GDPR Summary

The countdown has begun and there is now less than 1 year to go until the GDPR enters into force. As we approach this date (25 May 2018) data protection authorities are adopting a forensic approach to the GDPR and are keen for input and opinions on its practical implementation.

The EU Commission is setting up a stakeholder expert group to focus on the application of the GDPR across Member States. In the UK, the government has launched a stakeholder consultation looking at flexible areas under the GDPR prior to forming a derogations policy.

The ICO has been liaising with WP29 and stakeholders, and has identified 3 areas of concern regarding the GDPR. The ICO has also published a feedback request on profiling and automated decision-making under the GDPR. The WP29 has also issued guidelines on Data Protection Impact Assessments, providing practical guidance on conducting a DPIA and how to identify when one is required. The EDPS has raised concern more generally and has advised DPOs to prepare thoroughly for the GDPR.

ICO Review

The ICO has shown its continued commitment to enforcement action. This May the ICO issued a record fine just short of the maximum penalty and has also clarified key requirements following a series of hefty fines.

The ICO has also published its Information Rights Strategic Plan, setting out its aims for the next 5 years.

EU News

The EDPS and WP29 have both released opinions on the draft E-Privacy regulations, setting out praise for relevant areas and expressing various concerns around tracking-walls, end-user consent provisions, default privacy settings and Wi-Fi tracking.

The European Parliament has raised concerns about the effectiveness of the EU-US Privacy Shield under the current US administration, and WP29 has released a Privacy Shield Ombudsman form for data subjects to use when raising concerns. The EU Commissioner has also recently confirmed the Annual Review into the Privacy Shield will take place in September 2017.

Meanwhile the European Commission has imposed its first fine on a company for breach of the 2004 Merger Regulation and has fined Facebook €110 million following its acquisition of WhatsApp in 2014.

UK News

The UK government has published the Digital Economy Act which received Royal Assent on 27 April 2017. The Act deals with delivery of services, sharing personal data with specific public authorities, direct marketing and charges payable to the ICO.

Ransomware has been a key theme in UK news, following the outbreak of the WannaCry worm virus and its impact on NHS services. The UK government addressed cyber-attacks in its Cyber Security Breaches Survey and the implications for UK businesses, and the ICO has provided guidance on prevention and recovery in its ransomware blog.

Updates from across the world

To read our updates from across the world, please click here.