sometimes be defused – I’ve known of DSARs being withdrawn after a decent chat (and with no pressure whatsoever applied).

6. Polished response

A good covering letter can go a long way to satisfying the individual that you’ve made every effort to fulfil their request. This can for example explain:

  • The personal data being provided
  • Some of the internal processes (where appropriate)
  • Redactions have been applied to protect the privacy of others (if relevant)
  • Why an exemption has been applied (if relevant)
  • Legally necessary supplementary information (or a link to a Privacy Notice if this covers matters sufficiently)

The above is by no means an exhaustive list and I’m a big fan of a template response letter which can be adapted as needed.

Finally, don’t forget to inform people about their privacy rights such as the right to object, erasure, rectification and access. Privacy notices should set out these rights, and it should be clear how people can submit a request. And of course, tell them they have the right to raise a complaint with the ICO (with fingers firmly crossed they don’t).

Check out our DSAR Guide for more tips on seeking clarification, retrieving the data, complex requests and applying redactions.

Data Protection Impact Assessments Guide

August 2024

A quick guide to managing DPIAs

This short guide to Data Protection Impact Assessments covers what a DPIA is and when it’s mandatory to conduct one under UK GDPR and EU GDPR. It also includes helpful tips on how to manage the process.

DPIAs not only help to protect people’s data, they also help to protect the business.

Google abandons plans to phase out third-party cookies

In big news for both digital advertising and online privacy, Google has announced it won’t be phasing out third-party cookies.

Google had been working on ways to phase out third-party tracking cookies from its Chrome browser for four years. The idea was that instead of users’ personal data being shared with hundreds of third-party advertisers, Google would take control and do the tracking within the Chrome browser itself.

The so-called ‘Privacy Sandbox’ is Google’s initiative to develop technologies that protect privacy while also providing tools for digital businesses. But Google has faced numerous challenges in developing an acceptable alternative to third-party cookies which satisfies all parties involved. The advertising sector has been nervous about the effectiveness of the initiatives and their impact on campaign performance. On the other side of the equation, Data Protection Authorities have raised concerns around privacy and transparency. This very delicate balancing act now appears to have fallen from its tightrope!

Google has now decided to keep third-party cookies, but give users enhanced privacy options, which could apply across all their Google browsing. In all of this let’s also remember Safari and Firefox already block third-party cookies by default.

What does this mean for advertisers and publishers?

Over recent years, enlightened advertisers have been looking to diversify their activities to reduce reliance on third-party cookies. Related reading: Life after cookies.

Some advertisers may feel a sense of relief this long-running saga is over (for the time being), and revenue streams which were in question before this announcement now look healthier. But there may also be frustration at the time and effort spent looking for privacy-friendly advertising solutions with limited success.
The Privacy Sandbox will continue to evolve and given time may still yield more benefits for advertisers and publishers, as well as consumers and regulators.

Publishers may see changes in how they monetise their content with ads. The emphasis could shift towards leveraging first-party relationships and potentially new advertising models yet to emerge from Google’s Privacy Sandbox.

What does this mean for consumers?

Consumers are increasingly seeking control over their personal data and how they are tracked online. In our daily browsing we face a plethora of cookie banners of differing types – some far less clear and transparent than others.
Whilst there’s a genuine weariness with cookie banners, there’s also been an increase in users choosing to opt out of cookies used for tracking and ad targeting. We may be set for more of the same in the short term, although regulators may decide now is the time to start enforcing against non-compliant use of cookies.

Charles Ping, Managing Director, Europe at Winterberry Group says the road ahead is not straight-forward:

“Google’s decision to take a different path on the elimination of third-party cookies is an acknowledgment that this stuff is really hard. Making unilateral changes when you have Google’s level of market dominance will always create winners and losers, and the most recent CMA report demonstrated the journey set out in early 2020 had become a Sisyphean task.

However, the success of the mooted solution to give consumers choice, whilst delivering a degree of “cover” to Google that has been absent in recent times, won’t be plain sailing. We have learnt through many years of data collection statements and through the improving opt-in rates in the world of Apple’s App Tracking Transparency (ATT), that the type of questions asked and how they are actually presented will make a massive difference to the outcome. The devil, as always, is in the detail, but giving consumers choice is, in principle, a great move forward.”

