In brief: UK data protection rules exist to make sure details about living people — captured as 'personal data' — are handled lawfully, fairly and responsibly. To achieve this, the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) places a range of obligations on anyone 'processing' personal data, and on the controllers supervising that processing, when they fall within the scope of the UK GDPR regime. The UK GDPR also confers rights on individuals whose personal data is handled (the 'data subjects'). 'Processing' covers practically any operation performed on personal data, meaning doing almost anything with it, such as storing, sharing, deleting or using it. It is almost impossible to run a business or other organisation without processing personal data. Among other requirements, the controllers of personal data processing must provide information to data subjects, to make sure they are aware of the following: the reasons their personal data is collected; the ways it is used; ...
This Checklist summarises guidance on pursuing a ‘UK GDPR claim’. It draws on the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), together with the Data Protection Act 2018 (DPA 2018) legislation. Where the EU has jurisdiction, proceedings are governed by the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR). UK data protection rules—most notably Assimilated Regulation (EU) 2016/679 (UK GDPR)—originate to a large extent from EEA data protection frameworks and, as a result, generally rest on comparable principles, although some provisions differ slightly in detail. In the UK, ‘assimilated law’ denotes retained EU law (REUL) that continues to have effect after the end of 2023 and remains in force, for example the UK GDPR legislation. Re-labelling REUL (and related terminology) as assimilated law signals a shift in its status and handling in UK law, in practice, meaning it is now generally construed by reference to ordinary domestic legal standards and principles...
This Checklist summarises Consumer Duty priority themes identified by the Financial Conduct Authority (FCA). See The FCA Consumer Duty—timeline for the full developments timeline...
STOP PRESS: This document is currently being updated to take account of the full implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which amends both the UK GDPR and the Data Protection Act 2018. For further guidance on the compliance consequences of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications. The UK General Data Protection Regulation (UK GDPR) grants data subjects several rights, including, among others: access to their personal data; rectification; erasure; restriction of processing; data portability; and other rights of data subjects. Individuals may ask an organisation at any time of their choosing to exercise one or more of these rights, and strict time limits apply to responding to such requests. See Practice Note: How to handle data subject requests. This Flowchart sets out a process for dealing with data subject requests made under the UK GDPR and reflects the requirements in the UK GDPR together...
STOP PRESS: This document is being revised to take account of the Data (Use and Access) Act 2025 (DUAA 2025), which updates the UK GDPR and the Data Protection Act 2018. For more on the compliance impact of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications... This Flowchart steers you through the lawful mechanisms for sending personal data to a country outside the UK, for example: an adequacy decision or regulation; appropriate safeguards such as standard contractual clauses (SCCs), the International Data Transfer Agreement (IDTA) or binding corporate rules (BCRs); or a derogation. Such transfers are barred by the data protection regime unless one of these tools is in place. These mechanisms exist to ensure data subjects remain protected when their personal data leaves the UK... The mechanisms follow a hierarchy, and this Flowchart helps you select the route most suitable for your organisation and processing operations... This Flowchart reflects the UK General Data...
This Flowchart helps determine which stamp duty land tax (SDLT) provisions are relevant on a lease renewal where a tenant remains in occupation by ‘holding over’ after a fixed-term lease ends. It should be considered together with the fuller Practice Note: SDLT—holding over. The SDLT provisions governing situations where a tenant holds over a lease, and that lease is subsequently renewed, are intricate and often complex...
In this issue: Horizon scanning; Directors; Status and worker categories; Cross-border, international and jurisdictional issues; Recruitment; Protected characteristics; Prohibited conduct (discrimination etc); Diversity and gender pay gap; Maternity, parents and carers; Financial services and banking: employment issues; Data protection and employee information; Bribery, modern slavery, tax evasion and fraud; Employment Tribunals; Scotland; Ireland; LexTalk®Employment: a Lexis®Nexis community; Dates for your diary; Trackers; New Q&As; Employment resources on Lexis+®; Daily and weekly news alerts. Horizon scanning: BTC launches call for evidence on Employment Rights Bill. The Business and Trade Committee (BTC) has opened its first request for evidence for a new inquiry into the Employment Rights Bill (ERB). The inquiry will collect written and oral submissions to steer the Bill’s subsequent passage through Parliament and to gauge whether it is set to meet its stated aims. Written evidence should be submitted by Friday...
