06 December 2016
Now that we seem to have confirmation from the Government that the GDPR will come into force in the UK on 25 May 2018, it is time to provide you with more information.
The GDPR will have direct effect in the UK
Secretary of State Karen Bradley MP appeared before the Culture, Media and Sports Select Committee on 24 October 2016 and in response to a question stated:
We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.
It is anticipated that a fuller and more formal statement will be issued by DCMS in due course.
The outcome of the vote on 24 June 2016 left data protection practitioners with some level of doubt about what was going to happen with Regulation 2016/679. We all thought it was likely to come into force, but it is good to have confirmation of that. There was also a slightly odd situation where the ICO indicated straight away that the vote to leave the EU would not impact on the need to comply with the GDPR. However, this statement was subsequently removed and replaced with a statement which said that the ICO would be discussing the implications of the referendum result and its impact on data protection reform in the UK with the Government over the coming weeks. This was apparently in response to a request from the Department for Culture, Media and Sport, the government department responsible for data protection, which was concerned at the definitive approach that the ICO was taking. Thanks to Jon Baines and Tim Turner for drawing our attention to that.
However it now seems clear that come 25 May 2018 the GDPR will come into direct effect in the UK.
So where are we with guidance?
I attended the ICO’s Scottish Conference in June – just prior to the referendum. There was some useful guidance provided at that event and the ICO has provided some additional information on its website. There is now an Overview to the GDPR which sets out some more detail about the key issues in the Regulation.
The ICO also issued Updated Guidance on Privacy Notices which has a section identifying the changes coming with the GDPR. These changes are substantial and will impact significantly on data controllers. Currently there is only an obligation to provide the name of the data controller, the purpose or purposes of any processing and enough information to ensure that processing is fair.
There is an obligation under the GDPR for privacy notices to be in a “concise, transparent, intelligible, and easily accessible form, using clear and plain language” BUT there is also an obligation to provide more information than is currently required. At the ICO’s Scottish Conference, the ICO’s advice was that the transparency information required by Article 13 GDPR could be split into two categories, with the information required by subsection (1) being more important than the information required by subsection (2). The less important information could therefore be provided elsewhere, e.g. by providing a link to a webpage.
Therefore I have split the categories of information required into two columns below.
| Information required by Article 13(1) | Information required by Article 13(2) |
| --- | --- |
| Identity and contact details of the controller | The period for which the data will be stored, or the criteria used to determine that period |
| Contact details of the Data Protection Officer, if one is required | The right to request: access to; rectification of; erasure of; restriction of processing; or to object to processing; and the right of data portability |
| Purposes of the processing and the legal basis for the processing | The right to withdraw consent to processing |
| Where the processing is based on legitimate interests, the legitimate interests pursued by the controller or a third party | The right to lodge a complaint with the ICO |
| The recipients or categories of recipients of the data | Whether the processing is based on a statutory or contractual requirement, and the consequences for the data subject of failing to provide such data |
| Information about transfers to third countries | The existence of any automated decision making or profiling; how it works and the consequences of this processing for the data subject |
It is of significance that the data controller is required to state and therefore think about the legal basis for any processing that is taking place. In addition, if relying on the legitimate interests condition (which of course public sector bodies cannot do) then they must state the legitimate interest pursued. I suggest that even the exercise of thinking about these issues will improve practice and understanding of data processing going forward.