The General Data Protection Regulation (GDPR) is due to take effect on 25 May 2018, precisely two years from today. While the text is agreed, practitioners and organisations may now be forgiven for waiting to see how the national authorities interpret its effect - the UK Government, in the case of those elements of the GDPR (like Article 85, providing for journalistic exemptions to data protection law) that are left to Member States to legislate on; and the Information Commissioner's Office (ICO), in terms of how its updated guidance will look.
For most data controllers, and indeed data subjects, the everyday application of the existing Data Protection Act 1998 (the "Act") is determined not by black-letter law but by ICO Guidance. Lawyers and courts may frequently disagree with the ICO's broad and data-subject-friendly interpretations of the Act, but at least there is a detailed framework for how the regulator enforces the Act and expects to see its labyrinthine provisions applied. The ICO has issued dozens of lengthy guidance notes on everything from encryption to subject access, from breach reporting to direct marketing, from privacy notices down to what personal data actually is. It has also published numerous sector-specific guides for schools, charities, health records and the media.
So many volumes of literature will take time to replace: so much so that, although the ICO has pledged to start producing it "in the next few months", there are no guarantees that it will all be updated in time for data D-day two years from now. After all, the ICO has continued even until this year to issue new and updated guidance on the existing Act almost two decades in (see previous Information Matters here and here) - so the effect is akin to painting the Forth Bridge. However, as a tantalising starter, it has issued a 12-step guide to help addicts of the old Act prepare themselves for the next life under GDPR.
Its "checklist"-style note, available here, highlights key concepts that are changing (consent, which national authority should deal with cross-border complaints, and protections for children) as well as reminding organisations of how to prepare for the new regime of data breach reporting and subject access, and exploring buzzwords such as "privacy by design" and "data portability". For now it is the closest we have to a General Data Protection Guidance and, while necessarily high-level, acts as a useful framework for organisations that still have their heads in the sand.
Many more words will follow, and not simply from the ICO. As suggested in the introduction, media organisations will watch (and if necessary lobby) with great interest as government considers whether to take this opportunity to apply the - hitherto ignored - recommendations of Lord Leveson that the so-called "journalistic exemption" (s.32 of the Act) should be narrowed, in particular regarding subject access but also in respect of how personal data may be processed by media organisations generally. Art.85 leaves this delicate balancing act to Member States, who "shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression." Therefore additional or transitional legislation will be required, even if only to maintain the status quo.
At the same time, the Article 29 Working Party of the EU will also be producing guidance at a European level. How this interacts with, or takes priority over, ICO Guidance (Brexit allowing) will be an interesting new battleground for the practical application of data protection law. Therefore, while the final text may be agreed, the landscape of GDPR still needs plenty of terraforming before we can be sure what the world will look like on 25 May 2018.