The code sets out the standards expected of those responsible for designing, developing or providing online services such as apps, connected toys, social media platforms, online games, educational websites and streaming services. It covers services likely to be accessed by children and which process their data. The code will require digital services to automatically provide children with a built-in baseline of data protection whenever they download a new app or game, or visit a website.
The standards of the code are rooted in the General Data Protection Regulation (GDPR), and the code was introduced under the Data Protection Act 2018. The ICO submitted the code to the Secretary of State in November, and it must complete a statutory process before it is laid before Parliament for approval. After that, organisations will have 12 months to update their practices before the code comes into full effect. The ICO expects this to be by autumn 2021, so it will be key that relevant organisations start reviewing their practices as soon as possible to ensure they are acting in line with the code.
After Brexit, the UK government intends to allow personal data to continue to flow from the UK to EU countries. However, transfers of personal data from the EU to the UK will be affected: any transfer of personal data from an EU country into the UK will need an additional safeguard to be put in place for that transfer.
The simplest of these would be for the UK to be recognised as an “adequate” country in terms of its Data Protection laws by the European Data Protection Board. Initial thinking was that this was unlikely to happen before the UK left the EU.
However, the European Commission’s Task Force for Relations with the UK recently presented to the Council Working Party (Article 50) on the initial discussions about the future relationship with the UK, including adequacy decisions.
The Information Commissioner is producing a Direct Marketing Code of Practice, as required by the Data Protection Act 2018, which will provide practical guidance on carrying out Direct Marketing in accordance with the requirements of Data Protection Law and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft release is attached.
The Direct Marketing Code of Practice will significantly impact all organisations that use Direct Marketing. It includes clarification on what is considered to be Direct Marketing, the limits of Legitimate Business Interest and Consent as lawful bases, and how to ensure a Data Protection by design approach to marketing activity. It is unlikely that many organisations currently fully comply with this code.
We recommend that all organisations that utilise Direct Marketing, particularly in the form of electronic communications, review their processes in detail to establish if they comply with the proposed new code of practice. You will be impacted if you fall under the following definitions:
A breach involving your organisation’s personal data can have a significant effect on data subjects, your staff and your organisation (both financially, through fines from the ICO, and reputationally). The latest research from IBM suggests that the average cost of a data breach to a UK business is £2.9 million, taking into account both the immediate actions needed to deal with the breach and its longer-term effects, such as loss of business.