• 2 min read

Data Protection Quarterly News Roundup (October to December 2023)

dp qr

New Year is nearly upon us so it is time for us to look back on the last quarter of 2023 to see what has been happening in the world of data protection. Our highlights are:

Employee monitoring

On 3 October the Information Commissioner’s Office (ICO) issued new guidance relating to employee monitoring. You can read more here.

Cookie warning

In November we found out that the ICO had issued warnings to the companies running 30 of the UK’s “top”, but non-compliant, websites (although no details about which) that they face enforcement action if they do not make changes to their cookie notices and policies to bring them into compliance with the law.  The key issue relates to the need for first level ‘reject all’ buttons, the intention being that rejecting tracking technologies should be as easy as acceptance, whereas many websites still promote acceptance and require more clicks to reject. More information is expected to follow in January.

UK GDPR fine

On 13 December the ICO somewhat surprisingly confirmed they had issued a fine of £350,000 to a public sector organisation. This is only the second UK GPDR fine in 2023 and the Information Commissioner has made a conscious decision not to fine public sector entities, in favour of reprimands. What makes this data breach different to the numerous other public sector data breaches which we have heard about this year is unclear. This fine is another reminder of the importance of care when sending emails and the correct use of BCC (blind carbon copy) or bulk mailing services (see the ICO’s advice here).

DPDI bill

The Data Protection and Digital Information Bill is continuing to make progress after the reporting stage took place on 29 November.

Artificial intelligence

AI has continued to be a hot topic and the ICO has taken preliminary action against Snap, Inc over its potential failure to assess privacy risks to children, specifically potentially failing to properly assess the privacy risked posed by Snap’s generative AI chatbot ‘My AI’. However, the findings are only provisional and we are told investigations are ongoing.


The ICO has established a new way for data subjects to make data subject access requests which organisations should be aware of to ensure these are recognised as being legitimate if received. The ICO have explained: “The service means that people can make and send a SAR request directly to an organisation via our website. Organisations will then get an ICO branded email with the details of the request and guidance on how to respond.” You can find more information here.

US transfers

Finally, the ICO has issued guidance on completing a transfer risk assessment when transferring personal data from the UK to the US using an appropriate safeguards (see the guidance here).

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421. 

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please contact [email protected].

Answers are just a click away

Make an enquiry