#89 GDPR Update with Rosemary Smith

02/10/2017 56 min

Episode Synopsis

Are you ready for the changes to data protection law? We thought it was high time for a GDPR update. Rosemary Smith, from Opt-4, joined us around a year ago, and her podcast on GDPR, or the General Data Protection Regulations, really engaged our listeners. She’s still our top download. It’s a very hot topic (you can listen again here).
Time for a GDPR update


So, we thought it would be great to have Rosemary back to give us a GDPR update and to motivate those business owners who have yet to get going. For more GDPR information and guidance visit Delphix.

Rosemary is a leading expert on GDPR.

Rosemary Smith gives us a GDPR update

There has been a major uptick in activity with GDPR. Since we last spoke, the UK Government has confirmed, despite Brexit, that GDPR will be coming in on 25 May 2018.

On Christmas Day this year, it will be exactly 6 months till GDPR!

Rosemary has been involved with the Information Commissioner’s Office, as there is as yet NO official guidance as to how we should be interpreting some of the key aspects of GDPR. We did have some draft guidance from the ICO on consent.

https://ico.org.uk/about-the-ico/consultations/gdpr-consent-guidance/

This is causing consternation as the barrier for consent is MUCH HIGHER than it currently is under the DP Act.

The draft guidance had no surprises. Consent needed to be unambiguous and confirmed by a statement or clear affirmative action.

In essence, it affirms opt-in consent. No pre-ticked boxes. There are some fairly tough words around 3rd parties’ use of data. So, that is not the data collecting business itself but any other organisation to which you might want to pass data. The guidance is very clear in that you need to NAME all of those 3rd parties at the point at which you collect the information.

Is this punitive compared to how things are now?

Naming industry sectors, like insurance, financial services, etc., is typical now. But that looks unlikely to be part of the new regime. They have dismissed ‘defined sectors’. But they haven’t published final guidance, and they won’t be doing so until the ICO has final guidance from Europe on consent.

Article 29 Working Party – all the regulators around the EU getting together and agreeing a position.

https://edps.europa.eu/press-publications/press-news/blog/crucial-moment-communications-privacy_en

It is likely to be December 2017 before we get final guidance.

If the outcome is purely opt-in, then the eco-system around prospecting to individuals in the UK via direct mail, for example, would be affected by the reduction in the availability of permission-based lists.

That is one of the reasons that Royal Mail and others, including Rosemary Smith, engaged with the ICO to discuss the alternative to consent.

Balance of Interest or Legitimate Interest

This is in the current law, but will have more emphasis in GDPR. It is where an organisation asserts that it has a legitimate interest in processing the individual’s data, that it is necessary to process it and, crucially, that it can process that data without harming the rights of the individual. It is a balancing test.

To date there has been no guidance from the ICO on this. So, the Governance Board of Rosemary’s Data Protection Network (https://www.dpnetwork.org.uk), an online community that advises and helps people to unpick this legislation, decided it would be a good idea to get industry representatives together, supported by the Direct Marketing Association and the Incorporated Society of British Advertisers. They unpicked where it could and could not be used.

They sent that draft to the ICO and provided comment. It was published in July.

https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/

What are the situations where Legitimate Interests are going to be relied upon?

For example, employees. Consent has to be freely given. In a firm, the staff really have no choice other than for their data to be processed by their employer.