• 3 min read

Data Protection Quarterly News Roundup (October to December 2022)


The last quarter of 2022 remained a busy time for anyone keeping an eye on the UK data protection landscape. In this, the first of our quarterly news roundups, we bring you our news highlights of the last three months.

As reported in our first ever news alert, the ICO has started publishing details of reprimands issued to organisations it has investigated. Reprimands going back to the beginning of 2022 can now be viewed via the ICO website.

Direct marketing
The ICO has published new guidance and resources on direct marketing with the aim of providing greater clarity to organisations in respect of the complex requirements for carrying out direct marketing lawfully. You can view the guidance and resources via the ICO website.

International transfers
In the realm of international data transfers general uncertainty has continued but there have been some highlights:

  1. Progress is being made between the EU and the US (and the UK and the US) on a replacement for the failed privacy shield which should make transatlantic personal data transfers easier. There is a “but” however as privacy lobbyists are already making noise about challenging these new measures.
  2. The UK finalised legislation for its first independent adequacy decision allowing for the secure transfer of personal data to the Republic of Korea.
  3. The UK government and Dubai International Financial Centre Authority (DIFC) issued a joint statement stating: “We have made significant progress, including obtaining feedback from the UAE government, towards building a robust data bridge: a framework which will facilitate the free and secure flow of personal data following an assessment of the laws and practices that protect data to high standards”.
  4. Earlier in 2022 the ICO published the International Data Transfer Agreement (the UK equivalent of the EU standard contractual clauses) and the Addendum to the European Union Standard Contractual Clauses (a document which allows UK organisations to use the EU standard contractual clauses). More recently though the ICO has updated its guidance on international transfers with a new section on transfer risk assessments (TRAs) and a TRA tool which you can view on the ICO website.

ICO enforcement action
ICO enforcement action has followed the recent trend with the majority of fines resulting from breaches of PECR (the Privacy and Electronic Communications Regulations) rather than the UK GDPR. For example, in December 2022, the ICO fined two lead generation companies for their involvement in sending unsolicited marketing messages (a total of 3.4 million texts between them) to individuals without their consent.

That said we did see two large fines for breaches of the UK GDPR in October 2022:

  1.  Easylife Ltd was fined £1.35 million for using personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent. The company also received a PECR fine for predatory direct marketing calls.
  2. Interserve Group Ltd was fined £4.4 million for failing to take critical measures needed to keep personal data safe and prevent a cyber-attack.

Data subject access requests
Anyone who has had to deal with a data subject access request (DSAR/SAR) will firstly know what a headache they are for organisations to deal with and secondly that there are strict timescales in which a response is required. The ICO highlighted at the end of September 2022 the importance of those statutory timescales when it took action against 7 organisations (mostly, but not all, public bodies) for failing to respond to information access requests from members of the public.

Employee monitoring
In October the ICO published two pieces of draft guidance relating to:

  1. Monitoring of workers when they are at work e.g. via CCTV or in vehicle cameras. View the draft guidance here.
  2. Handling and use of workers health information. View the draft guidance here.

The draft guidance aims to provide practical guidance to employers but at this stage the guidance is only in draft form and the ICO is open to feedback.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421. 

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please click below.

Answers are just a click away

Make an enquiry