Labour’s plans for data protection, cyber security and AI

July 2024

What we know so far about the Government’s agenda

Of the forty or so Bills announced in the Government’s first King’s Speech, some are specifically relevant for those working in the data protection, digital information and data security space. In a significant move, the Government has specifically appointed a Minister of State for Data Protection and Telecoms.

At this stage, the full scope of the Government’s plans is not known. However, the background briefing notes to the King’s Speech give us a little insight into what these Bills may cover.

Digital Information and Smart Data Bill (DISD)

Ready for a new acronym? The DISD Bill appears to resurrect some of the provisions in the previous Government’s Data Protection and Digital Information Bill (DPDI), which was abandoned when the snap election was called. But those hoping for significant reform of UK GDPR and less onerous data protection obligations may be disappointed. It looks like the Government will take a different approach, focusing on enabling data sharing with the aim of facilitating economic growth.

The background briefing paper says the Bill “will enable new innovative uses of data to be safely developed and deployed and will improve people’s lives by making public services work better by reforming data sharing and standards; help scientists and researchers make more life enhancing discoveries by improving our data laws; and ensure your data is well protected by giving the regulator (the ICO) new, stronger powers and a more modern structure”. The Bill looks likely to focus on:

Digital identity verification (aka digital ID cards) aimed at enabling people to use digital identities to ease processes such as moving house, buying age-restricted products and pre-employment checks.

‘Smart data’ measures designed to facilitate the ability to share personal data across platforms and with third parties. This is likely to expand on the success of Open Banking which allows customers to easily share their account information with third parties to facilitate payments.

ICO reform to introduce a national Information Commission and move away from having all powers and functions resting with one Commissioner, a move supported by John Edwards, the current Information Commissioner.

Consent provisions for scientific research to enable scientists to ask for broad consent for legitimate scientific research.

It will be interesting to see whether industry lobbying can influence the shape of this Bill. The Data & Marketing Association (DMA) is advocating for twelve reforms which it says will make a difference to businesses and charities. These include greater certainty around the use of the Legitimate Interests lawful basis, reducing bureaucracy for small businesses, reducing the consent requirements for non-intrusive cookies and extending the use of the email soft opt-in to non-commercial organisations. Read more in the DMA statement. techUK has also published an open letter to the Government on the need for data protection legislation to be modernised.

Cyber Security and Resilience Bill

The ‘Cyber Bill’ aims to introduce measures to strengthen the UK’s cyber defences. It’s likely to give regulators more powers to push organisations to bolster their cyber defence measures, and we could see some form of mandatory cyber incident reporting. It’s likely this Bill will expand on the existing Network and Information Systems Regulations 2018 and introduce rules which apply beyond essential services to include digital services and supply chains. In the EU, the original NIS Directive has already been replaced by NIS2, which widened its scope in a similar way, so this could be mirrored in the UK.

AI Approach

There was no official announcement of an AI Bill; in fact there was surprisingly little reference to AI in the speech itself, other than to state the Government will “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. It was widely predicted there would be an AI Bill announced in the King’s Speech and that we’d see a Labour Government wanting to align more closely with the EU’s approach. The EU AI Act comes into force this year, but a comparably comprehensive approach to regulating AI does not seem to be on the cards in the UK, at least not for the time being.

Meet the Ministerial Team

The Government has announced the following ministerial team:

□ Peter Kyle MP, Secretary of State for Science, Innovation and Technology
□ Lord Patrick Vallance KCB, Minister of State for Science, Research and Innovation
□ Sir Chris Bryant MP, Minister of State for Data Protection and Telecoms
□ Feryal Clark MP, Parliamentary Under-Secretary of State for AI and Digital Government
□ Baroness Jones, Parliamentary Under-Secretary of State for the Future Digital Economy and Digital Safety.

It’s noteworthy the Government has created a Minister of State for Data Protection and Telecoms, a move which may signal a greater emphasis on data protection matters and people’s privacy rights. Chris Bryant will have responsibility for digital infrastructure and telecoms, Building Digital UK, data protection, the ICO, digital inclusion, space sector growth and the UK Space Agency.