There have been quite a few developments on GDPR in recent months, with the publication of the Data Protection Bill by the UK Government and further guidance from the ICO and the A29 Working Party. The GDPR landscape is slowly becoming clearer.
Data Protection Bill
This came out on 14 September 2017. The main parts of the Bill are:
- General data processing;
- Law enforcement processing;
- National security processing; and
- Regulation and enforcement.
Contrary to government spin, the main thrust of the Bill is to bring the GDPR into effect under UK law.
There are a few UK derogations from GDPR proposed:
- Extending the GDPR to cover all general data that falls outside current EU competence
- Repealing the Data Protection Act 1998, but preserving the key concepts that currently exist under that Act, so far as possible
- Introducing derogations in specific areas, including the research sector and in relation to the protection of children online
- Introducing criminal offences for organisations that intentionally or recklessly process data
On 14 September 2017, the Information Commissioner also published a statement regarding the Bill, available to view online here.
ICO Guidance
The ICO has been quite busy and has published the following:
- GDPR – sorting the fact from the fiction
- Consent is not the ‘silver bullet’ for GDPR compliance
- GDPR is an evolution of data protection, not a burdensome revolution
- GDPR – setting the record straight on data breach reporting
- ‘Preparing for the GDPR – 12 steps to take now’
- Getting Ready for the GDPR self-assessment checklist
- Updated its key areas to consider in the GDPR webpage
- Consultation on GDPR consent (consultation period now closed)
- Request for feedback on profiling and automated decision-making (deadline for responses now passed)
- Consultation on GDPR guidance on contract and liabilities between controllers and processors (consultation period now closed)
The ICO intends to publish a Guide to the GDPR, expected by early 2018. More detailed guidance on contracts between controllers and data processors, children’s data, and accountability is expected before year end.
Article 29 Working Party
This body advises EU member states on data protection, and has published:
- Revised guidelines on:
  - data portability,
  - data protection officers, and
  - lead supervisory authorities
- Guidelines on data protection impact assessment and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR
Further guidance is expected on:
- Consent
- Transparency
- Profiling
- Certification
- Administrative fines
- Breach notification
- Data transfers
We will keep you informed of this further guidance as it comes out. However, for further information, please contact Christopher Evans of this firm by email to C.Evans@druces.com or on +44 20 7216 5505.
This was first posted on 12 October 2017.