With all the focus being on GDPR implementation in the run-up to the 25th May, it would be easy to think that implementing the regulation and moving your change programmes into business as usual would be the end state of privacy legislation, at least for now. Unfortunately, change is in the air, and there are quite a few things organisations need to keep an eye out for, namely:
GDPR Case Law
Assumptions and organisational bets have been made around exactly how to interpret some of the vaguer aspects of the GDPR (looking at you, legitimate interests for marketing!), which will be sorted out through case law and ICO enforcement notices. It will be interesting to see how lenient the ICO is with fines and exactly what stance it takes on issues which have so far been hotly, but only hypothetically, contested. Although points of law can be appealed if your organisation has a decision made against it by the ICO, it is nonetheless prudent to ensure your organisation learns from others' mistakes to avoid receiving a similar fine.
The replacement for PECR is coming up, and is more far-ranging with less scope for nuance (or at least its draft form is!). This will be one to watch, especially for digital marketers as well as for any of the new ‘smart’ technology such as smart meters or other ‘internet of things’ services. Organisations will have to carefully implement technical changes where they apply, such as collecting less metadata around the location of communications content, changes to cookies, and changes to how you can contact people.
Restriction of Model Contract Clauses to exclude the US
As discussed in a previous blog post, it is highly likely that there will be a decision which means that the US is no longer able to use Model Contract Clauses, which is the legitimisation route most companies use when dealing with businesses outside of the EU. The new Facebook debacle has likely brought this forward somewhat, although it has been ongoing for some time. This makes a Privacy Shield certification a much bigger priority if US companies want to do business with the EU, and would also mean that any data processors who process in the US would need to be reviewed with fresh eyes.
Data Protection Bill
The Data Protection Bill should be read side by side with the GDPR. It adds provisions, where the GDPR allows, in areas such as immigration, and is especially important for those in law enforcement or national security; it also details more powers for the ICO. As was in the news this week, there are still considerable amendments being made to the Data Protection Bill, and a lot more discussion to be had about what makes it into the final text, as it seems to be a medium for stirring up controversy on everything from freedom of the press to immigration enforcement. As it is now in the final straight before becoming law it won’t undergo a full revamp, but some surprises could yet be in store. It is certainly a document with implementation ramifications which a lot of organisations will want to pay attention to.
Supervisory Authority Guidance
The ICO releases some great pointers on how to comply with information law, but so far its updated guidance for GDPR hasn’t been particularly comprehensive. This may be purposeful: with so many other changes afoot, it may have been decided that it is prudent to wait until the dust has settled before writing authoritative guidance. Once the Data Protection Bill and e-Privacy Directive are through I would expect an increase in helpful guidance from the ICO, which may be radically different from how a given organisation has implemented GDPR. There are also other powers and responsibilities under GDPR that the ICO will need to fulfil which need to be looked out for, such as standard data protection clauses for international data transfers, which would presumably supersede the current Model Contract Clauses. The ICO’s blog and published speeches are a great way to head off differences between your implementation and the regulator’s expectations, as their stances are often alluded to much earlier than official guidance is released.
Codes of Conduct
Referred to explicitly in Article 40 of the GDPR as a way to stimulate proper application of the legislation, these have yet to rear their head. It’s not just the ICO who can write these; governing bodies of different sectors can also write them, although it would need to be done in conjunction with, and signed off by, the ICO. Look out for bodies such as the Financial Conduct Authority, the Fundraising Regulator, and the Direct Marketing Association releasing official privacy Codes of Conduct.