Karen Bradley MP, the Secretary of State for Culture, Media and
Sport, recently confirmed that the UK will be implementing the
General Data Protection Regulation (GDPR), in force from May 2018,
stating "[w]e will be members of the EU in 2018 and therefore
it would be expected and quite normal for us to opt into the GDPR
and then look later at how best we might be able to help British
business with data protection while maintaining high levels of
protection for members of the public."
Privacy notices, transparency and control
The Information Commissioner's Office (ICO) has welcomed the
confirmation, coming shortly after their publication of a new code of practice on privacy notices, the
first piece of the guidance puzzle that the ICO intends to publish
in order to prepare businesses for the new regime.
The code, titled 'Privacy notices, transparency and
control', follows an ICO consultation on the subject and
seeks to assist data controllers in complying with transparency
requirements under both the Data Protection Act 1998 (DPA) and the
The code is "aimed at all organisations that collect
information about people, whether directly or indirectly"
and provides guidance on:
- gaining and recording consent
- the content of a privacy notice, including how the privacy
  notice should be written and presented
- how to communicate privacy information for individuals
- producing privacy notices for mobile devices
- when a business should actively communicate privacy
The ICO also provides guidance on complying with Articles 12, 13
and 14 (which relate to the provision of privacy information to
data subjects), noting that whilst these Articles are "more
detailed and specific than in the DPA", if businesses follow
the guidance in the code they will be "well placed to comply
with the GDPR regime." A handy guide summarising the privacy
information that needs to be provided under the GDPR, where data
has or has not been obtained directly from the data subject, is
also included in this section.
Why is all this important?
The code makes clear that whilst the Information Commissioner
cannot take enforcement action for failure to adopt good practice,
she can pursue actions for failure to comply with the DPA (which
can attract a fine of up to £500,000) and, in doing so, she
may have regard to the advice provided in the code. With the
government's confirmation that the UK will opt into the GDPR,
it is also worth stressing that under that regime administrative
fines of up to €20m or 4% of the company's total worldwide
annual turnover may be imposed in respect of a breach of the rules
on privacy notices. It is therefore vital that businesses make good
use of the code and revise their privacy notices as necessary.
Something to bear in mind...
In closing, it is worth noting that in our ever-changing technological
world data is increasingly being collected in non-traditional ways,
for example by tracking people online or through smart devices, or by
the use of algorithms that analyse purchase history and social
media use. Businesses will therefore need to assess how they
collect information and adapt to meet the challenge of fulfilling
the requirements to be fair and transparent when data is collected
in this way. In particular the code addresses the use of 'big
data', noting that "it may be more difficult to foresee at
the outset how [a business] will use the data" so businesses
should pay particular attention to how data is collected and update
privacy notices as necessary in order to ensure that the risk of
breach of the rules is limited.
The ICO intends to publish further guidance by the end of