Biometrics, codes, certification and post-Brexit trends

As PL&B’s contribution to European Data Protection Day, our first event of 2020 is Balancing privacy with biometric techniques in a commercial context, a one-day roundtable in London on 29 January. Very few places remain if we are all to actually fit around the table. Participants will share examples of the introduction of biometric identification in companies while attempting to achieve a balance with privacy principles and the law.

By attending this event you will be in a much more secure position to assess the risks and gain insights to organise a credible Data Protection Impact Assessment. You will become confident that you will be closer to achieving a defensible balance between introducing and/or deploying biometric identification techniques and the privacy values your staff, customers, shareholders and regulators expect.

The ICO is planning to produce guidance on the processing of biometric data following the publication of its Opinion on facial recognition (PL&B UK Report November 2019 p.8). We will pass on the conclusions of the group and any recommendations to the ICO.

Codes and certification

Codes of conduct and certification schemes are now gathering pace and are expected to start to become commonly used forms of co-regulation this year. While both are recognised as useful instruments to demonstrate GDPR accountability, they could provide a useful bridging mechanism for Data Protection Officers in the UK who want and need their companies to comply with both the Data Protection Act 2018 and the GDPR.

PL&B will continue to monitor the ICO’s certification programme and has put several questions to the ICO, for example:

  1. When will the UK Accreditation Service (UKAS) start accrediting certification bodies?
  2. What will be the stages of the accreditation process?
  3. How long does the ICO expect the application and accreditation process to take?
  4. What will be the ICO’s continuing oversight and policy roles?
  5. Regarding the scope of a certification process, and appreciating that the certification process will be a learning curve for all parties, what will be the first types of certification schemes to be published by the ICO and when?

If you have questions which you would like PL&B to put to the ICO and/or UKAS on a named or anonymous basis, please send them to

Reciprocal recognition of data adequacy between the UK and the EU

There is a strong commercial incentive towards reciprocal recognition of data adequacy between the UK and the European Union, so codes of conduct and certification schemes could play a useful role for some highly regulated sectors as an adjunct to the law.

But would the UK government in its first flush of enthusiasm to negotiate trade deals with countries outside the EU go so far as to align itself with the APEC Cross-Border Privacy Rules (CBPRs)? To do so would set up a two-tier system with some personal data being transferred abroad using recognised EU instruments, such as Standard Contractual Clauses, and others in conformity with the much looser CBPRs.

Choosing the less rigorous option may appeal to UK policy makers using the argument that it would encourage faster growth of innovative products and services. But this path is only superficially attractive because sentiment against profligate use of personal data in adtech and AI-directed “smart” gadgets and services might lead to a reduction in support for some tech companies’ products and services when they abuse people’s trust.

There is no doubt that the fast growth of many state privacy laws in the United States in a race to catch up with California (PL&B International Report p.1) reflects a trend towards greater privacy protections and disenchantment to some extent with the exploitation of personal data for commercial purposes. In many states, sentiment in the state congresses is to compare privacy law in the US unfavourably with that in Europe. It would be ironic if the UK government weakened its stance on privacy at the very time when it is firming up in the US.

By the time of the March edition of PL&B UK Report, the way ahead for data protection post-Brexit should be clearer.


Stewart Dresner, Publisher


UK Report 107

Lead stories:

The ICO urgently needs enhanced confiscation powers

Personal data can be laundered like money, so the ICO is seeking powers under the Proceeds of Crime Act. By Paul May of WebXray.

Codes of Conduct under the GDPR: Business opportunities?

Camilla Ravazzolo of the UK Market Research Society reports on the latest developments.
