If you want to avoid watching Grandad murdering “Mistletoe and Wine” over the festive season, you could escape to a lesser evil; catching up on your GDPR reading! You may have missed some of the recent GDPR publications.
The Article 29 Working Party (A29WP) started handing out its Christmas presents early. Its Guidelines on Personal Data Breach Notification was published for consultation a few weeks ago. Once finalised this document will offer valuable assistance to Data Controllers when deciding when to report a data breach to the Information Commissioner’s Office and to Data Subjects under Articles 33 and 34 of GDPR. (See also our previous blog post on this subject.)
23rd January 2018 is the deadline for commenting on the A29WP’s Guidelines on Consent and Transparency.
There is a lot of misinformation and confusion out there about consent. As the Information Commissioner has pointed out in her myth busting blog post, consent is only one way to justifying processing of personal data under Article 6 (and 9) of GDPR. What is consent? When is it explicit? When is it freely given? These are just some of the questions addressed in the draft guidelines.\
Transparency is a key requirement of the First Data Protection Principle in Article 5 of GDPR. It is also the theme of the Data Subject’s rights in Article 13 and 14; the right to information.Amongst other things, the draft guidelines on this topic address the important issue of privacy notices, their content and timing.
The Data Protection Bill is currently being scrutinised by the House of Lords in the Committee Stage. One important amendment has been agreed which will be good news for public authorities (defined by clause 6 of the Bill as those subject to Freedom of Information laws). “Legitimate interests” is one of the conditions for processing personal data under Article 6. However GDPR states that it is not available to “public authorities in the performance of their tasks.” This caused concern amongst some public authorities who felt that some of their personal data processing, especially when involved in commercial activities, did not always fit the other conditions in Article 6. In particular it was not “a task carried out in the public interest or in the exercise of official authority” as per Article 6(1)(e).
The amendment to the Bill resolves this issue by saying that a Data Controller will only be a public authority “when performing a task carried out in the public interest or in the exercise of official authority” vested in it. Therefore where a Public Authority Data Controller is processing personal data for other reasons it will still be able to rely upon legitimate interests. We will be covering this in our Data Protection Bill webinar in January 2018.
And Finally…
- We have finalised our 2018 course programme.
- Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. Read about the last set of results 2 out of the first 3 courses in 2018 are fully booked.
- If you require tailored GDPR training delivered at your premises, please get in touch.
- We have sold over 350 copies of our GDPR handbook. We are donating £1 from each sale to the DEC Rohingya Crisis Appeal.
image credits: https://londonist.com/category/things-to-do/christmas-in-london
