13 April, 2017
With just over a year to go before the General Data Protection Regulation (GDPR) enters into force, you may have started to think about how it impacts your business. A risk-based approach is becoming more important because not only are you required to act within the law, you will also be required to show how you are doing this in practice through policies and procedures.
The GDPR does make a number of changes to the existing data protection regime in the UK, as we have previously reported. However, the finer detail is slowly emerging through guidance that the Information Commissioner's Office (ICO) is working on and measures to be introduced by the Government.
One of the changes that the GDPR will bring in is a higher standard for consent. The ICO has already issued draft guidance on consent, which it has consulted on. Whilst the guidance does provide a good overview of the key issues for businesses to consider, we have responded with suggestions as to where further examples would be useful and await the finalised version. Another issue currently out for consultation is profiling and automated decision-making, to which we will be responding.
If you rely on consent and/or use algorithms in your business operations, staying up to date with these developments as part of your preparatory work for GDPR compliance is most important, to ensure that your internal policies and procedures are in line with what the regulator expects.
The other consultation that is important to be aware of is the 'Call for Views on GDPR Derogations' by the Department for Culture, Media & Sport (DCMS). This has recently been issued with a view to determining how those issues within the GDPR where the Government can exercise discretion should be implemented. These are issues where there can be exceptions in relation to implementation and cover:
The Government has also invited views on how it can minimise the cost or burden of the GDPR on businesses in the context of the derogations.
Whilst this latest initiative by DCMS does not say how the Government will act on the flexibilities that the GDPR affords, it is likely that the Data Protection Act 1998 will be amended. On that basis, staying up to date on these developments is likely to be an important component of your preparation plan, so that you know what your obligations will be come May 2018.
A related development is the overhaul of the Privacy and Electronic Communications Regulations (PECR), which are set to be replaced by the ePrivacy Regulation. This regulates electronic communications, cookies and internet or telecoms services. Whilst the ePrivacy Regulation is still being debated at European level, with a target implementation date of May 2018, it is set to introduce a number of changes, as highlighted by the ICO, and further guidance is likely to follow.
Staying up to date with these changes as part of the preparatory steps you undertake is important. However, ensuring compliance with existing law remains key, as failing to comply with the DPA or PECR while carrying out your preparatory steps can lead to enforcement action by the ICO, as was the case with Honda and Flybe (see previous blog).
Forbes Solicitors regularly advise a range of businesses on data protection law, including compliance with the DPA and PECR and preparing for the GDPR and ePrivacy Regulation, including providing training. If you have any questions, please contact Daniel Milnes.