Data Protection in 2019 – refresh and further reform
With the introduction of the General Data Protection Regulation (GDPR), 2018 was a very busy year for data protection compliance. Many businesses from all sectors left updating their GDPR compliance programs later than they would have liked. Research shows that companies struggled to get ready for the May 2018 deadline. For example, a study conducted after the GDPR came into effect showed that many organisations are failing to respond to subject access requests within the one-month time limit, with many failing to respond at all!
This could be for a number of reasons:
- personal data is so important to how we all do business that even small changes to how its use is regulated will have a major impact on operations;
- achieving compliance requires input and effort from all areas of an organisation – not just the compliance team; and
- guidance on how the GDPR would be enforced was not available for all aspects of the Regulation and industry standard compliance methods were in their infancy.
2019 provides an opportunity to take a fresh look at data protection compliance:
- without any looming deadlines;
- with planning, involvement and buy-in from all areas of your business;
- with the benefit of further guidance documents issued by the European Data Protection Board (which replaced Working Party 29) and national regulators, like the Information Commissioner’s Office, and of better developed industry standard approaches to compliance.
We expect businesses in all sectors to further develop their data protection compliance programs in 2019 as the ways and means to become compliant become more uniform across all sectors.
There are also a number of events on the horizon that will need to be considered as part of a fresh approach to data protection compliance, including the ePrivacy Regulation and Brexit.
The ePrivacy Regulation
This is a draft European regulation relating to privacy and electronic communications. It’s currently expected to be finalised during the second half of 2019. Assuming a reasonable implementation period, this could mean that it won’t take effect until 2020 at the earliest. But like the GDPR, it could have a major impact on your business, so getting ready for this in 2019 makes sense.
It will replace the current Privacy and Electronic Communications Directive 2002, and bring the law in this area more in line with the GDPR, including the same level of potential fines following a breach. Like the GDPR, moving from a directive to a regulation will also provide a greater degree of uniformity across the EU.
As legislation with a specific application (e.g. electronic communications), it will supersede the GDPR, which has a general application. It will impact how messaging services (Skype, WhatsApp, Facebook Messenger etc.), Internet of Things communications, telephone calls, SMS and emails are regulated. The biggest impact could be on businesses that send B2B marketing emails.
Under the current draft it’s not clear whether businesses will be allowed to retain their ability to send B2B marketing emails using the “legitimate interest” legal basis. Instead they could be required to obtain consent to the same standards required under the GDPR before sending a B2B marketing email. The interpretation of this point is hotly contested. Many groups are continuing to lobby the EU on how the law on this should be understood or whether the wording of the regulation should be changed altogether.
Brexit
On 19 December 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were published in draft form. Their purpose is to replace the GDPR with a version that will make sense once the UK has left the EU, a “UK GDPR”.
Organisations in the UK and outside the UK could be regulated under both the UK GDPR and the EU GDPR. Policies, agreements and other compliance documents will need to be updated to reference the new UK GDPR. UK businesses trading into the EEA will need to consider appointing Article 27 representatives within the EEA. Likewise, businesses outside the UK which trade into the UK will need to consider appointing a UK representative. Non-EEA businesses may need a representative in both the UK and the EEA! It’s unlikely that the UK will benefit from an adequacy decision immediately after Brexit, so transfers of personal data between the UK and the EEA will need sufficient safeguards in place, such as use of the European Commission’s standard contractual clauses.
The GDPR Journey
Whilst you might have thought 2018 was your data protection Everest, with the need to refresh and to deal with the ePrivacy Regulation and Brexit, it’s clear that data protection compliance is going to be an ongoing journey, so “Don’t stop…”!
If you’d like any help finding your way, please get in touch to arrange a free call or meeting.