In the next few weeks, due to the Coronavirus pandemic, businesses in the UK may have more employees working from home. Employees may be working on their work laptops and devices, but some may have to work on their personal devices. Employers have a responsibility to put security measures in place to ensure staff work securely both in the office and at home.
Organisations have different IT systems, but here are just some of the factors that many employers will need to consider and address as part of their working from home policy:
The code sets out the standards expected of those responsible for designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data. The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app or game, or visit a website.
The standards of the code are rooted in the General Data Protection Regulation (GDPR) and the code was introduced by the Data Protection Act 2018. The ICO submitted the code to the Secretary of State in November and it must complete a statutory process before it is laid in Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn 2021, so it will be key that relevant organisations start reviewing their practices as soon as possible to ensure they are acting in line with the code.
After Brexit, the UK government intends to allow data to flow from the UK to EU countries. However, transfers of personal data from the EU to the UK will be affected. Moving forward, any transfers of personal data from an EU country into the UK will need an additional safeguard implemented around this transfer.
The simplest of these would be for the UK to be recognised as an “adequate” country in terms of its Data Protection laws by the European Data Protection Board. Initial thinking was that this was unlikely to happen before the UK left the EU.
However, the European Commission’s Task Force for Relations with the UK recently presented to the Council Working Party (Article 50) on initial discussions on the future relationship with the UK and adequacy decisions.
The Information Commissioner is producing a Direct Marketing Code of Practice, as required by the Data Protection Act 2018, which will provide practical guidance on carrying out Direct Marketing in accordance with the requirements of Data Protection Law and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft release is attached.
The Direct Marketing Code of Practice will significantly impact all organisations that use Direct Marketing and includes clarification on what is considered to be Direct Marketing, the limits of Legitimate Business Interest, Consent and how to ensure a Data Protection by design approach to marketing activity. It is unlikely that many organisations will currently fully comply with this code.
We recommend that all organisations that utilise Direct Marketing, particularly in the form of electronic communications, review their processes in detail to establish if they comply with the proposed new code of practice. You will be impacted if you fall under the following definitions: