General Data Protection Regulation approved and in force from 24 May 2016!
") and it was then published in the EU Official Journal on 4 May 2016. Star Wars fans and data protection geeks alike were no doubt cheering 'May the fourth be with you' all day yesterday. Publication started the 20-day countdown, so the GDPR enters into force on 24 May 2016 (the twentieth day after publication, as Article 99 provides). After the two-year transition period it becomes directly applicable and enforceable in all Member States from 25 May 2018.
Organisations must therefore now start putting in place the policies, procedures and systems needed for compliance. The ICO has created a
dedicated to updates on the GDPR and aims to ensure that all relevant GDPR guidance and any guidance updated in light of the GDPR will be added to that site. The ICO's initial posting on the site sets out a useful guide on 12 suggested steps to take now in order to prepare for the GDPR.
The EU Article 29 Working Party ("Art29 WP") has also published its
outlining how the GDPR should be implemented. The Art29 WP highlights 4 priority areas:
- Setting up the European Data Protection Board ("EDPB") structure and its administration;
- Preparing the One-Stop-Shop and the consistency mechanism;
- Issuing guidance for data controllers and processors; and
- Communication around the EDPB and the GDPR.
Many of our clients have begun asking us for bespoke advice on how the GDPR will affect them and have asked us to carry out data protection compliance and gap analysis audits, highlighting increased compliance risks under the proposed GDPR changes. If we can assist you with this also, please do
UK has a Hamlet moment
Meanwhile, the nation still ponders the question: "to Brexit, or not to Brexit". The ICO has stated that even if we decide to exit the EU
"the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU". The regulator added "Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on".
Many clients have been asking our opinion on the likely impact on GDPR implementation if the UK leaves the EU, especially as the Cabinet Minister responsible for GDPR implementation, John Whittingdale, has made clear his view that we should leave.
It is our opinion that, whatever happens, the UK would probably aim to become an EU authorised 'safe country' or, as a country outside the EEA, would still need some other kind of "adequate level of protection" in place to permit business with the EEA. Given that the current UK DPA has already been found inadequate by the EC, significant change would likely be required to upgrade the current legislation and meet the enhanced requirements under the GDPR. The UK would therefore most likely have to bring in legislation equivalent to the GDPR to continue doing any business in the EU which involves personal data transfers to/between European business partners, group companies etc. The ICO's 'Keep Calm and Carry On' mantra therefore remains a good one when preparing for the GDPR, whether we Brexit or not.
Marketers Take Heed
16 May heralds a new era for direct marketing firms. They must now display their telephone numbers when making 'cold' calls. The government's announcement means any firm found to be breaking the new rules could receive a fine of up to £2 million from the communications regulator Ofcom, in addition to a possible £500,000 fine from the Information Commissioner's Office ("ICO").
The changes come not long after the ICO fined Prodial Ltd (a lead generation firm responsible for over 46 million automated marketing calls) £350,000, the highest fine to date under the PECR rules. For more examples of the ICO's recent enforcement action in this area in order to brief your Board, see
Marketers should also check out the new direct marketing guidance published by the ICO on 24 March 2016. Find a copy of the new guidance and a briefing on the main changes in it on the ICO website here. The ICO is lobbying for the guidance to have statutory recognition, which would enable the Courts and Tribunals to take account of it. Although this is not yet the case, Baroness Neville-Rolfe added her support for the move at a recent Direct Marketing Association Data Protection Conference. For now the guidance remains a "best practice" recommendation. We'll keep you posted if it gains a higher status in due course.
Rules on proper and compliant engagement with potential customers remain vital as the benefits of sharing data to make markets more competitive become clear. For instance, reforms proposed for the energy market by the UK Competition and Markets Authority would see the creation of a 'super database' of customers who have been on a standard variable tariff for three years or more. These customers, who could potentially benefit from reviewing their deal or moving suppliers, would constitute a huge target market for rival firms' marketing. The type of consent and/or opt-in/opt-out mechanisms required to manage the creation of, and activity around, this database will need significant review.
Time to welcome some new chiefs
The UK government has confirmed Elizabeth Denham as its new Information Commissioner from the 28th June 2016. Elizabeth was formerly the Information and Privacy Commissioner for British Columbia so comes to the role with a wealth of experience. This will be very important at a time of great transition under the GDPR. We wish Elizabeth well in the new position and wish the outgoing ICO Chief, Christopher Graham, all the very best in his future endeavours.
We have seen great advances in data protection and privacy regulation during his time in office. See more about Elizabeth's appointment
In other Government news, it was announced on 18 April 2016 that the UK's first National Technology Adviser has been appointed. The announcement states that the "
new role will see him expand the government's relationships with the digital and technology industry to boost the UK's digital economy and provide world class public services for citizens".
You can't rely on the US Privacy Shield yet - EU report says 'must do better'
You'll recall from our previous Newsletter and Blog articles that on 29 February 2016, following months of intense negotiations, the European Commission unveiled its proposals for the new EU-U.S. Privacy Shield, intended to enable compliant transfer of personal data from the EU to the US following the invalidation of the US Safe Harbor scheme.
It is disappointing, if perhaps not surprising, that the Art29 WP recently declared that in its view the proposed self-certification US Privacy Shield is insufficient to protect the privacy of EU citizens and fails to meet EU adequacy standards. This has caused yet more political wrangling across the Atlantic. See more about this in our Blog Article
What this does mean is that anyone 'holding out' for the Privacy Shield to be finalised, and perhaps turning a blind eye to compliance for transfers of personal data to the US in the meantime, must stop doing so. It doesn't look like there will be a definitive solution on the Privacy Shield any time soon.
While the Art29 WP also raised some concerns about the adequacy of Binding Corporate Rules and the EU Standard Contractual Clauses, it and in turn the ICO
have made it clear that organisations can, for now, continue to use these mechanisms to enable compliance when transferring personal data outside the EEA. See the ICO's latest
on the issue.
Don't get caught out without a compliant solution in the meantime. If you need our advice on how to transfer personal data legally to the US or indeed anywhere outside the EEA, please do
Are your Organisation's encryption processes fit for purpose?
The ICO recently published
on how and when to use encryption. Encryption is not yet an explicit legal requirement, but it is a basic level of security expected by the ICO, and many organisations have been fined by the ICO for failing to have adequate encryption in place.
How do you obtain consents for data processing now and how is that going to change under the GDPR?
We have recently written detailed
for publication in Lexis®PSL IT&IP publication. These have been reproduced in our
and may be of interest to those of you reviewing your existing reliance on consent under the Data Protection Act 1998 and how consent will be validly obtained under the new GDPR rules.
Regulation review a constant business - changes to the e-privacy rules?
Information sharing across Europe and internationally is picked up by many different strands of legislation. Combine this with constant technological advances and it becomes clear that laws should be regularly reviewed to check for robustness, thoroughness and overlap. The recent approval of the GDPR has led to a European Commission review of the e-Privacy Directive (2002/58/EC), which was last updated back in 2009. It is not surprising that this review is underway.
The review will look at the current scope of the e-privacy rules and at the confidentiality and security of communications throughout the EU. It will also include a consistency check between the e-Privacy rules and the final text of the GDPR. Watch this space! In fact, don't just watch. Get involved, especially if you are interested in the knock-on impact on the marketing rules: the consultation website is open until 5 July 2016.
Public Sector Big Data & Data Sharing
The Government plans to work with the ICO to prepare guidance on the implications of re-use of personal data under the GDPR. The Government's Science and Technology Committee has previously raised concerns that the GDPR "
appears to leave it open for data to be re-used, and potentially de-anonymised, if 'legitimate interests' or 'public interest' considerations are invoked" but that it is not clear how to balance the competing interests of using data in this way with individuals' privacy rights.
The Government has also recently completed a consultation into information sharing and the use of data in the public sector. It is understood that the proposals will create two Codes of Practice that would be laid before Parliament. Watch this space!
Technology giants act to protect users privacy
From a consumer bystander's point of view, the question of e-privacy and the extent to which information and communications can be shared with authorities continues to make the news. Interestingly, WhatsApp has added end-to-end encryption to its service. All messages, including photos, other file transfers and voice calls, are encrypted so that whoever intercepts them, whether a criminal, a law enforcement agency or even WhatsApp itself, cannot see the content. Note that end-to-end encryption protects the content of a communication; metadata such as who contacted whom and when remains visible to the service provider. This announcement comes after the ongoing battle in the USA between Apple, the US government and the FBI. Apple has so far resisted pressure to unlock iPhones to help progress criminal investigations, citing users' privacy rights. Interestingly, the social networking site Reddit has removed wording from its website (a so-called 'warrant canary') informing users that the site administration had not received a certain type of US government surveillance request. Removal of this wording implies that the platform is now being asked to work with US law enforcement authorities and potentially hand over customer data, which has prompted privacy concerns amongst users.
Is big brother watching?
Possibly yes! Here in the UK, it has been revealed that successive Home Secretaries have authorised MI5 to collect data from communications network operators since 2005. Whilst the content of communications is not included in the database, telephone, internet and some financial data is. As the Investigatory Powers Bill makes its way through Parliament, the extent to which users' data can be monitored, analysed and potentially used in legal investigations here in the UK, across Europe and internationally is becoming a hotter topic.
Holidaying soon? Is Passport Data Capture an interesting travel log or vital to security?
Whether we are in the EU or not, EU-wide agreements and regulations to share data for security purposes will also prove necessary. Legislation has at long last been approved which requires airlines to share air-passenger data. The Passenger Name Record (PNR) Directive will make the personal and credit card data of all air travellers flying into and out of the EU accessible to national police and intelligence services for up to five years. Once it is formally approved by the bloc's various institutions, those countries that don't yet have units set up to process the data (the UK already does) will have two years to do so.
Our Recently Published Media Articles
If you are keen for more regular news in between our quarterly Newsletters, don't forget to follow us on our
for consumer data protection news.
You may also find the following articles, that were published recently in mainstream media, website or blog, of interest to your Organisation: