GDPR Update from the Data Protection Network

GDPR Update from the Data Protection Network

  • The ICO has confirmed that it will not be issuing final guidance on key areas such as consent and Legitimate Interests until December at the earliest. Draft guidance on the contracts between Controllers and Processors has been issued. The office has also begun to dispel some GDPR myths including stating that fines will be proportionate and recommending the use of Legitimate Interest when consent is not appropriate.
  • Information Commissioner, Elizabeth Denham has been negotiating with DCMS arguing that she needs to pay ICO staff above the 1% pay cap. The Office has suffered a “brain drain” as employees are taking jobs as Data Protection Officers in the Private Sector at much higher salaries.
  • DPN has launched its own guidance on Legitimate Interests supported by DMA, ISBA and the IPA. This makes the case for mail being in the Legitimate Interests of organisations. The Guidance was warmly welcomed by the ICO who reviewed it before publication. Over 3,000 users have now downloaded the Guidance (https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/ ) and the ICO has suggested that other areas of GDPR should be tackled by industry in a similar way.
  • There has been as significant uptick in company preparations for GDPR even in sectors that had been slow to realise the potential impact. Re-permissioning is starting in earnest. Recent fines for companies attempting re-permissioning by email (https://ico.org.uk/action-weve-taken/enforcement/flybe-limited/ ) have underlined that mail is a safer way to attempt to gain/re-gain permission. Trade associations (particularly the DMA) have increased their GDPR briefings and training.
  • The Government has published the Data Protection Bill which provides details on the areas of GDPR where the local country can make rules (for example on the age of a child and processing criminal data). Exemptions are largely carried forward from the DPA but will not impact mail.
  • The Government has also published a position paper as part of the BREXIT negotiations arguing that the UK should be given “adequacy” after exit ensuring that personal data can flow freely between the UK and the EU.
  • Negotiations on the e Privacy Regulation continue but it is the subject of heavy lobbying. The Ad Tech industry is concerned that tougher cookie consent will severely affect behavioural advertising and programmatic. Regulators are keen to bring B2B into scope but this is being fought hard by FEDMA. It is likely that the debate will continue well into 2018 meaning that GDPR will come into force whilst the existing email regulations are still in play.
  • Royal Mail has significantly increased its activities around GDPR both from an internal preparation point of view and in terms of messages to the market. Staff and customer briefings are continuing and there are plans for increased market messaging around the sustainable use of mail in a post GDPR world under Legitimate Interests.