Ana Pestana and Laura Trapnell | 3rd February 2022

Information Commissioner’s Office : Data Protection in 2022


Ana Pestana and Laura Trapnell | 3rd February 2022

Information Commissioner’s Office : Data Protection in 2022

The Information Commissioner’s Office (“ICO”) has published an article entitled – “Data Protection: what to expect in 2022” – which focuses on the main developments from the UK but also includes EU developments that are likely to remain important to businesses that operate both in the UK and the EU.

Summary of the Information Commissioner’s Office Report

We summarise the article below for you, picking out the key issues as we believe they relate to our clients. It will be interesting to see, throughout 2022, the extent to which the UK diverges from the EU rules when it comes to areas such as e-privacy, digital regulation and AI.


Confirmation of changes to accountability framework – some of the changes being considered include introducing a risk-based accountability framework that will be tailored to each organisation’s data processing work and based on a privacy management programme. There would be no longer the mandatory requirement to appoint a data protection officer, perform data privacy impact assessments or keep processing records. Prior to any changes the results of the analysis made by DCMS are awaited, they will confirm if the corporations will welcome these changes or if they will be considered just as burdensome as the existing ones.

Pragmatic scrutiny of compliance

The ICO is making an effort to enforce compliance with the UK GDPR whilst keeping up with the rapidly evolving digital landscape and understanding the challenges faced by organisations during the pandemic. The ICO will continue to engage constructively with corporations by providing guidance and evaluating projects.

New journalism code

A new statutory code to ensure compliance with data protection requirements will be presented in 2022 to Parliament, the code will provide guidance to media organisations and those involved in data processing for the purposes of journalistic work.

Certification schemes

This is a way for an organisation to show it is complying with its data protection obligations. The ICO is keen to develop more certification schemes during 2022.


Proposal in the DCMS consultation

The Government’s proposal includes a list of cookies that would not require consent in order to be used, analytic cookies would be on that list. Third party cookies would still require consent and the proposed list would not exempt an organisation to provide comprehensive information about their cookies policies.

Automated decision-making and profiling

The DMS consultation seeks views on automated decision-making and profiling in order to reduce its restrictions and include the right to human intervention and collateral use of personal data.
Google’s proposal to remove third party cookies – Google’s proposal on “Google Privacy Sandbox” intends to enable targeted advertising by implementing alternative technologies that will allow cross-tracking and replace third party cookies. Google is confident that its Privacy Sandbox will allow for a healthy ad-supported web, this will force advertisers and publishers to adapt their procedures.

Case Law

Richard Lloyd v Google ruling has made it more difficult to bring class actions on an opt-put basis for breaches of data protection law. Mr Lloyd’s arguments that “loss of control” over personal data is included within the meaning of the word “damage” in section 13(1) was supported by the ICO. A number of class actions have been put on hold waiting the outcome of this ruling and we wait to see if they will be continued.

Data security

Data breaches

Data security and data breaches will continue to be a focus for organisations and the ICO. Hardware, software misconfiguration and ransomware were where there was the biggest increase in incidents reported and therefore there may be a higher focus on these.

Certification schemes

The ICO approved a certification scheme criteria that ensures personal data has been dealt with correctly whenever IT equipment is re-used or destroyed.


A preliminary paper on end-to-end encryption, including online safety, is expected to be published in early 2022.


The Product Security and Telecommunications Infrastructure Bill has been published by the Government. The Bill creates a regulatory scheme that makes consumer connectable products safer against cyber attacks.

Data Sharing

DCMS consultation

The consultation has proposed the use of data intermediaries in the public, private and third sectors, to help manage data collection and sharing in an efficient and responsible manner.

UK National Data Strategy

The National Data Strategy aims to allow for a thriving and fast-growing digital sector by empowering Government and economy through the use of data and ensure public trust in its use. The Regulatory Sandbox will support organisations that provide services or products that use personal data in an innovative and safe way.

EU Data Government Act

The EU Data Government Act will boost data sharing across different sectors and EU member states. This will not apply to the UK after Brexit.

Direct marketing

ICO draft direct marketing code of practice

Once the code of practice in in force, it will grant more powers to the ICO to enforce the Data Protection Act 1998 than the current direct marketing guidelines.

DCMS consultation

The DCMS consultation has proposed to extend “the soft opt-in” for electronic communications for direct marketing to also cover non-commercial organisations such as political and charitable organisations and proposes to grant further powers to the ICO by introducing new laws to prevent nuisance calls, texts and emails.

e-Privacy Regulation

This regulation intents to tighten the rules on electronic direct marketing such as emails, texts and calls. This will not apply in the UK. However in view of its proposed territorial reach it is relevant to follow its progress.

Employee data and monitoring

Employment practices guidance

New guidance on recruitment, employment records and the monitoring of workers and information about their health is expected from the Information Commissioner’s Office.

Employee monitoring

Data protection compliance issues may rise from employers monitoring their employees’ productivity while working from home, collection of vaccination status and data on work patterns and movements. Employers will have to work through and document any compliance issues.

Exporting personal data

UK Government proposals on the future of the UK data protection regime

The DCMS has proposed global data protection plans that aims to promote growth, increase trade amongst countries and help improve the public services. The proposals include:

  • a “data adequacy” partnership that includes territories such as USA, Australia and Dubai;
  • an International Data Transfers Expert Council that will support the UK in managing the international flow of personal data; and
  • approved codes of conduct and certification mechanisms – the ICO is working with various sectors in order to approve a code of conduct for restricted transfers, further developments are awaited. There is no approved certification schemes currently in use as an appropriate safeguard on international transfers but guidelines are expected in due course.


New Information Commissioner’s Inbox

John Edwards will have a challenging inbox to work through as the new Information Commissioner. Key issues include:

  • Implement any changes following the DCMS consultation on data protection reforms
  • International transfer consultation
  • Ongoing investigations and
  • Allowing for data driven innovation while keeping organisations accountable

Rights of data subjects

Proposed legislative changes to subject access

A fee structure is being considered in order to help the capacity to respond to such requests based on factors such as time, cost and scope. The ICO has drafted guidance on the rights of access individuals have in relation to personal data held for law enforcement purposes and what obligations the competent authorities have.

Human Rights Act 1998

A consultation is being held on reforming the Human Rights Act and replacing it with a UK Bill of Rights, the consultation will close on 8 March 2022.

Online safety Bill

This Bill will apply to social media providers and search engines and includes the duty to protect rights of freedom of expression and privacy.

Sanctions and remedies

Bringing PECR’s enforcement regime in line with the UK GDPR

Unsolicited marketing communications continue to exist and be made by organisations such as American Express and Sports Direct regardless of the number of fines for infringements of PECR. DCSM has suggested increasing the fines to the same values as those under the UK GDPR, which could act as a significant deterrent.

ICO suggestion to extend PECR’s territorial scope

ICO has suggested that the PECR should include extra territorial scope which would enable the ICO to pursue organisations that target UK citizens, even if outside the UK.


ICO focus on use of live facial recognition (LFR)

LFR poses a risk to data protection rights specially in a future where LFR is integrated with CCTV camera systems and combined with social media. A high bar has been set to justify the use of LFR and the pursuit of public protections has to be balanced with privacy and data protection concerns.

If you would like further information on any of the issues raised above or would like to discuss a particular issue with our data protection team, please contact Laura Trapnell or another member of our Data Protection team.