Update from the AOP: ICO Adtech Investigation – Awareness & Accountability

Published: 02 Mar 2021

The AOP have been speaking with the ICO to understand how the ICO’s recent announcement in January will impact digital publishers across the UK. Following Brexit, and with the investigation into AdTech resuming, the legitimacy of processing activities based upon the IAB Transparency and Consent Framework (TCF) will continue to be increasingly stress tested. 

As Data Controllers, publishers would be sensible to revisit this area to confirm they have appropriate mitigation activity in place which is consistent with their risk appetite and to ensure that they feel comfortable explaining and defending the position they have adopted. 

In particular, Data Controllers should be able to demonstrate that they have the appropriate measures and safeguards in process to ensure that the data protection principles and the rights and freedoms of data subjects are effective: 

The ICO notice signposts a few specific areas to review:

1. Guidance regarding the lawful basis for processing personal data - Consent & Legitimate Interest
2. Accountability and Responsibility of the Controller – Data Protection by Design & Default (DPbDD) and Data Protection Impact Assessments (DPIA’s)

Each of the four topics are covered on separate pages of the ICO website which contains checklists, information and further references for your use:

• The checklists provide a list of relevant questions to help publishers review their activity. As a minimum, publishers should use them to document and understand their exposure and refine existing activity if necessary.
• The ICO also strongly recommend reviewing the European Data Protection Boards guidance on Data Protection by Design & Default.

Data Protection by Design & Default is expected as a minimum whereas Data Protection Impact Assessments for processing are considered high risk. This 30 page PDF guidance document was adopted in October 2020 and extends the 3 paragraphs in the GDPR text to provide recommendations relating to demonstrating the key principles of GDPR. It also highlights design principles that Publishers should consider and recommendations regarding working with third parties. 

In addition to the restart of the ICO investigation, UK-based Publishers with an international presence (who have UK & EU data Subjects) now have a greater risk exposure since we’re losing the “one stop shop” regulation under GDPR. It is important to be aware of the guidance and potential investigation / sanction from the UK ICO and a GDPR based Data Protection Authority. 

This is a complex area that will continue to evolve as guidance and legislation develop, for example with the recent developments in the ePrivacy Regulation. The ICO is also in the process of providing further insight into how they propose to exercise their regulatory functions when issuing information notices, assessment notices, enforcement notices and penalty notices in a draft Guidance document that may help you refine your position. We will continue to liaise with the Information Commissioner Office and other industry bodies such as the IAB and notify members of relevant information as things develop. 

The AOP UK have been supported in our activity in this area by Stef Elliott and if you have any specific queries please feel free to contact him via stef.elliott@6sm.co.uk .