Abbot v The Information Commissioner [2024] UKFTT 478 (GRC) What are the practical implications of this case? This ruling mirrors the approach in other recent decisions on the operation of the exception to disclosure under EIR 2004, SI 2004/3391, reg 12(5)(b), again stressing the considerable weight that legal professional privilege carries within our justice system. It therefore highlights the obstacles applicants will encounter when attempting to access documents protected by legal professional privilege, and that only ‘special or unusual’ circumstances are likely to be sufficient for the public interest in disclosure to prevail over the interest in preserving legal professional privilege. That said, legal professional privilege was not the Tribunal’s only concern when concluding that EIR 2004, SI 2004/3391, reg 12(5)(b) applied. The Tribunal indicated that the exception would have been engaged even without legal professional privilege, particularly because releasing the material would not have added anything of substance to what is already in the public domain. As such, the analysis turned on whether disclosure would materially add...
What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for? The most notable reforms in the Act that trustees should be ready for are: Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay. ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance. Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response. Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place. ...
Data security sits at the heart of the UK General Data Protection Regulation (UK GDPR). The sixth data protection principle — integrity and confidentiality — obliges you to implement suitable technical and organisational measures so that personal data is processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This Practice Note draws on ICO guidance regarding personal data breaches under the UK GDPR. It also incorporates further practical pointers and information drawn from ICO guidance on managing data security breaches issued under the previous data protection regime; that guidance has now been withdrawn. The Practice Note additionally aligns with materials from the European Data Protection Board (EDPB). According to the ICO, although the UK has left the EU, these guidelines continue to be relevant. Data security requirements: Article 32 expands upon the GDPR’s integrity and confidentiality principle by setting out further detail...
As of 31 January 2020, the UK left the EU and the EEA. This Practice Note introduces two frameworks: (1) the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) framework (which applied within UK law up to the end of the Brexit implementation period—11 pm UK time on 31 December 2020—and continues to operate across the EEA; therefore, any references in this Practice Note to EEA or EU states should be read as also covering the UK until that period concluded); and (2) the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) framework (which applies under UK law from the end of the Brexit implementation period). Where there is no need to draw a distinction, this Practice Note refers to both as ‘GDPR’ for ease. When looking at the routine processing of personal data, the UK GDPR and the Data Protection Act 2018 (DPA 2018) should be consulted together, as both sets of provisions have direct effect. Practitioners will generally...
This Practice Note offers a high-level overview of the data protection framework relevant to direct marketing, particularly how such activities may give rise to compliance obligations under the Assimilated Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426. It is aimed at commercial organisations in the UK, with further, scenario-specific guidance signposted. The main difficulty in direct marketing is determining what the UK GDPR and PECR 2003 permit and whether consent is needed, which will differ according to the activity undertaken and the audience targeted. This Practice Note reflects the following ICO guidance: Direct marketing guidance; Direct marketing using live calls; Making live marketing calls about claims management services; Making live marketing calls about pension schemes; Direct marketing using electronic mail; Guide to PECR, cookies and similar technologies; Guide to PECR, what counts...
FORTHCOMING CHANGE: The Information Commissioner’s Office (ICO) has issued draft guidance on recruitment and selection, which was open to consultation until 5 March 2024, and has also removed the employment practices code and its supplementary guidance from the employment information page. For further details, see Practice Note: The UK GDPR and DPA 2018: key data protection issues for employment lawyers—Information Commissioner's Office (ICO) guidance. This Precedent will be updated in due course. [ Insert name of organisation ] This notice sets out what personal data (information) we will hold about you, how we obtain it, and how we will use and may share information about you during the application process. We are required under data protection legislation to provide you with this information. Please ensure you read this notice (also referred to as a ‘privacy notice’) and any similar notice we may give you from time to time when we collect or handle personal data about you. Who collects the data [ Insert name of...
1 Data breach team. The initial action is to convene a team to handle and respond to the breach. Data breach team lead: [ insert the name or description of the person who will lead the data breach team, eg DPO ]; [ Data protection officer (DPO) ]: [ insert name ]; Head of legal: [ insert name ]; Head of compliance: [ insert name ]; Head of IT: [ insert name ]; [ insert any other, eg head of HR if the breach involves employee data ]: [ insert name ]. 2 Background information. Refer to the Data breach report form, if appropriate...
ARCHIVED: This Precedent has been archived and is not maintained. [ Name ] [ Address ] Ref No: [ number ] [ Date ] Dear [ applicant's name ] We acknowledge receipt of your [ letter OR email OR fax ] dated [ date of letter/email/fax from applicant ] regarding [ insert details ]. I can confirm the department holds this information...
We have concentrated specifically on sections 108–110 of the Digital Economy Act 2017 (DEA 2017) and sections 132–133 of the draft Data Protection Bill 2017 (DPB 2017) for the purposes of this Q&A. Part III of the Data Protection Act 1998 (DPA 1998) obliges data controllers who handle personal data to notify the Information Commissioner of their processing for inclusion in the register maintained by the Information Commissioner’s Office (ICO). Controllers seeking to register must pay an applicable fee. For further details, consult the Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188, and official guidance from the Information Commissioner...