The General Data Protection Regulation (GDPR) will come into force in the UK on 25 May 2018. In parallel with businesses' activities to be compliant by that date, the regulators are issuing new guidance on various aspects of the GDPR which will shape interpretation and implementation of compliance measures. The regulators are consulting on some aspects, so now is the time to make your voice heard and influence the regulators' view.
New guidance/ call for views (more detail on each is given below)
ICO feedback request for profiling and automated decision making
Date for response: Responses closed on 28 April 2017
Date for response: 10 May 2017
Draft guidance oN data protectin impact assessments from WP29
Date for response: 23 May 2017
Previously published guidance
As a reminder, here is other key guidance or opinions that have been published since the text of the GDPR was approved in May last year:
- Draft ePrivacy Regulation, on which the Article 29 Working Party has issued a new opinion. We summarise their concerns below.
- ICO draft guidance on Consent. This closed for consultation on 31 March 2017 and the final version should be published in June.
Information Commissioner's Office (ICO) feedback request for profiling and automated decision making
Profiling and automated decision making can enable aspects of an individual's personality or behaviour, interests and habits to be determined, analysed and predicted. Types of data used in profiling can include internet search and browsing history, education and professional data, location data and wearable technology such as fitness trackers etc.
By using these sources of data, organisations can build up a picture of individuals in order to understand and target them more effectively. The ICO recognises the value of profiling to organisations (enabling targeted sales, better risk analysis) and to individuals (more personalised, relevant service) but also highlights the risks to individuals (discrimination, deprivation of services/goods) and, in particular, aims to address the fact that the public are unaware of much of the profiling that is undertaken.
The GDPR introduces stricter provisions about profiling and automated decision-making to protect individuals and places new obligations on data controllers.
As such, the discussion paper published by the ICO on 6 April poses questions in key areas related to profiling which it feels need further consideration; including ensuring profiling is fair, safeguards for accuracy, what is a 'legal' or 'significant' effect that profiling could have and DPIAs. It is taking a leading role on this issue as part of the Article 29 Working Party (WP29).
The window for feedback closed on 28 April 2017.
Department for Culture, Media & Sports - 'Call for Views' on UK derogations
The Department for Culture, Media & Sports (DCMS) is seeking views on the derogations (exemptions) contained within the GDPR via its online tool, 'Call for Views'.
While the GDPR will be directly implemented in the UK (as it will come in force prior to the UK leaving the European Union) and apply uniformly across the EU. However, the GDPR contains provisions which give Member States discretion to legislate in certain areas where the EU acknowledges that different Members States will have different requirements e.g. national security, public health, prosecution of criminal offences, and other "important economic or financial interests".
DCMS is seeking views on how these derogations should be implemented in the UK, under 14 categories / themes, some of which include:
- Sanctions (Theme 2)
- Demonstrating Compliance (Theme 3)
- Third Country Transfers (Theme 6)
- Sensitive Personal Data and Exceptions (Theme 7)
- Rights and Remedies (Theme 9)
- Processing of Children's Personal Data by Online Services (Theme 10); and
- Freedom of Expression in the Media (Theme 11)
DCMS is also seeking views from stakeholders on what steps the Government should take to minimise the cost of the burden of the GDPR on business.
The relevant GDPR provisions are noted under each theme. The consultation does not disclose the Government's thinking on any of the above listed issues; it merely lists the topics and corresponding GDPR articles.
This is the opportunity for bodies that represent different sectors and industry to lobby government for specific legislation that would make compliance with GDPR simpler or clarify grey areas e.g. in healthcare systems, fraud-checking, autonomous vehicles etc.
The consultation closes at 18:00 on 10 May 2017.
Article 29 Working Party draft guidance on Data Protection Impact Assessments
On 4 April, the WP29 adopted draft guidelines on Data Protection Impact Assessments (DPIAs).
Organisations should find the draft guidelines useful in 'filling in the blanks' where the GDPR provisions do not explain in practical terms what needs to be done or considered, although the guidance still leaves some questions unanswered, such as when will it be appropriate to consult data subjects as part of a DPIA.
DPIAs are mandatory under the GDPR where processing is likely to result in a 'high risk' to the rights of individuals and is particularly relevant where new data processing technology is being introduced. DPIAs should be seen as a tool for accountability, which is at the heart of the GDPR. Conducting a DPIA will help organisations build compliance (at the outset) and demonstrate compliance at a later date. A DPIA should be carried out sufficiently early in a project to allow recommendations to be actioned in a timely manner.
Annex 1 of the WP29 draft guidelines contains examples and links to existing DPIA frameworks and Annex 2 provides helpful criteria for an acceptable DPIA by reference to the relevant provisions in the GDPR. However, the WP29 does not prescribe what form the DPIA should take, rather that there are various templates available to organisations. It also encourages sector specific DPIA frameworks, which will permit organisations to focus on any risks and mitigations that are relevant to their sector.
