For most organisations trying to ensure compliance and manage budgets, guidance on key areas of the GDPR can’t come soon enough. Susan Corless, Client Relationship Manager at TwentyCi, says it’s a concern: “many organisations have started preparation for the GDPR, however there is still a lack of guidance coming from the regulators on subjects like Consent and Legitimate Interest; without this and other guidance it could result in organisations implementing new changes that aren’t going to meet the new regulations and therefore many are sitting on a ledge for the regulator to guide us.”
So, what can we expect, and when, from the UK’s Information Commissioner’s Office and at a European level?
The ICO’s final Consent Guidance was anticipated this month, but the Regulator’s website is now more broadly saying “in the Summer”. In its draft Consent Guidance published in March the ICO took a strict approach and, if you believe the rumours, the final version is unlikely to be changed that much. Data sharers will certainly be praying for a more relaxed stance on the naming of third parties. Meanwhile the Article 29 Working Party (WP29) is expected to publish its guidance on Consent later this year.
A profiling discussion paper for feedback was published in April by the ICO and responses received are now being assessed. The Regulator says it plans to publish a summary of the feedback in ‘due course’ and that responses will inform their input into the drafting of EU level guidance on profiling and automated decision-making. If you can’t wait, find out what practical steps you can take now surrounding your activities in our Profiling – GDPR Compliance Ladder practical guide.
The Data Protection Network, working with a group of cross-sector privacy specialists, is preparing industry guidance on the use of Legitimate Interests. Following feedback from the ICO on an initial draft submitted to them, we are working on a revised version which we hope to publish as soon as possible. The ICO will also publish their own guidance on this tricky area.
The WP29 has already published guidance on Data Protection Officers, Data Portability and identifying lead supervisory authorities, which can be found on their website. It’s hoped guidance on other areas such as Notifications, Transparency and Data Privacy Impact Assessments will be issued later this year.
If that wasn’t enough for organisations to consider, it’s hoped the final text of the new ePrivacy Regulation will be published in the Autumn. However, there is growing scepticism as to whether the aim of enforcing this Regulation in line with the GDPR on 25 May 2018 may have been too ambitious.
Sara Howers, Global Data Protection Officer at Haymarket Media Group says, “it’s a very frustrating time for many DPOs. What’s an organisation to do? Leap ahead now, whilst some uncertainty hangs in the air, or wait, for further clarity? And it’s not being helped by the proliferation of ‘GDPR experts’, new software, magic bullets, snake oil, and in some cases rather conflicting information being dished out at some seminars and events.”
And finally, the recently passed Digital Economy Act brings with it an important change for marketers, giving the ICO powers to issue a statutory Code of Practice for Direct Marketing. Good Practice will no longer be optional!
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.