The Privacy, Data Protection and Cybersecurity Law Review: United Kingdom

Overview

Like other countries in Europe, the United Kingdom (UK) passed legislation designed to supplement the data protection requirements of the EU General Data Protection Regulation (GDPR),2 which came into force on 25 May 2018, repealing the EU Data Protection Directive 95/46/EC (the Data Protection Directive)3 and which regulates the collection and processing of personal data across all sectors of the economy. The UK Data Protection Act 2018 (DPA 2018), which came into force on 23 May 2018, repealed the UK Data Protection Act 1998 (DPA 1998) and introduced certain specific derogations that further specify the application of the GDPR in UK law, in addition to transposing the data protection and national security provisions of the EU Law Enforcement Directive 2016/6804 and granting powers to, and imposing duties on, the national data supervisory authority, the UK's Information Commissioner's Office (ICO). Importantly, in June 2016, the UK voted to leave the EU, and it left on 31 January 2020. Under the withdrawal agreement between the UK and the EU, EU law, and in turn the GDPR, will continue to apply until the end of the implementation period (more commonly known as the 'transition period') on 31 December 2020. At the end of the transition period, the GDPR will be incorporated into UK law as the 'UK GDPR'. It will therefore be retained in domestic law, but the UK will have the independence to keep the framework under review and introduce additional provisions and derogations.

The year in review

The ICO has published a variety of guidance addressing compliance with the GDPR5 and the DPA 2018 including in relation to the impact of Brexit to help organisations prepare for the end of the transition period.6 Further details on the impact of Brexit are provided in Section VII.

Following the entry into force of the GDPR, the ICO has reported receiving large volumes of personal data breach notifications and complaints from individuals. In the 2019/2020 period, the ICO received 11,854 personal data breach notifications, down from 13,840 in the previous year.7 Due to the impact of covid-19, the ICO has had to adapt its regulatory approach, recognising that 'organisations are facing staff and operating capacity shortages' and as a result in relation to personal data breach notifications, it will 'assess these reports, taking an appropriately empathetic and proportionate approach'.8

Naturally, a significant amount of the ICO's regulatory activity this year involved issuing guidance on how to comply with data protection requirements during the ongoing covid-19 pandemic, 'Data protection and coronavirus: what you need to know', with advice on contact tracing, testing, surveillance and updates to privacy notices to incorporate new purposes of personal data processing.

Regulatory framework

i Privacy and data protection laws and regulations

Data protection in the UK is governed by the DPA 2018, which replaced the DPA 1998 on 23 May 2018. The DPA 2018 is split into six main parts: general processing; law enforcement processing; intelligence services processing; the UK data supervisory authority, the Information Commissioner's Office (ICO); enforcement; and supplementary and final provisions. This chapter will focus on the general processing sections of the DPA 2018.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendments) Regulations 2011) (PECR) regulate direct marketing, but also the processing of location and traffic data and the use of cookies and similar technologies. The PECR implement Directive 2002/58/EC9 (as amended by Directive 2009/136/EC) (the ePrivacy Directive). The ICO has updated its guide to PECR to take into account the GDPR.

On 10 January 2017, the European Commission issued a draft of the proposed Regulation on Privacy and Electronic Communications (the ePrivacy Regulation) to replace the existing ePrivacy Directive.10 The European Commission's original timetable for the ePrivacy Regulation was for it to apply in EU law and have direct effect in Member State law from 25 May 2018, coinciding with the GDPR's entry into force. However, the text is still to be adopted. On 3 June 2020, the Presidency of the Council of the European Union published a progress report indicating that progress on the draft ePrivacy Regulation has been limited due to the covid-19 pandemic.11 The ePrivacy Regulation is now not expected to come into force until 2021 at the earliest. Since it will not come into force before the end of the transition period, it remains to be seen whether the UK will in any case choose to introduce similar rules and obligations into domestic law.

The key changes in the proposed ePrivacy Regulation will:

  1. require a clear affirmative action to consent to cookies;
  2. attempt to encourage the shifting of the burden of obtaining consent for the use of cookies to website browsers; and
  3. make consent for direct marketing harder to obtain and require it to meet the standard set out in the GDPR; however, existing exceptions (such as the exemption that applies where there is an existing relationship and similar products and services are being marketed) are likely to be retained.

