On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here).  To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:

  • a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
  • a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).

The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021.  In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.


Continue Reading UK Information Commissioner’s Office Opens Public Consultation on Policy Proposals and Documentation for International Transfers

On July 30, 2020, the UK Information Commissioner’s Office (“ICO”) published its final guidance on Artificial Intelligence (the “Guidance”).  The Guidance sets out a framework for auditing AI systems for compliance with data protection obligations under the GDPR and the UK Data Protection Act 2018.  The Guidance builds on the ICO’s earlier commitment to enable good data protection practice in AI, and on previous guidance and blogs issued on specific issues relating to AI (for example, on explaining decisions on AI, trade-offs, and bias and discrimination, all covered in Covington blogs).

Continue Reading UK ICO publishes guidance on Artificial Intelligence

On May 11, 2020, the UK Information Commissioner’s Office (“ICO”) published guidance on how employers should handle data in the event they choose to test their employees for COVID-19.

The guidance provides a clear reminder that employers must comply with both the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”), and that health data, in particular, attracts additional protections.
Continue Reading ICO Issues COVID-19 Guidance for Employers

 On March 12, 2020, the UK Supervisory Authority (“ICO”) issued a statement on data protection and coronavirus (“COVID-19”).  The statement makes clear that the ICO will take a “reasonable and pragmatic” approach regarding compliance with the GDPR in light of the current health emergency.

Similar to the Irish Supervisory Authority (see our previous blog here