Data Protection Update – ICO Priorities moving forward

Introduction  

In a recent speech, the Information Commissioner John Edwards outlined the key priorities for the Information Commissioner’s Office (‘ICO’) over the coming months, which included:
  1. Children’s data – The ICO recognises that children are the most vulnerable members of society, whose personal data should be protected to ensure that children are kept safe online. The ICO will continue to work closely with organisations such as Ofcom regarding content moderation and guidance, continue to persuade organisations to change their practices and set expectations, and look to apply the full range of regulatory powers available to it as the UK regulator to keep children’s information safe.
  2. Advertising technologies and fair use of cookies – The Information Commissioner acknowledged the current power imbalance between online advertisers/aggregators and end users. In early 2024 the ICO reviewed the top 100 websites in the UK and identified 53 as having non-compliant cookie banners. Those organisations were given 30 days to address non-compliance or potentially face enforcement action. Based on these figures, the Information Commissioner indicated that ICO time and resources will continue to focus on how to monitor and regulate cookie compliance at scale.
  3. Artificial Intelligence (AI) - Given the transformative power and increased usage of AI, the Information Commissioner confirmed that the ICO is focusing on ensuring that AI technologies are implemented in a way that complies with the principles of UK data protection legislation.

How does this impact the Not for Profit sector and what should organisations do next?

Not for Profit organisations should be aware of the current ICO focus, and the impact of this on current activities.
  • Children’s data - For services targeting children and the processing of children’s data, Not for Profit organisations should ensure compliance with the Children’s code. Adherence to the code ensures that privacy settings are automatically set to high, children and parents/carers have more control of their privacy settings and there are clear and accessible tools in place to help children exercise their data protection rights.
  • Advertising technologies – Given the renewed focus on cookie compliance, Not for Profit organisations should review existing cookie arrangements and be aware of the requirement to notify individuals of the existence of cookies, to clearly explain the purpose of each cookie, and to obtain an individual’s explicit consent before storing a cookie on their device. In practice, Not for Profit organisations should ensure that the option to reject cookies is clearly highlighted and that non-essential cookies are switched off by default.
  • Artificial Intelligence – Not for Profit organisations either already utilising or looking to implement AI technologies would do well to keep an eye on the ICO’s consultation series on generative AI, with the first chapters published focusing on the lawful bases used for web scraping to train GenAI models, and on how purpose limitation should be applied at different stages of the AI lifecycle. From a governance perspective, organisations in the Not for Profit sector should ensure that AI technologies are not developed in silos, but are instead developed, implemented and monitored with input from data protection compliance teams from the outset (demonstrating a privacy by design approach), as well as from other relevant stakeholders across the organisation, including risk, legal, IT security, data scientists and senior management.

Further information

Organisations in the Not for Profit sector continue to navigate compliance with applicable data protection regulation, within the context of an ever-changing regulatory landscape. For further information regarding how to navigate data protection legislative changes, or if you have any questions, please reach out to Christopher Beveridge, Managing Director, Privacy and Data Protection, or Louise Sadler, Senior Manager, Privacy and Data Protection. You can also sign up to receive our quarterly newsletter here to receive privacy and data protection insights and articles straight to your inbox! 

Spotlight – Recent ICO enforcement action in the sector

Overview

In March 2024, the ICO issued an enforcement notice to a charity, ordering it to stop sending unsolicited marketing emails to individuals who had not provided their consent.

The organisation sent over 460,000 unsolicited text messages over a ten-day period to 52,000 individuals who had not provided their consent or had clearly opted out. The messages were sent during 2022 to coincide with Ramadan, encouraging people on a daily basis to donate to the charity’s appeals.

Organisations in the Not for Profit sector should be aware that the requirements for processing on the basis of consent are high under UK data protection legislation, and the onus is on data controllers to evidence the collection of consent from each individual. Some considerations for an organisation relying on consent as a legal basis include:
  • Ensuring that any consent collected constitutes an unambiguous indication of an individual’s wishes, so ‘opt-in’ not ‘opt-out’ (passive consent is not permitted);
  • Ensuring that consents are not ‘bundled together’ or captured for multiple data processing activities, but are clearly distinguishable;
  • Ensuring that consents are written in clear, plain language, so that the individual can clearly understand what they are consenting to;
  • Ensuring that, for direct marketing, the option for individuals to ‘opt-out’ of future marketing emails is clearly highlighted on each communication; and
  • Maintaining a record of consents, including the time and date each consent was obtained, as evidence in the event of any challenge.

What should Not for Profit organisations be aware of?

The ICO continues to be active in issuing enforcement action, including financial penalties for nuisance marketing texts and/or emails, across different sectors. To reduce the risk of individuals making complaints directly to the ICO, and to avoid the pitfalls highlighted in the example above, organisations in the Not for Profit sector should ensure that their consent arrangements are aligned to the requirements of UK data protection legislation and the Privacy and Electronic Communications Regulations (PECR).

Further information

Following the recent ICO enforcement action, Not for Profit organisations continue to navigate data protection in an ever-changing regulatory landscape. For further information regarding how to navigate the changes, or if you have any questions, please reach out to Christopher Beveridge, Managing Director, Privacy and Data Protection, or Louise Sadler, Senior Manager, Privacy and Data Protection.