Key terms under the DPA 2018

The terms used in the DPA 2018 have the same meaning as they have in the GDPR.12 The key terms are:

  1. controller: a natural or legal person who (either alone, or jointly with others) determines the purposes and means of the processing of personal data;
  2. processor: a natural or legal person who processes personal data on behalf of the controller;
  3. data subject: an identified or identifiable individual who is the subject of personal data;
  4. personal data: any information relating to an identified or identifiable individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that individual;
  5. processing: any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
  6. special categories of data: personal data revealing the racial or ethnic origin of the data subject, his or her political opinions, his or her religious or philosophical beliefs, whether the data subject is a member of a trade union, genetic data, biometric data for the purpose of uniquely identifying the data subject, data concerning the data subject's health or data concerning the data subject's sexual life or sexual orientation.

Data protection authority

The DPA 2018 and the PECR are enforced by the ICO, which has powers to enforce compliance by organisations with the data protection requirements in the GDPR and the PECR. The ICO also enforces and oversees the Freedom of Information Act 2000, which provides public access to information held by public authorities.

The ICO has independent status and is responsible for:

  1. maintaining the public register of controllers;
  2. promoting good practice by giving advice and guidance on data protection and working with organisations to improve the way they process data through audits, arranging advisory visits and data protection workshops;
  3. ruling on complaints; and
  4. taking regulatory actions.

Discovery and disclosure

The ICO has not published any specific guidance on this topic.61 E-discovery procedures and the disclosure of information to foreign enforcement agencies will, most of the time, involve the processing of personal data. As a result, organisations will have to comply with the data protection principles under the DPA 2018 in relation to e-discovery and must comply with the requirements of the GDPR.

In practice, this will mean informing data subjects about the processing of their personal data for this purpose. Organisations will also have to have a legal basis for processing the data.

A data transfer solution will also have to be implemented if the data is sent to a country outside the EEA that is not deemed to provide an adequate level of protection pursuant to Article 45 of the GDPR.

Public and private enforcement

i Enforcement agencies

The ICO has a range of enforcement powers under the DPA 2018, including monitoring and enforcement of the GDPR and the DPA 2018 in the UK. Such monitoring and enforcement powers include the power to issue:

  1. information notices: requiring controllers and processors to provide the ICO with information that the Commissioner reasonably requires in order to assess compliance with the GDPR or DPA 2018;
  2. assessment notices: requiring the controller or processor to permit the ICO to carry out an assessment of whether the controller or processor is in compliance with the GDPR or DPA 2018 (this may include the power of the ICO to conduct an audit, where the assessment notice permits the ICO to enter specified premises, inspect or examine documents, information, material and observe processing of personal data on the premises);
  3. notice of intent: where, after conducting its investigation, the ICO issues a notice of intent to fine the controller or processor in relation to a breach of the GDPR or the DPA 2018. Such a notice sets out the ICO's areas of concern with respect to potential non-compliance of the GDPR or the DPA 2018 and grants the controller or processor the right to make representations. After such representations have been carefully considered, the ICO reaches its final decision on any enforcement action in the form of an enforcement notice;
  4. enforcement notices: such notices are issued where the ICO has concluded the controller or processor has failed to comply with the GDPR or the UK DPA 2018, setting out the consequences of non-compliance, which could include a potential ban on processing all or certain categories of personal data; and
  5. penalty notices: if the ICO is satisfied that the controller or processor has failed to comply with the GDPR or the DPA 2018 or has failed to comply with an information notice, an assessment notice or an enforcement notice, the ICO may, by written notice, require a monetary penalty to be paid for failing to comply with the GDPR or the DPA 2018. Under the GDPR, such monetary penalties can amount to €20 million or 4 per cent of annual worldwide turnover.

Although the DPA 2018 came into effect on 23 May 2018, information notices issued by the ICO to commence possible investigations, assessment notices and enforcement notices served before 23 May 2018, and thus served under the DPA 1998, continue to have effect under the DPA 2018.

In a speech at the Data Protection Practitioners' Conference on 9 April 2018, the Information Commissioner, Elizabeth Denham, stated that 'enforcement is a last resort' and that 'hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law' and 'those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action'.

In addition, the ICO is responsible for promoting public awareness and in particular raising awareness among controllers and processors, of their obligations under the GDPR and DPA 2018.

