UK Information Commissioner's Office (ICO)

On December 13, 2018, the Information Commissioner’s Office (“ICO”) in the United Kingdom issued guidance on the state of UK data protection law should the country leave the European Union (“EU”) without having reached an agreement on the terms of its withdrawal.  Much of this latest guidance is consistent with the ICO’s earlier guidance on the topic, published in September 2018.  But as the UK’s expected withdrawal from the EU on March 29, 2019, inches closer, organizations that process the personal data of individuals resident in the UK or in other countries in the European Economic Area (EEA) should now take steps to prepare themselves for the possibility of a “no-deal” scenario.
Continue Reading Information Commissioner’s Office Issues Guidance on UK Data Protection Law in the Event of a “No-Deal” Brexit

Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced.  Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging.  Enforcement appears to be ramping up significantly. 

Designing data-driven products and services in compliance with privacy requirements can be a challenging process.  Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR).  These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.

Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”.  The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey).  Interested organisations have until 12 October to reply.

The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.

The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).

Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).

The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).

Further details on the scope of the Survey are summarised below.
Continue Reading ICO consults on privacy “regulatory sandbox”

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.
Continue Reading GDPR Contracts and Liabilities Between Controllers and Processors

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

On April 2, 2017, the Information Commissioner’s Office (“ICO”) released a consultation paper for UK organizations to comment on how the new profiling provisions under the General Data Protection Regulation (“GDPR”) could be interpreted and applied when the GDPR comes into force in May 2018.

The public consultation on what is described as “initial thoughts on some key issues” which require “further debate” expires on April 28, 2017.  Stakeholders and the public can review the paper and provide their views on the ICO’s website.  The ICO will then publish a summary of the feedback it receives.  Guidance on profiling is anticipated from the Article 29 Working Party, which has prioritized it for release in 2017.

Profiling under the GDPR is the automated processing of personal data to evaluate personal aspects of an individual, in particular to analyze or predict professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.  In interpreting this definition, the ICO has asked for feedback on whether stakeholders agree that there must be “a predictive element, or some degree of inference for the processing to be considered profiling.”
Continue Reading The Information Commissioner’s Office Publishes a Consultation Paper on Profiling and Automated Decision-Making under the GDPR

On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018.

The ICO is currently engaging in a public consultation on the draft guidance, which expires on

On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.”  The ICO highlighted several technical and organizational deficiencies as justification for issuing its largest fine to date.  Many of these failings are unlikely to be unique to TalkTalk; organizations across all sectors should take note.

Between October 15 and 21, 2015, a cyber-attacker took advantage of technical weaknesses in three of TalkTalk’s webpages.  As is often the case with weaknesses in cyber defences, the relevant infrastructure had been inherited as part of a previous acquisition.

The attacker accessed the personal data of over 150,000 customers, including their names, addresses, dates of birth, phone numbers and email addresses.  The attacker also accessed bank account details and sort codes in over 15,000 cases.

The attack has been the subject of widespread media coverage and even led to a Parliamentary inquiry and report.  TalkTalk decided to go public early.  Its CEO, Baroness Dido Harding, appeared on major news outlets globally, including the BBC’s flagship evening program, to warn customers about the potential attack.  (This was a risky strategy: Baroness Harding initially suggested the attack may have impacted over 4,000,000 customers — this turned out to be a 95% over-estimation — and came under fire for not knowing whether the data had been encrypted.)
Continue Reading Inherited Infrastructure, Outdated Software, And Other Failings That Led To TalkTalk’s Record Fine

On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint.

Commission Regulation No 611/2013 (“the Notification Regulation”) and the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) require telecommunication service providers to report personal data breaches within 24 hours of their “detection.”  TalkTalk’s appeal focused on the extent to which an internal investigation can take place before it is deemed to have “detected” a breach.
Continue Reading UK Telco Loses Appeal; Should Have Reported Data Breach Within 24 Hours Of Customer Complaint, Not Fuller Investigation