On 7 August, the UK government released its statement of intent, which set out its proposals for a Data Protection Bill (the “Bill”) to replace the Data Protection Act 1998 (“DPA”) and “bring data protection laws in the UK up to date”.
In the foreword to the statement of intent, Matt Hancock, Minister of State for Digital, outlines that the Bill, due to be published in September, will “allow the UK to continue to set the gold standard on data protection”.
The Bill’s primary function will be to bring the EU General Data Protection Regulation (“GDPR”) into domestic law (although technically the GDPR will have direct effect in the UK from 25 May 2018, the government appears to be taking this approach to ensure these new data protection laws will continue to apply following Brexit). A summary of the primary changes that the GDPR will … Continue Reading ››
The ICO on the 4th of July 2017 took a step forward with regard to privacy protection for the UK public from overseas data protection threats and risks, by publishing its first ever International Strategy document. This document supports the earlier ICO 'Information Rights Strategic Plan 2017 - 2021' document and is set to help the ICO meet overseas data protection challenges in a globalised world, including those in relation to key areas such as the GDPR and Brexit.
The document sets out what the ICO sees as its main international concerns over the next four years, which are:
- Operating as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period.
- Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies.
- Ensuring that UK … Continue Reading ››
The Article 29 Working Party ("WP29") has recently adopted new General Data Protection Regulation ("GDPR") guidelines, this time focusing on Data Protection Impact Assessments ("DPIAs"). The Guidelines aim to clarify when a DPIA is required and provide criteria for the lists of the kind of processing operations which are subject to the requirement for a DPIA, to be adopted by Data Protection Authorities under Article 35(4) of the GDPR.
Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until 23 May 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of this important new compliance requirement.
Any comments on the guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and firstname.lastname@example.org by 23 May 2017.
What is a Data Protection Impact Assessment?
DPIAs are not a formal requirement … Continue Reading ››
Impact of Brexit on data protection: EU Home Affairs Sub-Committee hears evidence
The EU Home Affairs Sub-Committee continues to hear evidence from various experts on the implications of Brexit on the "EU data protection package". Particularly notable are the comments of Elizabeth Denham, the UK's Information Commissioner, regarding her hopes for the UK post-Brexit.
Unsurprisingly for Denham and perhaps reassuringly for business, "the right way forward… is to fully adopt the general data protection regulation". However, should the UK do so, questions persist as to the ICO's role, particularly in relation to its standing with the European Data Protection Board (EDPB). Denham was keen to emphasise that the Government should do anything it can to ensure the ICO has "some status" on the EDPB. Should it not, the UK will be at the mercy of the Board's decisions, but be without influence over its policy.
Lord O'Neil of Clackmannan, a Labour peer, was … Continue Reading ››
This week, the ICO published the latest version of its paper on big data, AI and machine learning. Though not an official GDPR guidance document or code of practice, the paper sets out the ICO's views on the issues and has been updated to show how big data, AI and machine learning relate to the GDPR (though not to the new draft PEC Regulation).
Of note to Datonomy readers are the six key recommendations the Paper gives to help organisations achieve data protection compliance in a "big data world". The ICO states that organisations should…
- Carefully consider whether the big data analytics to be undertaken actually requires the processing of personal data. Often, this will not be the case; in such circumstances organisations should use appropriate techniques to anonymise the personal data in their dataset(s) before analysis.
- Be transparent about their processing of personal data by using a combination of innovative approaches in order … Continue Reading ››
Yesterday the ICO published its much anticipated guidance on consent under the GDPR for public consultation. This is a key practical area of compliance for all businesses. The new test for consent under the GDPR is higher than under the current rules and the penalties for failing to obtain valid consent are potentially much harsher; organisations will need to review their data collection notices and opt-ins and potentially make changes to websites and apps to ensure they are compliant by May 2018.
The guidance sits alongside the ICO's Overview of the GDPR and explains its recommended approach to compliance and what counts as valid consent. On the tricky issue of verifiable parental consent to children's use of social media, the ICO has promised further guidance at a later date.
The consultation will run from now until 31 March 2017, and any comments on the guidelines should be sent … Continue Reading ››
Last week, as part of Olswang's GDPR readiness and Talking Retail webinar series, lawyers from the firm's data protection and retail sector teams hosted a webinar looking at the implications of the GDPR on the use of data by the retail industry during an online transaction. In this session our speakers looked at the following:
- Targeted and non-targeted advertising
- Privacy policies
- Processing customer payment details
- Post purchase analysis
- Data breaches
- GDPR implementation
The webinar was hosted by Katie Nagy de Nagybaczon, a partner in the Corporate Team, who focuses on the retail, eCommerce and technology sectors. The two speakers were:
- Sven Schonhofen, an associate in the Commercial Team of the Munich office. He specializes in advising clients in all areas of IT law, in particular on data protection law.
- Emily Dorotheou, an associate in the Commercial Team who has experience of working on procurement, technology and logistics contracts for a variety of retail and technology clients.
Please follow this … Continue Reading ››