If it wasn’t hard enough to convince businesses in the UK that they really should be thinking about how their organisation will be impacted by the General Data Protection Regulation (GDPR) next year, we’ve got to also think about the ePrivacy Regulations (which the EU wants to come into force at the same time as the GDPR) and most recently an announcement by the UK Government that we’ll be getting a new Data Protection Act (the Data Protection Bill was announced in the Queen’s Speech on 21st June 2017).
General Data Protection Regulation
Of course businesses have until 25th May 2018 to ensure they’re compliant with the GDPR, but research and polls seem to suggest that businesses either think it’s not relevant because we’re in the UK and leaving the EU, are unprepared, or haven’t started thinking about it yet – see here and here for examples.
If you speak to GDPR consultants, lawyers, experts or even the Information Commissioner’s Office (ICO) the message is clear: start taking action now to make sure your business will be compliant come the deadline next year. But at the same time, we’re also waiting for ICO guidance, Article 29 Working Party guidance (they’ve already published some on DPOs, data portability and lead authorities) and potentially views from the European Data Protection Board who may have their own views on how to interpret the Regulation. However, we have to soldier on interpreting the intentions of the Regulation, the meaning of the Recitals and hope we’re getting it right and then potentially adapting our approaches if someone in authority comes up with a different interpretation or when guidance is published. And let’s not forget the impact Brexit might have.
As for the electronic marketing rules, currently covered by the Privacy and Electronic Communications Regulations (PECR), we’re getting a new ePrivacy Regulation which will, again, apply to the whole of Europe and is supposed to come into force at the same time as the GDPR, but might not do. This Regulation will supersede the UK’s PECR, but aspects of it (like marketing to businesses) are derogations allowed to be interpreted by member state law – or at least that is the case in the current draft, but of course it could change.
Data Protection Bill
And then, in the Queen’s Speech, a Data Protection Bill has been announced which will introduce a new Data Protection Act and rules to the UK to (hopefully) complement GDPR and maybe the ePrivacy Regulations.
We don’t know much about the Data Protection Bill, in terms of content, or what it might mean for data protection in the UK. The Tory Manifesto simply makes references to protecting citizens’ online data and the Queen’s Speech refers to:
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”
It is generally thought to address online data and rights for processing information particularly for law enforcement purposes (see the BBC summary).
We’ll have to wait and see what’s in it in detail, but some things that are likely to be in it are:
- The government’s attempts to provide derogations allowed under GDPR (e.g. the age of a child for the purposes of processing children’s data (Article 8))
- Possible implementation of law around derogations allowed under the ePrivacy Regulation (if/when that becomes EU law) – of particular interest here will be consent relating to business data for marketing purposes and for communications networks around handling data breaches
- Maybe some extra rules relating to Brexit and data protection with the UK out of the EU
So, all things considered, we have to comply with the GDPR, without knowing what guidance might look like in some areas and with its own set of derogations that could yet be implemented in the UK; a new set of privacy regulations, which may or may not come into force at the same time as the GDPR; and a new Data Protection Bill!
The next 12+ months are going to get a lot more interesting…
Keeping up to date
The key to all this though is keeping in the know. Whether you’re just starting your GDPR journey, wondering how the GDPR might impact your B2B activities or want to make sure your marketing is compliant, you’re going to need to pay attention to the rules, guidance and changes over the next couple of years.
That’s one of the benefits of using the Digital Compliance Hub – we can keep you and your business up to date on the latest changes as well as provide advice and guidance. Get in touch if you want to know more, or sign up today and get in the know.