Staying ahead in establishing and maintaining adequate data protections

UK ICO reminds firms on keeping adequate data protections when handling international transfers and access requests


The UK’s Information Commissioners Office (ICO) has recently published material on a couple of useful and topical matters.


The first concerns the introduction from 1st August 2016 of the new EU-US Privacy Shield which seeks to replace the former ‘Safe Harbor’ arrangement which is no longer considered to provide adequate protection when making international transfers when sharing and transferring personal data with US organisations. The former ‘Safe Harbor’ approach was successfully challenged in a past EU Court of Justice ruling and this effectively removed the previous basis of assurance and legal reliance given to this approach.


Firms who have previously relied on the ‘Safe Harbor’ (or have no other acceptable legal arrangements or options in place) need to be looking at how the new ‘Privacy Shield’ process can be successfully applied and used going forward. In particular, firms will need to be checking that any US organisations involved in any sharing or transfers of personal data on an international basis are signed-up to the new scheme and that this can be adequately monitored on an ongoing basis. Otherwise, such UK firms could in future risk being found to be in breach of the UK’s 8th data principle, making them potentially liable to UK ICO enforcement.


Furthermore FCA/PRA financially regulated firms could also find themselves in breach of wider risk governance and systems and controls rules and principles if they fail to respond, act or show they have a suitable change management process in place covering this matter too. The UK ICO is expecting to issue revised guidance for organisations involved in such international data transfers during the autumn of 2016.


In addition, following a recent ICO seminar event, a separate recent ICO publication covers the common issues and failures identified in the systems maintained by firms for handling Subject Access Requests (SAR) by individuals as a fundamental right under the UK’s Data Protection Act. This material includes slides used in the seminar event, and highlights the importance of firms maintaining visible and adequately robust arrangements, and also for ensuring that all staff involved continue to be properly aware of those arrangements to enable access requests to be successfully handled and completed.


This must all be a timely opportunity for affected firms and organisations to check the resilience and proportionality of their own existing SAR arrangements, including the opportunity to ensure they suitably reflect the UK ICO’s further ‘subject access code of practice’.