WP29 states in the guidelines that supervisory authorities, such as the ICO in the UK, are able to issue guidance on whether DPIAs are, or are not, required and recommends that DPIAs should be re-assessed at least every three years, if not sooner, depending on the circumstances.
Failure to conduct a DPIA under the GDPR requirements could lead to penalties being imposed by the relevant supervisory authority and, in the case of an undertaking; fines can be up to 2% of annual worldwide turnover. As both data controllers and data processors will be affected by the new law, organisations should take heed of these draft guidelines.
The draft guidelines are open to public consultation until 23 May 2017, after which a final version will be adopted. Comments should be submitted by email to JUST-ARTICLE29WP-SEC@ec.europa.eu and email@example.com.
Article 29 Working Party opinion on draft ePrivacy Regulation
As set out in our earlier article, the European Commission published a proposal in January for a new ePrivacy Regulation that is intended to replace the current ePrivacy Directive (2002/58/EC) - the thrust of the proposed ePrivacy Regulation is to increase transparency to consumers and to protect them from 'surreptitious' monitoring and data gathering (not limited to personal data). The European Commission intends for the proposed ePrivacy Regulation to enter into force alongside the GDPR on 25 May 2018.
On 4 April, WP29 published a detailed opinion on the European Commission's proposal for an ePrivacy Regulation.
Overall, WP29 welcomes the European Commission's choice of a regulation as the regulatory instrument in terms of increased harmonisation with the GDPR, and the expansion of scope to include 'over the top' providers, some of which include Facebook Messenger, Skype and WhatsApp.
However, WP29 has highlighted four areas of 'grave concern' in the draft ePrivacy Regulation which require improvement. These areas are:
- the tracking of local terminal equipment,
- the conditions under which the analysis of content and metadata is allowed,
- the default settings of terminal equipment, and
- software with regard to tracking walls.
For instance, WP29 comments that in terms of the location of terminal equipment, the proposed ePrivacy Regulation does not impose strong enough obligations to protect the privacy of individuals as regards to Wi-Fi or Bluetooth tracking.
WP29 notes other points of concern in its opinion, including that the term 'metadata' is too narrowly defined under the proposed ePrivacy Regulation, and that direct marketing is too limited in its scope.
The overarching concern from WP29 is that the proposed ePrivacy Regulation would lower the level of protection enjoyed under the GDPR, so it has provided suggestions to ensure that the ePrivacy Regulation will guarantee the same or a higher level of protection as that of the GDPR.
Given the revisions by WP29 regarding aspects of the proposed ePrivacy Regulation, it is an ambitious timescale and also a timetabling concern for parties involved to finalise this text for implementation in conjunction with the GDPR by 25 May 2018.
We will watch this space for more updates; the ICO has indicated that it intends to release some initial ePrivacy guidelines later this year.
Draft ICO consent guidance
The ICO ran a consultation during March regarding the issue of consent under the GDPR. Although the concept of consent is not new, the GDPR builds on the concept currently provided for under the Data Protection Act 1998 by imposing a higher level of detail on the standard and processes for consent. In essence, consent under the GDPR means offering individuals genuine choice and control. Consent under the GDPR also requires granular consent for distinct processing operations; and gives individuals a specific right to withdraw consent at any time.
The consultation closed on 31 March and the ICO is currently analysing the feedback. The ICO expects that the final version of its GDPR consent guidance will be published in June 2017 and we will keep you updated as to what the outcome of the consultation is.
Organisations should review their consent mechanisms to ensure compliance with the GDPR going forwards, and to determine whether consents obtained previously need to be re-obtained in order to meet the GDPR standard.
Final versions of Article 29 Working Party guidelines
On 5 April, the WP29 adopted final versions of guidelines on data protection officers (DPOs), identifying a lead supervisory authority for cross-border transfers and data portability, having considered comments on the initial versions that were published in December 2016.
- Guidelines on Data Protection Officers- these guidelines cover the circumstances where a Data Protection Officer (DPO) is a mandatory requirement under the GDPR and the role and remit of a DPO. The annex contains useful frequently asked questions and answers, such as 'which organisations must appoint a DPO?', 'is it possible to appoint an external DPO' and 'what is the role of the DPO with respect to data protection impact assessments and records of processing activities?'
- Guidelines on identifying a lead supervisory authority (cross-border transfers) - these guidelines are only required where a data controller or data processor carries out 'cross-border processing' of personal data, as per Article 4(23) of the GDPR. The guidelines provide steps that organisations can take to identify the lead authority, such as how to identify a 'main establishment', including where this is outside the EU.
- Guidelines on the right to data portability - this new right under the GDPR allows for data subjects to receive their personal data in a structured, commonly used and machine readable format from a data controller. The right is explored in more detail via a series of questions exploring the main elements of data portability, such as when the right applies, how it fits with the right of subject access and how the portable data must be provided to the individual.