The ICO on the 4th
of July 2017 took a step forward with regards to privacy protection for the UK public from overseas data protection threats and risks, by publishing its first ever International Strategy document
. This document supports the earlier ICO 'Information Rights Strategic Plan 2017 - 2021'
document and is set to help the ICO meet overseas data protection challenges in a globalised world, including those in relation to key areas such as the GDPR and Brexit.
The document sets out what the ICO sees as its main international concerns over the next four years, which are:
- Operating as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period.
- Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies.
- Ensuring that UK … Continue Reading ››
The Article 29 Working Party ("WP29
") has recently adopted new General Data Protection Regulation ("GDPR
, this time focusing on Data Protection Impact Assessments ("DPIAs
"). The Guidelines aim to clarify when a DPIA is required and provide criteria for the lists of the kind of processing operations which are subject to the requirement for a DPIA, to be adopted by Data Protection Authorities under Article 35(4) of the GDPR.
Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until 23 May 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of this important new compliance requirement.
Any comments on the guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu
and firstname.lastname@example.org by 23 May 2017.
What is a Data Protection Impact Assessment?
DPIAs are not a formal requirement … Continue Reading ››
Impact of Brexit on data protection: EU Home Affairs Sub-Committee hears evidence
The EU Home Affairs Sub-Committee continues to hear evidence from various experts on the implications of Brexit on the "EU data protection package". Particularly notable are the comments of Elizabeth Denham, the UK's Information Commissioner, regarding her hopes for the UK post-Brexit.
Unsurprisingly for Denham and perhaps reassuringly for business, "the right way forward… is to fully adopt the general data protection regulation". However should the UK do so, questions persist as to the ICO's role, particularly in relation to its standing with the European Data Protection Board (EDPB). Denham was keen to emphasise that the Government should do anything it can to ensure the ICO has "some status" on the EDPB. Should it not, the UK will be at the mercy of the Board's decisions, but be without influence over its policy.
Lord O'Neil of Clackmannan, a Labour peer, was … Continue Reading ››
This week, the ICO published the latest version
of its paper on big data, AI and machine learning. Though not an official GDPR guidance document or code of practice, the paper sets out the ICO's views on the issues and has been updated to show how big data, AI, machine learning relate to the GDPR (however not the new draft PEC Regulation).
Of note to Datonomy readers are the six key recommendations the Paper gives to help organisations achieve data protection compliance in a "big data world". The ICO states that organisations should…
- Carefully consider whether the big data analytics to be undertaken actually requires the processing of personal data. Often, this will not be the case; in such circumstances organisations should use appropriate techniques to anonymise the personal data in their dataset(s) before analysis.
- Be transparent about their processing of personal data by using a combination of innovative approaches in order … Continue Reading ››
Yesterday the ICO published its much anticipated guidance
on consent under the GDPR for public consultation. This is a key practical area of compliance for all businesses. The new test for consent under the GDPR is higher than under the current rules and the penalties for failing to obtain valid consent potentially much harsher; organisations will need to review their data collection notices and opt ins and potentially make changes to websites and apps to ensure they are compliant by May 2018.
The guidance sits alongside the ICO's Overview
of the GDPR and explains its recommended approach to compliance and what counts as valid consent. On the tricky issue of verifiable parental consent to children's use of social media, the ICO has promised further guidance at a later date.
The consultation will run from now until 31 March 2017, and any comments on the guidelines should be sent … Continue Reading ››
Last week, as part of Olswang's GDPR readiness and Talking Retail webinar series', lawyers from the firm's data protection and retail sector teams hosted a webinar looking at the implications of the GDPR on the use of data by the retail industry during an online transaction. In this session our speakers looked at the following:
- Targeted and non-targeted advertising
- Privacy policies
- Processing customer payment details
- Post purchase analysis
- Data breaches
- GDPR implementation
The webinar was hosted by Katie Nagy de Nagybaczon
, a partner in the Corporate Team, who focuses on the retail, eCommerce and technology sectors. The two speakers were:
- Sven Schonhofen, an associate in the Commercial Team of the Munich office. He specializes in advising clients in all areas of IT law, in particular on data protection law.
- Emily Dorotheou, an associate in the Commercial Team who has experience of working on procurement, technology and logistics contracts for a variety of retail and technology clients.
Please follow this … Continue Reading ››
On 2 February the ICO announced
that it had published a new code of practice
relating to privacy notices, transparency and control, which aims to keep pace with the increasingly complex digital landscape and also take into account the broader transparency rules under the GDPR. The ICO’s current guidance, from 2010, is here
‘Transparency’ under the GDPR
Although organisations are already required to provide certain details in relation to the identity of the data controller and the purposes for which the data is being collected, the GDPR will increase the amount of information which must be provided to individuals, including the rights available to them, information on data transfers and the source of the data. All information must be presented in a concise, transparent, intelligible and easily accessible form, using clear and plain language and tailored to the specific audience (including children). Organisations which fail to meet these requirements … Continue Reading ››