The FCA also has enforcement powers and can impose financial penalties on financial services organisations for failure to comply with their obligations to protect customer data.

ii Recent ICO-led enforcement cases

Following the entry into force of the GDPR, the ICO has taken the following high-profile enforcement actions:

  1. in October 2018, the ICO took enforcement action against a Canadian data analytics firm in relation to its political campaign behavioural advertising techniques;
  2. on 8 July 2019, the ICO issued a notice of its intention to fine British Airways (BA) £183.39 million for infringements of the GDPR. The proposed fine relates to a cyber-incident that BA notified to the ICO (as BA's lead data protection authority) in September 2018. The incident involved the theft from the BA website and mobile app of personal data pertaining to customers over a two-week period; and
  3. on 9 July 2019, the ICO issued another statement of its intention to fine Marriott International, Inc over £99 million in relation to a security incident affecting the Starwood reservation database that Marriott had acquired in 2016 and discovered in November 2018. The statement came in response to Marriott's filing with the US Securities and Exchange Commission that the ICO intended to fine it for breaches of the GDPR. The UK Information Commissioner confirmed in a statement that 'organisations must be accountable for the personal data they hold and this includes carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.'

Both BA and Marriott had the opportunity to make detailed representations to the ICO as to the proposed findings and sanctions. In early 2020, the ICO issued a statement delaying the issuance of both GDPR fines, which had originally been expected by the end of 2019. It is understood that the delay was agreed between each company and the ICO in accordance with Schedule 16 of the UK Data Protection Act 2018, which provides that the ICO must give a penalty notice to a person in reliance on a notice of intent within six months of that notice of intent, unless that period is extended by agreement between the ICO and that person. In light of covid-19, the period following the notice of intent to fine has been extended in both instances, and the fines are expected to be announced in late 2020.

iii Private enforcement

Under the GDPR, data subjects are able to claim for 'material or non-material damage' as a result of a breach of the GDPR. In addition, not-for-profit organisations have the right to lodge a complaint on behalf of the data subject. For example, BA is currently involved in group litigation before the UK High Court against over 50,000 BA customers who are seeking damages as a result of the personal data breach. BA had already pledged to cover any losses suffered by its customers, but public estimates of expected compensation to affected individuals vary, ranging from £2,200 to £6,000 each.

In addition, a recent case in the UK relates to a former employee who copied payroll data of 100,000 employees onto an external drive and subsequently posted the data on a file sharing website. The individual was jailed for eight years under the UK's Computer Misuse Act. The employer was found by the court of first instance and the Court of Appeal to be vicariously liable to approximately 5,000 employees who joined the group litigation for breach of confidence and UK data protection laws, because it was held that there was a sufficient connection between the employer having authorised the tasks of the former employee (i.e., he was entrusted with the payroll data) and the wrongful acts committed by him. On 1 April 2020, the UK Supreme Court reversed the ruling, holding that the employer was not vicariously liable for a data breach committed maliciously by a former employee who, acting to satisfy a personal vendetta against the employer, had disclosed employee payroll data online, as the wrongful conduct was not so closely connected with acts that he was authorised to do by his employer that it could be fairly regarded as carried out by him in the ordinary course of his employment.62

Further, on 19 August 2020, Martin Bryant, a technology journalist, announced he had filed a data breach representative action in the High Court of England and Wales against Marriott following its data breach, seeking compensation for the loss of control over his personal data, as well as on behalf of other claimants.

Considerations for foreign organisations

The DPA 2018 applies to a controller established in the UK and processing personal data in the context of that establishment, regardless of whether the processing takes place in the UK. It also applies to foreign organisations not established in the UK, or in any other EEA state, that process personal data in relation to the offering of goods or services to data subjects in the UK or to the monitoring of data subjects in the UK, as far as their behaviour takes place in the UK. Controllers not established in the UK or any other EEA country and processing personal data of data subjects in the UK must nominate a representative established in the UK and comply with the data principles and requirements under the GDPR and DPA 2018.

Cybersecurity and data breaches

i Cybersecurity

Investigatory Powers Act 2016 (the Investigatory Powers Act)

The Investigatory Powers Act (IPA) received Royal Assent on 29 November 2016. The Act prohibits the interception of communications without lawful authority and sets out the situations in which there is lawful authority. Various law enforcement and intelligence authorities can, under the IPA, make targeted demands on telecommunications operators.

Under the IPA, the Secretary of State may by giving notice require a public telecommunications operator to retain communications data for a period that must not exceed 12 months if he or she considers that this is necessary and proportionate for one or more of the purposes for which communications may be obtained under the IPA. The IPA also expands the data retention requirements in the DRIP Act that it replaces (see below) to a broader range of communications data, such as site browsing histories.

