As more sectors adopt new technologies, organisations need to understand the complex and often conflicting legal frameworks those technologies interact with. The UK Investigatory Powers Act (IPA) 2016, often called the ‘Snooper’s Charter’, has recently been amended, and the amendments give public authorities broader and more intrusive powers to collect, store and access communications data than before. We explore what the updates mean for organisations and how data protection officers (DPOs) can help make sense of the requirements.
Balancing UK privacy threats with global data protection standards
The updated IPA expands government surveillance powers, presents challenges for data protection and privacy teams, and potentially puts the UK at odds with global data protection standards such as the EU’s GDPR. Government officials maintain that the changes are necessary to counter evolving threats from advanced technologies and criminal enterprises, but the expanded powers granted to the security services may come at the expense of data privacy and cybersecurity.
This creates a minefield for organisations already balancing compliance with the EU’s GDPR, US privacy laws and other international privacy frameworks. There is a real risk that the UK’s approach could clash with those standards, jeopardising the UK’s data adequacy status with the EU and complicating cross-border data flows.
The new IPA in practice – how DPOs help to make sense of a complex regulation
While the “double lock” system (requiring both ministerial and judicial sign-off for the most intrusive warrants) remains for some activities, the new amendments introduce lighter-touch oversight for certain types of data, specifically, bulk personal datasets (BPDs) and third-party bulk datasets (3PDs).
DPOs are now more crucial than ever. They are the bridge between organisations and regulators, advising on and monitoring compliance with both the IPA and data protection law. DPOs must:
- Map data flows to identify where personal data and metadata are stored and processed
- Classify and secure bulk datasets to prevent unauthorised access
- Respond to government notices (such as Technical Capability Notices or Data Retention Notices) and document every step taken in response
- Conduct impact assessments before making any technical change that could affect privacy or security
The IPA’s new requirement for technology companies to notify the government before rolling out certain system changes, such as new encryption or security upgrades, adds another layer of complexity. If notification holds up a release, it could delay critical security patches and leave systems exposed to cyber threats for longer.
The Act’s new rules on bulk personal datasets mean the government can demand access to huge swathes of data held by private companies, from travel records to biometric information. For organisations, this heightens the importance of strong data governance, particularly when handling personal data across borders or in jurisdictions where several regulatory frameworks apply at once.
HewardMills’ global team of DPOs works with organisations to put in place strict access controls, robust encryption and clear documentation of how and why data is shared or retained. As regulations and Acts like the IPA continue to evolve, HewardMills is ready to help your organisation navigate these changes.