GDPR for HR | A glance back at 2022 and look forwards to 2023
Published on 25th Jan 2023
In this edition of our GDPR for HR newsletter we look back at the events of the past year and ahead to some of the developments that employers can expect over the course of 2023.
Key events of 2022
Looking back, 2022 was an eventful year in data protection. The UK government indicated plans to implement the most wide-reaching changes to the UK GDPR since Brexit, the courts issued a number of important decisions which will shape how employers handle employee data, and the Information Commissioner's Office (ICO) issued guidance on a number of key areas for employers.
We have set out a timeline of notable data protection events from 2022 below:
The new International Data Transfer Agreement (IDTA) was introduced to the UK Parliament, together with the IDTA Addendum to the European Commission's Standard Contractual Clauses (SCCs) and transitional provisions.
The European Commission published its proposal for the "Data Act". In particular, the Data Act sets out who can create value from data generated by Internet of Things (IoT) devices and ensures consistency between data access rights.
The ICO published its updated guidance on the use of video surveillance systems. This guidance highlighted the need to consider a data protection impact assessment (DPIA) before undertaking surveillance in the workplace, and stressed that audio recording of a workforce should only take place in rare circumstances.
The Court of Appeal issued its decision in Brake v Guy. This decision clarified some considerations for employers when monitoring employee emails.
The Irish Court of Appeal issued its decision in Doolin v DPC. This case set out considerations for employers using CCTV footage in disciplinary investigations.
The ICO produced its artificial intelligence (AI) and data protection risk toolkit. This toolkit supplemented earlier ICO guidance on AI and was designed to provide further practical support to employers to reduce the risks to individuals' rights and freedoms caused by their own AI systems.
The UK government published its "Digital Strategy" for 2022. This set out a number of steps to be taken to grow the economy and innovate, including reform of the UK GDPR.
The UK government introduced the Data Protection and Digital Information Bill as a result of the "Data: a new direction" consultation. The changes proposed in the bill aimed to reduce the administrative burden on businesses, promote innovation and reform the ICO. The bill also proposed changes to the data subject access request (DSAR) regime, namely the introduction of a new test for refusing and charging for data subject access requests.
The American Data Privacy Protection Act (ADPPA) was introduced in the US House of Representatives. This proposed legislation aims to harmonise privacy rules in the US, which currently vary on a state-by-state basis.
The ICO announced that it would be investigating the use of AI systems in an employment context. In particular, its investigation seeks to clarify the extent to which these systems might show racial bias and how this risk could be minimised.
The Data Protection and Digital Information Bill was delayed by Liz Truss's government in order to consider more wide-reaching reforms to the UK GDPR.
The ICO published best practice guidance in respect of handling DSARs. This guidance focused on the communications that the ICO expects to see between organisations and data subjects.
The Home Office was reprimanded by the ICO for the loss of sensitive documents. The reprimand recommended that the Home Office review its "handling instructions" for sensitive information and introduce clear "sign-out" procedures.
The ICO published updated draft guidance on employment practices, monitoring at work and the collection of employee health data.
The ICO published updated guidance on international data transfers. This included a section covering transfer risk assessments (TRAs) and a new TRA tool.
Looking to 2023: what we expect to see in the coming months
It looks like 2023 will be another busy year in data protection, with some significant changes expected to the UK data protection regime, as well as further guidance for employers from the ICO. We have set out some of the principal data protection themes relevant to employers below.
Updates to the UK GDPR
In 2022 the UK government set out plans for a number of substantial updates to the UK GDPR. Although these were placed on hold in September, there are indications that discussions will recommence later this year. It is anticipated that the changes indicated by the Data Protection and Digital Information Bill will be the minimum changes made to the UK data protection regime, with the possibility that more far-reaching changes could be introduced in an attempt to reduce the burden on businesses.
The minimum changes that we expect to see affecting the way in which employers deal with data subject access requests include:
- An amendment to the circumstances in which employers can refuse to respond to a DSAR. The draft bill had proposed that employers would be able to charge a fee or refuse to respond to a DSAR where the request is "vexatious or excessive". Previous governments had indicated a desire to move away from DSARs being processed where personal data, or concerns about its processing, are not the real purpose of the request.
- A change to the definition of "personal data", so that the only question is whether the employer, or others likely to receive the data, are reasonably likely to be able to identify the individual in question. Essentially, this would be a more subjective test and may limit what is in scope of a DSAR.
The ICO has indicated that it plans to provide individuals with a better understanding of how their information is used and accessed over the course of this year. DSARs form a major aspect of this and the ICO has specified that it plans to introduce a new "subject access request tool" which will help individuals to identify where to send their requests and explain what they should expect from the DSAR process. It has also indicated that it will provide individuals seeking to exercise their rights with "easy to access answers" (that is, FAQs).
The ICO has also expressed its goal to reduce the burden or cost of compliance with data protection laws. It is seeking to accomplish this through a series of services, tools and initiatives "so organisations can benefit from the advice and support of the regulator when planning, innovating and managing information risk".
Dipping into Data – spring 2023 series
Our "Dipping into Data" series consists of monthly 30-minute webinars on key legal, regulatory and commercial considerations around the use of data (whether personal or otherwise), including data privacy, other data regulation, intellectual property, competition and contract issues. The first of our webinars was on the ICO's updates to its guidance on direct marketing, and a recording is available to re-watch. Our next two webinars of this year are on: (i) Beyond privacy – a new era for UK and EU data regulation (Monday 27th February); and (ii) A focus on health data. Further information (including dates and times) and registration details for these webinars are available on request.