The IPA is controversial and, like its predecessor, the DRIP Act, which was an emergency piece of legislation and automatically expired on 31 December 2016, it has been criticised for lacking basic safeguards and for granting overly expansive powers for the bulk collection of data. The legality of the IPA has already been called into question following a ruling of the CJEU on the data retention provisions in the DRIP Act. One year after the DRIP Act received Royal Assent, the English High Court issued a landmark judgment declaring the DRIP Act unlawful. The High Court ruled that a number of the provisions in the DRIP Act were incompatible with EU human rights law. However, the ruling was suspended until 31 March 2016 to give UK legislators time to implement appropriate safeguards. Preliminary questions were referred to the CJEU by the English Court of Appeal. On 21 December 2016, the CJEU issued a landmark ruling that effectively upheld the original decision of the High Court in relation to the validity of the provisions of the DRIP Act.63 Although the ruling concerned the DRIP Act, the IPA does little to address the criticisms of the DRIP Act in the CJEU's judgment and in some cases provides for even more extensive powers than under the DRIP Act. The case was returned to the Court of Appeal, which, in January 2018, issued its judgment ruling that the DRIP Act was incompatible with EU law, as the DRIP Act did not restrict the accessing of communications data to 'investigations of serious crime', nor were requests by police or other public bodies to access communications data subject to independent oversight by way of a 'prior review by a court or independent administrative authority'. The UK government responded that it was making amendments to the IPA to take into account judicial criticisms of the DRIP Act. The UK High Court ruled in April 2018 that the UK government had six months to introduce changes to the IPA to make it compatible with UK law. On 31 October 2018, the Data Retention and Acquisition Regulations 2018 came into force to address the UK High Court's ruling.

The Regulation of Investigatory Powers Act 2000 (RIPA)

The interception powers in Part 1, Chapter 1 of RIPA have been repealed and replaced by a new targeted interception power under the IPA.

UK cybersecurity strategy

In November 2011, the Cabinet Office published the UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, with four objectives for the government to achieve by 2015:

  1. to tackle cybercrime and make the UK one of the most secure places in the world to do business;
  2. to be more resilient to cyberattacks and better able to protect our interests in cyberspace;
  3. to create an open, stable and vibrant cyberspace that the UK public can use safely and that supports open societies; and
  4. to have the cross-cutting knowledge, skills and capability it needs to underpin all our cybersecurity objectives.

In March 2013, the government launched the Cyber-security Information Sharing Partnership to facilitate the sharing of intelligence and information on cybersecurity threats between the government and industry.

The government has also developed the Cyber Essentials scheme, which aims to provide clarity on good cybersecurity practice.

Along with the Cyber Essentials scheme, the government has published the Assurance Framework, which enables organisations to obtain certifications to reassure customers, investors, insurers and others that they have taken the appropriate cybersecurity precautions. The voluntary scheme is currently open and available to all types of organisation.

In June 2015, the government launched a new online cybersecurity training course to help the procurement profession stay safe online.

In July 2015, the government announced the launch of a new voucher scheme to protect small businesses from cyberattacks, which will offer micro, small and medium-sized businesses up to £5,000 for specialist advice to boost their cybersecurity and protect new business ideas and intellectual property.

In January 2016, the government announced plans to assist start-ups offering cybersecurity solutions. Such start-ups will be given help, advice and support through the Early Stage Accelerator Programme, a £250,000 programme designed to assist start-ups in developing their products and bringing them to market. The programme is run by Cyber London and the Centre for Secure Information Technologies, and is funded by the government's National Cyber Security Strategy programme.

In March 2016, the government announced that the UK's new national cyber centre (announced in November 2015) would be called the National Cyber Security Centre (NCSC). The NCSC, which is based in London, opened in October 2016 and is intended to help tackle cybercrime.

In response to the European Parliament's proposal for a NIS Directive in March 2014, which was part of the European Union's Cybersecurity Strategy, and proposed certain measures including new requirements for 'operators of essential services' and 'digital service providers', the UK government has implemented the NIS Directive into national law in the form of the UK Network and Information Systems Regulations 2018 (the NIS Regulations), which came into force on 10 May 2018.

