Last week I attended a stakeholder workshop organised by the Information Commissioner (ICO) on the new General Data Protection Regulation (GDPR).
The workshop was attended by a range of representatives from central government and other public sector bodies, private and third sector organisations, industry bodies and law firms, who were invited by the ICO to help it understand particular areas of concern for data controllers.
The output of the workshop will influence the ICO’s programme of work over the next two years in the run up to the GDPR coming into force.
What was discussed?
The ICO identified eight key areas for discussion:
- The scope of the GDPR and principles
- Transparency and individual rights
- Breach notification
- General data controller duties
- International issues/consistency between member states
- Criminal enforcement/interaction with the new directive on law enforcement
The workshop took the form of round table discussions (with each table allocated one of the eight issues) and then a plenary session to feed back comments and concerns on each area.
The plenary session spent most time looking at the first three areas, and that reflects the areas where there is the greatest need for guidance.
Specific issues on the GDPR
I was sitting at the Transparency and Individual Rights issues. One of the key issues for data controllers will be compliance with the new requirements on fair processing notices, which are more prescriptive than at present. This presents data controllers with a number of challenges, particularly given the ICO’s current emphasis on lawyered notices, and the need to keep those notices up to date. There are also practical issues associated with the new rights to erasure, data portability and automated processing/profiling.
On scope and principles, concerns were raised in relation to the requirement to have a legal basis for the processing (particulary in the context of data sharing), interpretation of terms like pseudonymisation and profiling.
On consent, concerns were expressed in relation to consistency in approach across member states and within different sectors. The changes will require data controllers to review where they rely upon consent and how that is obtained and managed. The new hard-wired requirement for a digital age of consent also presents challenges for data controllers.
On breach notifications, there was a request for guidance on how this will work in practice. Will the ICO apply a threshold in terms of severity and impact? what about near misses?
In relation to accountability the overlap of responsibility as between data controllers and data processors was identified as an area needing clarification – particularly with legacy contracts. Where does accountability sit> How is this managed when both parties will have legal duties under the GDPR? Concern was also expressed in relation to expectations in relation to records keeping and records management (particularly with outdated legacy systems) and how this interacts with the rights of erasure and data portability.
On enforcement the ICO was asked how its current approach of educating and engaging (rather than necessarily going straight to enforcement) may change given enforcement action by other DPAs. The ICO confirmed that it is not planning to change that philosophy and will continue to collaborate with other regulators and trade associations/industry bodies.
Organisations that operate in multiple member states expressed concern in relation to the operation of the international issues and the consistency mechanism. In particular, whether the GDPR will recognise that an international group may process data for different purposes in different member states, and how that fits with the concept of the “place of main establishment”. The consistency mechanism was however welcomed as a means of ensuring so far as possible a common approach across member states. Conversely, there is potential for conflicts of laws and guidance where data controllers and data processors are located in different member states.
Finally, on criminal justice and law enforcement, the primary concerns here relate to the multiple layers of legislation that will apply, the impact on legacy systems and data sharing (for example, using hubs). Again, stakeholders are looking to the ICO for guidance on interpretation and approach.
Two overarching themes also emerged from the plenary session:
- the need to ensure that practical advice is made available to SMEs and others how are unlikely to have internal expertise or budget to engage external support
- the new fines and enforcement regime is a major cause for concern and may encourage organisations to take overly cautious approaches. That may, for example, mean that privacy notices contain too much information, which may make them less accessible to data subjects.
Next steps for GDPR guidance
The ICO was clear at the outset that aside from addressing obvious contradictions in the drafting and other minor issues requiring tidy up, the text of the GDPR is now essentially finalised. The GDPR is not going to be changed simply because a provision is uncertain or data controllers think that it is impractical (or simply don’t like it).
Rather, the ICO will use the feedback from the workshop (and other sessions) to identify areas where guidance is needed as a matter of priority and where it needs to work with data protection authorities in other member states to develop clear positions (noting of course that the GDPR does allow for some areas where member states can choose to implement a provision in a particular way – for example, the digital age of consent).
The ICO is already working with its counterparts in other member states through the Article 29 Working Party (which will morph into the European Data Protection Board) and factoring the GDPR into its new guidance (including, for example the consultation launched last week on a new Privacy Notices Code of Practice).
Given the GDPR’s intention for consistency across EU member states, it is inevitable that the ICO’s current pragmatic approach to interpretation will change. Data controllers will clearly want early sight of the new guidance but the ICO was unable to provide a timetable for when that will be issued.
Starting your GDPR compliance programme
In the meantime, data controllers will need to start thinking about how they will review and update their policies, procedures contracts and systems so that they can make the changes necessary to comply with the GDPR.