The GDPR – The Final Hurdle or is it?

Tuesday, April 24th, 2018

With 24 days left until the 25th May (GDPR Day) the team here at Proceed are very busy helping our clients with their GDPR projects. However, Steve Lofthouse, our man for all things data protection, did manage to attend both the Information Commissioners Conference in Manchester and the Privacy Professionals Conference in London. He gives us his thoughts and conference takeaways below:

It is interesting to note with less than a month to go until 25th May (GDPR) day, the messages that are coming out of the various EU Information Commissioners Offices and the areas of concern for most companies.

At the Information Commissioners conference in Manchester on the 9th of April, the commissioner spoke about how she is gearing up for the 25th of May and the increased workload that will no doubt follow. She has increased her staff considerably and will continue to do so as she aims to recruit up to 200 more people over the next 12 months. Also, of interest was the appointment of a new Deputy Commissioner for Operations, James Dipple-Johnstone who will head up the enforcement side of the ICO. Mr Dipple-Johnstone comes from the Solicitors Regulatory Authority and is experienced in the areas of investigation and the application of legal sanctions. Something which demonstrates the serious intent to enforce the GDPR that the Commissioner continues to articulate.

Both the Commissioner and the Deputy Commissioner made the point that, whilst the fines detailed within the GDPR are large, and a significant tool in their arsenal. Of more use to them and potentially more painful to business was the ability to impose orders to cease processing. This is something that we have been communicating to clients for a while now and it is significant to see this position being echoed by the majority of European Commissioners also.

The Privacy Professionals conference on the 18th and 19th saw a number of European Commissioners (UK, French, Irish and EU Data Protection Board) come together to deliver a singular message. Transparency in all regards is paramount. Be that transparency in processing, in the information given to data subjects or the handling of a data breach.

Additionally, and independently of each other, each of the Commissioners re-iterated the point that large fines will not be their first port of call. The use of Compliance Orders and Cease Processing Orders will be their tools of choice. They put forward a number of reasons for this, namely that it is in the best interests of the data subjects that companies comply, and also that an order to stop processing would protect data subjects and potentially ‘incentivise’ a company to comply more than a monetary fine.

That’s not to say that fines won’t be levied. The ability to levy fines is a new power to the Irish Data Commissioner who noted at a round table meeting that; “There is no grace period. The grace period ends the 25th of May.” John O’Dwyer Deputy Commissioner, Irish Data Protection Commission.

With regard to data protection there are generally two viewpoints. One which is taken from a business standpoint and one which is taken from a data subjects stand point. It was clear at both the ICO conference and the Privacy Professional conference that the Data Subjects position was the one that should be given priority, a fact we have echoed in all our advice. And it is fair to say that there was a degree of corporate re-education being undertaken.

In terms of the wider conference the key take-aways centred around transparency, handling data breaches and demonstrating compliance.

There were a number of discussions about what transparency meant, and how companies could best demonstrate it. It is clear, especially given the recent publication of the WP29’s updated guidelines that transparency pervades all aspects of GDPR compliance. From the content of a website privacy notice and the manner in which it is made available to the way a data breach is handled.

In regards to data breaches there were United States guests on hand to talk about their experiences in handling data breaches and subsequent disclosure. Their advice; have a robust, comprehensive and thought out plan in place. Test it, and ensure that, should you feel that you would require outside assistance, for example from an DPO as a service provider, or an IT security company, that you have agreements in place sooner rather than later and definitely before a breach happens. It was interesting to note that the use of a breach procedure not only assisted the staff handling the breach, but also the way the risk to the data subjects was assessed; the policy ensuring that this was reproducible.

In regards to demonstrating compliance many conference speakers put forward the idea that companies should prepare comprehensive documentation. The development of KPI’s which were linked to the various GDPR business processes like subject access requests was also spoken about positively.

The final sessions of the conference dealt with e-Privacy and also with Brexit. The new e-Privacy regulation was originally intended to come into force on 25th May, alongside the GDPR. That will not now happen, much to the relief of many a Privacy Professional. The e-Privacy regulation is still being developed however we would advise clients that this regulation will sit with the GDPR and act in Lex Specialis. That is to say it will use certain aspects of the GDPR, for example the GDPR’s definition of consent. The E-Privacy regulation also contains recitals affecting IOT communications and as such we will be keeping a close eye on the regulations development.

The conference session on Brexit also re-enforced the advice that we have been giving to clients. That whilst the UK Government may promote the idea that a decision of adequacy or some other mechanism to facilitate transfer of data between the UK and Europe is a forgone conclusion or at the very least a walk in the park, this is not the case. The EU has significant and long standing objections to the UK’s bulk collection of communications data and this may well impact on any decision about a data transfer mechanism.

The UK’s Information Commissioner, Elizabeth Denham re-enforced the point that a coherent data protection position is vital to a final Brexit agreement and while it remains unknown what a UK relationship will look like in a post Brexit reality, the ICO is deeply committed to a strong relationship with the EU regulatory community.

It was also pointed out that Privacy Shield, the instrument under which data is transferred to the USA, Is between the US and the EU. Come Brexit day the UK will require its own instrument under which to transfer data to the USA.

Steve Lofthouse MSc BSc PGCLTHE FHEA CIPP/E April 2018

GDPR Breakfast Webinar – Getting Ready and Staying Ahead with SAP Assets