The NIS Regulations have established a legal framework that imposes security obligations, and obligations to notify security incidents, on:

  1. operators of essential services, being energy, transport, digital infrastructure, the health sector and drinking water supply and distribution services; and
  2. relevant digital service providers, being online marketplace providers, online search engines and cloud computing service providers.

The NIS Regulations also require the UK government to outline and publish a strategy to provide strategic objectives and priorities on the security of the network and information systems in the UK.

The NIS Regulations also impose a tiered system of fines in proportion to the impact of the security incident, with a maximum fine of £17 million imposed where a competent authority decides the incident has caused or could cause an immediate threat to life or a significantly adverse impact on the UK economy.

Controllers in the UK may in the event of a data security breach have to notify the relevant authorities both under the GDPR and the NIS Regulations.

Data breaches

Under the GDPR, controllers are required to report personal data breaches to the ICO without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.64 If a controller does not report the data breach within 72 hours, it must provide a reasoned justification for the delay in notifying the ICO. The controller is also subject to a concurrent obligation to notify affected data subjects without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.65 Under the GDPR, processors also have an obligation to notify the controller of personal data breaches without undue delay after becoming aware of a personal data breach.66

According to the ICO, there should be a presumption to report a breach to the ICO if a significant volume of personal data is concerned, and also where smaller amounts of personal data are involved but there is still a significant risk of individuals suffering substantial harm.67 The ICO has stated that the 72-hour deadline to report a personal data breach includes evenings, weekends and bank holidays,68 and where a controller is not able to report a breach within the 72-hour deadline, it must give reasons to the ICO for its delay.

As part of the notification, the ICO requires controllers to inform the ICO of:

  1. the number of data subjects affected by the personal data breach;
  2. the type of personal data that has been affected;
  3. the likely impact on the data subjects as a result of the personal data breach;
  4. steps the controller has taken to rectify the personal data breach and to ensure it does not happen again; and
  5. the name of the DPO or another point of contact for the ICO to request further information.

The GDPR also imposes a requirement on controllers to inform the data subject where the personal data breach represents a high risk to their rights and freedoms. The ICO, in a webinar in July 2018,69 stated it was of the view that the threshold for informing data subjects of a personal data breach is higher than the threshold for informing the ICO. According to the ICO, this is because the aim of informing data subjects is so that they can take action to protect themselves in the event of a personal data breach. Informing them of every personal data breach, regardless of whether it has an effect on the data subject, can therefore lead to notification fatigue where the consequences of the breach are relatively minor.

In addition, when notification is given to the ICO of the personal data breach, the ICO can also require the controller to inform the data subjects of the personal data breach.

In addition, under the PECR70 and the Notification Regulation,71 internet and telecommunication service providers must report breaches to the ICO no later than 24 hours after the detection of a personal data breach where feasible.72 The ICO has published guidance on this specific obligation to report breaches.73

Outlook

In light of the upcoming end to the transition period, negotiations on a UK adequacy decision are expected to continue between the UK government and the European Commission, with the UK government expected to set out further guidance on the UK's data protection framework post-Brexit.

More generally, it is expected the ICO will continue to publish guidance on the DPA 2018 and the impact of Brexit on data protection during 2020 and beyond. We also expect a resurgence in enforcement action from the ICO in the coming months, as well as a steep increase in consumers exercising their privacy rights and a continued growth in privacy litigation.

Footnotes

1 William RM Long is a partner and Francesca Blythe is a senior associate at Sidley Austin LLP.

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

4 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

5 ICO, Guide to the General Data Protection Regulation (GDPR) accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

6 ICO, Data Protection at the end of the transition period accessible at https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/.

7 ICO, Information Commissioner's Annual Report and Financial Statements 2019–2020 accessible at https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf.

8 ICO, Regulatory approach during coronavirus, accessible at https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf.

9 Directive 2002/58/EC of the European Parliament and Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

10 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

11 Council of the European Union, ePrivacy Regulation Progress Report, accessible at https://data.consilium.europa.eu/doc/document/ST-8204-2020-INIT/en/pdf.

