The ICO has made recommendations to organisations and published updated views on the progress of the Regulation and the European Council’s draft.
What’s the issue?
With the agreement of a consolidated text by the European Council in June, the General Data Protection Regulation (GDPR) moved into the trilogue stage, where the three European institutions, the Commission, Parliament and Council, negotiate a final version of the legislation. The aim is to agree this by January 2016, but how realistic is that goal?
What’s the development?
The UK Information Commissioner’s Office (ICO) has published a blog post setting out the expected timing going forward and also advising organisations on how to prepare for the legislation even though its implementation is at least two years away. Comments have also been published by the ICO on the Council’s version of the text.
What does this mean for you?
In the ICO’s opinion we should have a reasonable idea of what will be in the GDPR by the end of the year, but it is unlikely to become law before June 2016, after which there will be a two-year implementation period. Nonetheless, the ICO urges organisations to start thinking about the impact now and says the most important thing is “to make sure you’re right on the ball in meeting your current responsibilities”. In other words, make sure you are 100% compliant with current legislation (for a refresh on the Data Protection Act 1998, join our webinar on 22 September).
The ICO also recommends looking at the following areas:
- consent and control – the extent to which data subjects are given control over their data and how it’s used and the degree to which consent is informed, particularly in relation to children;
- accountability – the ability to demonstrate data protection compliance and allow data subjects to find out easily what information is held about them and how it’s used;
- staffing – leaving aside the issue of whether or not a data protection officer will be required under the GDPR, are there sufficient resources (especially staff) in place to deal with compliance under the GDPR?
- privacy by design – businesses should be taking steps to ensure compliance is ingrained in their processes and systems. This includes the use of privacy impact assessments and adherence to data minimisation principles;
- breach management – again, this is a question of ensuring there are processes in place to both protect personal data and inform individuals and the ICO of any breach if necessary.
The ICO has published a short document setting out the areas of the Council text which it thinks are “most in need of improvement during the trilogue process”:
- the ICO thinks the Council’s draft gives too much scope to the development of different European regimes;
- while the ICO supports the exclusion of the concept of pseudonymous data as a separate category of data, saying it should be used only as a privacy enhancing technique, it thinks the Council’s drafting allows for confusion as to the treatment of pseudonymous data with the possibility that some will be personal data and some will not be;
- the ICO does not agree with the Council’s Article 6, which deals with the concept of incompatible further processing purposes, as it confuses legal justifications for processing with purpose limitation. The ICO says any incompatible processing should only be allowed strictly within the terms of a relevant exception to the data protection principles;
- the ICO criticises the Council’s drafting for confusing references to explicit and unambiguous consent and says there should be a single, high standard category of consent to avoid uncertainty;
- the ICO is concerned that the Council’s requirement for parental consent to the processing of children’s personal data is too restrictive, particularly as it appears to apply to older children as well as those under 13. The ICO says older children should have independent access to some services provided the necessary privacy protection is in place;
- there is concern that the suggested methods of communicating information to data subjects are too traditional and do not encourage finding innovative ways to deliver increasingly complex information to “ordinary people”;
- the Council’s provisions around when a charge for a subject access request (SAR) might be levied are criticised as unclear. The ICO is not against such a charge in principle, provided it is clear when it can be imposed. The ICO is also concerned that under the Council’s draft, there is no obligation to disclose personal data under a SAR where it would involve disclosure of the personal data of another data subject. The ICO says the third party’s data should only be withheld where their right to privacy outweighs the data subject’s right to access the data;
- the ICO is against the use of the phrase “right to be forgotten” on the basis that it will lead individuals to believe they have an absolute right to deletion of their data which is not the case – a right to erasure is seen as preferable;
- the ICO is against the right to object to processing being watered down from the original Commission proposals;
- the ICO is in favour of the right to object to automated processing including profiling being limited to situations where the data subject is significantly affected but is critical of the Council’s requirement for a “human intervention safeguard” which it believes is not always practical;
- the ICO does not think the Article 28 documentation requirement should apply to SMEs;
- the ICO supports the introduction of a de minimis concept in relation to the reporting of data breaches – the Council text refers to “high-risk breaches”;
- there is concern that, as failure to consult a supervisory authority on risk mitigation measures can fall into the highest fine tier, data controllers will be over-cautious and consult too frequently. The ICO is of the view that a requirement to consult should only be obligatory in exceptional circumstances, if at all;
- the ICO supports increased flexibility in when a data protection officer (DPO) needs to be appointed but is critical of the prescriptive nature of a DPO’s required qualities and functions as set out in the Council draft;
- the ‘one stop shop’ principle has been watered down and is too confusing, in particular the role of the lead authority and the power of the EDPB;
- the three-tier fine system is too inflexible and does not allow for enough discretion by the supervisory authority. The ICO favours a list of offences which could attract a fine and the removal of the tiers.