2018 was a big year for data protection. A whirlwind of legal, regulatory and industry changes was introduced. This Data Privacy Newsletter provides a brief reflection on the past year, and looks at what is coming next in 2019.
Data Protection 2018
On the 25th May 2018 the much anticipated Data Protection Act 2018 (DPA) came into force. This enshrined the principles of the General Data Protection Regulation (GDPR) into law. Many businesses (despite best efforts) were unprepared for the amount of work that the accountability principle brought to their organisations. The biggest challenge across industries and sectors is knowing where their personal data is, and how to record that in a Record of Processing Activity (ROPA) that is meaningful, useful, and maintained. Nonetheless, businesses are getting there. DPAS has seen an increase in the quality of ROPAs and in the understanding of how these documents can be used to create efficiencies for organisations in a data-centric world.
Brexit
As 29th March 2019 draws ever closer, there is an increasing likelihood that the UK will leave with ‘no deal’ or without being deemed an ‘adequate country’ in terms of sharing personal data across borders, per Article 45 of GDPR. This will mean the UK is a ‘third country’ to those who are processing data in the EU. Businesses will need to reassess their processing (perhaps by using their ROPAs) to ensure they are DPA and GDPR compliant.
Nigel Gooding has written a series of articles expanding on this topic which provide more information, but in short, there are 2 main actions under GDPR that UK/EU organisations will have to undertake to ensure they can continue to trade. These are:
- Businesses should be putting in place additional safeguards (per Article 46). These include Binding Corporate Rules, new contracts, new consent regimes or the development of an industry-wide scheme or certification. All of these methods prove time-consuming.
- UK companies will have to appoint a representative within the EU to act on their behalf under Article 27.
Therefore, your organisation should be identifying the potential risk of the UK leaving the EU and taking action now. DPAS are able to advise businesses if you have specific concerns.
PECR & ePrivacy Regulation
DPA/GDPR shook up the marketing industry due to its need to work in conjunction with PECR regulations. Most businesses, unless able to rely on exemptions such as a ‘soft opt-in’, undertook a consent exercise to market to their customers electronically. This has resulted in significant cuts to the amount of marketing that is sent. It has also arguably meant that those who receive the material are more likely to be interested and actively engaging. Further changes are likely in 2019, with the still-to-be-agreed Electronic Privacy Regulation (ePR). DPAS will update you on this when there is more clarity on how ePR will affect your business. The main takeaways for now are that ePR is likely to be broader in scope than PECR, and will have the same penalties applicable as GDPR does.
This means the new regulations will apply not just to the use of cookies, or marketing emails, etc. They will also apply to current and future methods of communication. This includes instant messaging apps, machine-to-machine communications, such as the Internet of Things, and other development areas. The significance then is that the technology giants cannot design their way out of the law.
What's new at DPAS!
With the new year, there are not just big commercial and legal changes on the horizon. DPAS are excited to be expanding our business out of London and the West Country, with new contracts starting in the North and in the Midlands.
Revised ROPA and ISO27001 Security Assurance Trackers
Over the Christmas period we have developed new ROPA tools, which include increasingly relevant information and ISO27001 security elements with improved accuracy and reporting functions.
New DPAS Website
We have been working hard on our new website which aims to bring you more relevant content and updates about what’s happening in the Data Protection world. You can also book onto our new training courses via the new website.
Training Courses
Our training courses are all CPD accredited and the following courses are taking place at our offices in Exeter during Feb, March and April:
- Data Breach Course (1 day)
- Data Protection Impact Assessment Course (1 day)
- DPO Course (3 days)
- Foundation Course (1 day)
- Data Protection and Cyber Security e-Learning (1 hour)
Click here for course dates or contact Mel.
Wishing you all a Happy New Year and a successful 2019!
From all the team at DPAS.