12 Section 5 of the DPA 2018.

13 ICO, Guide to the General Data Protection Regulation (GDPR)/Lawful basis for processing, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

14 ICO, Sample LIA template.

15 Articles 9 and 10 of the GDPR, Sections 10 and 11 and Schedule 1 of the DPA 2018.

16 Section 3, Part 2 of Schedule 3 to the DPA.

17 Section 4, Part 2 of Schedule 3 to the DPA.

18 Section 2(2), Part 2 of Schedule 3 to the DPA.

19 Article 37(1)(b) and (c) of the GDPR.

20 Article 37(5) of the GDPR.

21 Data Protection (Charges and Information) Regulations 2018/480.

22 Article 30 of the GDPR.

23 ICO, Guide to the General Data Protection Regulation (GDPR)/Individual Rights/Right to be Informed, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

24 ICO, Guide to the General Data Protection Regulation (GDPR)/Accountability and Governance, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

25 ICO, Guide to the General Data Protection Regulation (GDPR)/Principles/Purpose limitation, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

26 ICO, Guide to the General Data Protection Regulation (GDPR)/Principles/Data minimisation, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

27 ibid.

28 ICO, Guide to the General Data Protection Regulation (GDPR)/Principles/Accuracy, accessible at
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/accuracy/.

29 ICO, Guide to the General Data Protection Regulation (GDPR)/Principles/Storage limitation, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

30 ICO, Guide to the General Data Protection Regulation (GDPR)/Principles/Storage limitation, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

31 ibid.

32 ICO, Guide to the General Data Protection Regulation (GDPR)/Security, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

33 ibid.

34 ibid.

35 ibid.

36 ICO, Guide to the General Data Protection Regulation (GDPR)/Accountability and governance, accessible at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

37 ibid.

38 In November 2012, the ICO published a code of practice on managing data protection risks related to anonymisation. This code provides a framework for organisations considering using anonymisation and explains what it expects from organisations using such processes.

39 ICO, Guidelines on Big Data and Data Protection, 28 July 2014 and revised 18 August 2017.

40 ICO, Summary of Feedback on Big Data and Data Protection and ICO Response, 10 April 2015.

41 FCA, FS16/5, Call for Inputs on Big Data in retail general insurance.

43 ICO, Guidelines on Bring Your Own Device (BYOD), 2013.

44 ICO, Guidance on the Use of Cloud Computing, 2012.

45 See the European Union Overview chapter for more details on cloud computing.

46 PECR Regulation 6.

47 See the European Union Overview chapter for more details on the proposed ePrivacy Regulation.

49 ICO, The Employment Practices Code: Supplementary Guidance, November 2011.

50 ibid.

51 Article 29 Data Protection Working Party Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation 2016/679 – Adopted on 4 April 2017 – As last Revised and Adopted on 4 October 2017.

52 WP 249: Opinion 2/2017 on data processing at work, adopted 8 June 2017.

53 ICO, 'Disclosures from whistleblowers', 2 June 2017.

54 For guidance on how to comply with data protection principles under the DPA see WP 117: Opinion 1/2006 on the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, and the fight against bribery, banking and financial crime adopted on 1 February 2006.

55 ICO, Guide to the Privacy and Electronic Communications Regulations, 2013, and Direct Marketing Guidance, V.2.2.

56 PECR Regulation 22(2).

57 Guide to PECR/ Electronic and telephone marketing/ electronic mail marketing- accessible at https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/.

58 PECR Regulation 23.

59 ICO, For organisations/Marketing/The rules around business to business marketing, the GDPR and PECR, accessible at https://ico.org.uk/for-organisations/marketing/the-rules-around-business-to-business-
marketing-the-gdpr-and-pecr/.

60 SYSC 3.

61 The Article 29 Working Party has, however, published a working document on this topic. See the European Union Overview chapter for more details.

62 WM Morrison Supermarkets PLC v. Various Claimants [2020] UKSC 12.

63 Case C-698/15 Secretary of State for the Home Department v. Tom Watson, Peter Brice and Geoffrey Lewis.

64 Article 33(1) of the GDPR.

65 Article 34 of the Regulation.

66 Article 33(2) of the Regulation.

67 ICO, Guidance on Notification of Data Security Breaches to the Information Commissioner's Office, 27 July 2012.

68 ICO, Personal Data Breach Reporting Webinar, 19 July 2018.

69 ibid.

70 PECR Regulation 5A(2).

71 Commission Regulation No. 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (the Notification Regulation), which entered into force on 25 August 2013.

72 Article 2 of the Notification Regulation. The content of the notification is detailed in Annex 1 to the Notification Regulation.

73 ICO, Guidance on Notification of PECR Security Breaches, 26 September 2013.

Get unlimited access to all The Law Reviews content