Data Protection 2018: The ICO answers your questions
06 Apr 2018
We gathered recently for Data Protection 2018, and the ICO asked our attendees for questions they could take away and tackle in detail. Covering the GDPR, ePrivacy, consent, Privacy Shield and more, read on for their detailed answers.
Q: 3rd party consent requiring naming of 3rd parties is a major change for the industry. Can you give us guidance on the likely final direction of the ICO on this?
A: GDPR Recital 42 states that "for consent to be informed, the data subject should be aware at least of the identity of the controller". Therefore, any 3rd party relying on consent will need to be named. Please also refer to our Direct Marketing guidance, updated to reflect key GDPR requirements and the ICO's view on this point.
Both the Direct Marketing guidance and the ICO's PECR guidance previously indicated challenges in respect of PECR: 'PECR specifically requires that the customer has notified the sender that they consent to messages from them: see the definition of consent above. In most circumstances, indirect consent would not meet this test – as the customer did not directly notify the sender, they notified someone else.'
PECR refers to the Data Protection Directive 1995 for its consent definition. From May 2018, it will refer instead to the GDPR's consent definition. The specificity now required reflects the GDPR consent definition.
Q: Do you know when your guidance on consent will be published?
A: This is expected to be after the Article 29 Working Party's finalised consent guidance, which is expected in April 2018.
Q: Will the helpline for businesses with fewer than 250 employees remain after 25 May? Are there implications for calling after the enforcement date with queries? Can we call anonymously?
A: The ICO recognises the challenges faced by smaller businesses in preparing for the GDPR. The Commissioner's blog (December 2017) announced specific advice, FAQs, a helpline and toolkits for the sector and that there would be more help to come throughout 2018 and beyond. In March, we launched our awareness campaign targeted at micro-businesses. The ICO's Regulatory Action Policy is being updated; please see the Commissioner's blog of December 2017 ('GDPR is not Y2K') which refers to the ICO's anticipated approach: 'Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.'
Q: How will GDPR affect US companies? What are the most informative ways companies in the EU can be confident of US companies' compliance e.g. Privacy Shield?
A: The GDPR applies to organisations outside the EU that offer goods or services to individuals in the EU. It is not clear what is envisaged here, as the reference to EU companies implies potentially a contractual relationship (whether data controller to data controller or data controller to data processor); please refer to the ICO's GDPR Guide for further information, as the GDPR introduces additional requirements around international transfers. The US Privacy Shield is a self-certification scheme overseen by the Department of Commerce in the US to address requirements around EU-US transfers and as such may not provide sufficient information on GDPR compliance more widely.
Q: Can a DPO be effective (i.e. meet GDPR requirements) if not reporting directly into CEO?
A: Article 39(3) states 'The data protection officer shall directly report to the highest management level of the controller or the processor.' The Article 29 Working Party's guidance states: 'Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO's advice and recommendations as part of the DPO's mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO's activities provided to the highest management level.' The controller or processor is responsible for ensuring the DPO can carry out their duties.
Q: Non-electronic marketing using 3rd party data. Legitimate Interest has been proposed as a relevant basis. Would you have an example of how the balancing test could work?
A: Please refer to the ICO's GDPR Guide section on legitimate interests, including the three-part test. We will be publishing more detailed guidance on legitimate interests shortly, which will provide further advice on the balancing test.
Q: The drafting of the regs and the lack of examples have fuelled misinformation. Could the GDPR myths series resume and develop with compliant examples across sectors?
A: The ICO continues to issue GDPR guidance, some of it sector-specific, as well as blogs from the Commissioner and her senior leadership team. ICO guidance will continue to include examples of the steps organisations will need to take in certain circumstances in order to meet the requirements of the GDPR. The first recorded podcast, focussing on GDPR myths, was published in March.
Q: Could you share the ICO's data controller purposes for processing documents and your latest GDPR-compliant privacy policy draft?
A: Please refer to the ICO's updated Code of Practice on Privacy Notices and new GDPR guidance on Records of Processing. Our guidance on lawful bases and transparency will be published shortly but we are unable to share draft versions.
Q: Will the US CLOUD act challenge and clash with the GDPR's international transfer conditions?
A: The proposed US Cloud Act is at early draft stage and therefore further information will be issued in due course.
Q: Will the ICO and FCA release specific GDPR insurance examples on lawful basis for processing?
A: The ICO supports the production of sector-specific guidance by trade bodies etc. The ICO has recently published its initial draft Data Protection Bill guidance which includes detail on grounds for processing special categories of personal data (Schedule 1), including insurance.