Karen Bradley MP, the Secretary of State for Culture, Media and Sport, recently confirmed that the UK will be implementing the General Data Protection Regulation (GDPR), in force from May 2018, stating "[w]e will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."
Privacy notices, transparency and control
The Information Commissioner's Office (ICO) has welcomed the confirmation, coming shortly after their publication of a new code of practice on privacy notices, the first piece of the guidance puzzle that the ICO intends to publish in order to prepare businesses for the new regime.
The code, titled 'Privacy notices, transparency and control', follows an ICO consultation on the subject and seeks to assist data controllers in complying with transparency requirements under both the Data Protection Act 1998 (DPA) and the GDPR.
The code is "aimed at all organisations that collect information about people, whether directly or indirectly" and provides guidance on:
- gaining and recording consent
- the content of a privacy notice, including how the privacy notice should be written and presented
- how to communicate privacy information to individuals
- producing privacy notices for mobile devices
- when a business should actively communicate privacy information
- testing and rolling out privacy notices
Privacy notices under the GDPR
The ICO also provides guidance on complying with Articles 12, 13 and 14 (which relate to the provision of privacy information to data subjects), noting that whilst these Articles are "more detailed and specific than in the DPA", if businesses follow the guidance in the code they will be "well placed to comply with the GDPR regime." A handy guide summarising the privacy information that needs to be provided under the GDPR, where data has or has not been obtained directly from the data subject, is also included in this section.
Why is all this important?
The code makes clear that whilst the Information Commissioner cannot take enforcement action for failure to adopt good practice, she can pursue actions for failure to comply with the DPA (which can attract a fine of up to £500,000) and, in doing so, she may have regard to the advice provided in the code. With the government's confirmation that the UK will opt into the GDPR, it is also worth stressing that under that regime administrative fines of up to €20m or 4% of the company's total worldwide annual turnover may be imposed in respect of a breach of the rules on privacy notices. It is therefore vital that businesses make good use of the code and revise their privacy notices as necessary.
Something to bear in mind…
Something to note in closing: in our ever-changing technological world, data is increasingly collected in non-traditional ways, for example by tracking people online or through smart devices, or by using algorithms that analyse purchase history and social media use. Businesses will therefore need to assess how they collect information and adapt to meet the challenge of fulfilling the requirements to be fair and transparent when data is collected in this way. In particular, the code addresses the use of 'big data', noting that "it may be more difficult to foresee at the outset how [a business] will use the data", so businesses should pay particular attention to how data is collected and update privacy notices as necessary in order to limit the risk of breaching the rules.
The ICO intends to publish further guidance by the end of 2016.