General Data Protection Regulation (GDPR) update
11th October 2016
ICO launches updated code of practice on privacy notices
On 7 October 2016, the Information Commissioner’s Office (ICO) issued an updated version of its statutory code of practice relating to privacy notices, transparency and control.
What is the code for?
Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the new General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.
The ICO stresses that transparency with customers is fundamental if businesses want to succeed in the digital economy. As Elizabeth Denham – the new Information Commissioner has said: “It’s not privacy or innovation – it’s privacy and innovation”.
The new code sets out how organisations should explain to people how they’re using their personal information. It includes sample privacy notices and suggestions for using preference management tools. Mobile app notices receive particular attention.
Alongside the code, the ICO has issued a checklist for privacy notices which covers the essential elements of compliance including:
- deciding what to include in the privacy notice based on the personal data you hold and what you do (or plan to do) with it
- issues which arise if you are relying on consent
- where and how you give privacy information: in writing; orally; in signage or electronic format
- when to give privacy information – especially where:
- you are collecting sensitive information
- the intended use of the information
- is likely to be unexpected or objectionable, or
- will have a significant effect on the individua
- how the notice is written – which should be in clear, straightforward language.
What does this mean for me?
Privacy notices need to be reviewed regularly and updated to reflect any changes.
The code has a specific section on the changes likely to take place as a result of GDPR. These include requirements for more detailed and specific privacy notices than in the DPA and an emphasis on making privacy notices understandable and accessible. The privacy notice must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language, particularly if addressed to a child, and
- free of charge.
The code contains a useful table on the GDPR privacy notice requirements for direct and indirect collections of personal data.
How can I find out more?
The new Information Commissioner
Elizabeth Denham, who took up her 5-year post in July 2016, issued her first speech as Information Commissioner on 29 September 2016. The main themes that emerge are as follows:
- Consumer trust and control. The Commissioner places great emphasis on building data protection trust between customers and organisations, building a “culture of data confidence” and giving individuals control over their data, which she sees as a key shift in the GDPR. Trust has to be earned and in the press release on the TalkTalk £400,000 monetary penalty on 5 October 2016, the Commissioner said, “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
- Focus on technology. A focus of the ICO’s investigation efforts will be on the technology sector and the use of technology by others. The ICO is set to expand its technology team yet further. It is looking to partner with universities and support research into privacy by design solutions.
- May 2018 and GDPR. The Commissioner thinks it “extremely likely” that the GDPR will apply in May 2018 and sees this as an opportunity: “GDPR is an incentive to improve your practices, to sharpen things up, and encourage organisations to look at things afresh”.
- Post Brexit. Having experienced being in an “adequate” jurisdiction (Canada) first hand, and the issues that the European Court’s safe harbor decision created even there, the Commissioner wants UK data protection law post Brexit to be consistent with EU law and adequate; she is in dialogue with Government Ministers about this. To quote from her speech: “In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK.”
ICO GDPR website and guidance to-date
The ICO has moved its GDPR website to here.
The ICO has now produced the 12 steps guidance; an overview of the GDPR and, as above, the updated privacy notice code of practice.
Future ICO and Article 29 working party GDPR guidance
The next ICO pieces of GDPR guidance will be on:
- Individuals’ rights
The Article 29 working party (which includes the ICO and its EU counterparts) is expected to produce GDPR guidance on the following topics by the end of 2016:
Identifying an organisation’s main establishment and lead supervisory authority
- Data portability
- Data Protection Officers
- Risky processing and Data Protection Impact Assessments
The ICO will also develop its thinking in the following areas to inform future ICO and European guidance:
- Risk and significant/ legal effects
- Children’s privacy
- Documentation/ records of processing activity
- Data controllers/ Data processors
- International transfers
We will update you as and when further guidance or information becomes available.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.
This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.