UK Privacy Regulator Addresses Data Protection Under The GDPR

King & Spalding

On Monday, March 6, 2017, the UK’s Information Commissioner’s Office (“ICO”) held its annual Data Protection Practitioners’ Conference.  During the conference, Information Commissioner Elizabeth Denham, who was appointed to the role of Information Commissioner in July 2016, discussed the General Data Protection Regulation (“GDPR”), which will become effective in May 2018.  Denham’s remarks focused on the GDPR’s role in giving individuals stronger rights to be informed about how their personal information is used and emphasized the need for organizations that handle personal data to have a broader and deeper sense of accountability for the way they handle that data.

In her remarks, Denham highlighted a few examples of organizations that are “getting it wrong” under the current data protection regime.  The common thread among her examples was “organizations failing to put customers first.”  Going forward, however, the GDPR will “put even more of an onus on organizations to understand and respect the personal privacy rights of consumers.”  While noting that the GDPR imposes specific new obligations on organizations, including obligations related to reporting data breaches and transferring data across borders, Denham believes that the “real change for organizations is understanding the new rights for consumers.”  Specifically, under the GDPR, consumers and citizens will have stronger rights to be informed about how organizations use their personal data.

According to Denham, those with responsibility for the protection of data within an organization must ensure that accountability for data protection is prioritized at all levels of the organization – referred to in the GDPR as “accountability by design.”  Denham also emphasized that while the greater enforcement powers the GDPR gives to regulators, including significantly increased monetary fines, are one way to make data protection a priority, organizations should see a real business benefit in getting data protection right, achieving both legal compliance and competitive advantage.

Denham also referenced the ICO’s newly published draft guidance on the requirements for obtaining consent under the GDPR.  The draft guidance was published on March 2, 2017, and the ICO is seeking comments on it through March 31, 2017.  The ICO has stated that the draft guidance is the first in what is planned to be an ongoing series of ICO publications addressing various topics related to the implementation of the GDPR and the ICO’s recommendations on implementation.  The guidance on consent (1) details what counts as valid consent; (2) gives practical advice on deciding when to rely on consent and when to look for alternative legal bases for data processing; and (3) explains the key differences between the new requirements under the GDPR and the existing requirements under the Data Protection Act (the existing legislation that enacts the provisions of the Data Protection Directive in the UK).

In a press release announcing the release of the draft, Jo Pedder, the ICO’s interim head of policy and engagement, explained that the GDPR sets a higher and more detailed standard for consent; one that will require organizations to reassess and revise their current practices for obtaining and maintaining valid consent.  The ICO explained that companies that rely on consent as the lawful basis for their processing activities must offer individuals genuine choice and control.  Consent is only valid if it is freely given.  Consent likely will not be valid under the GDPR if it does not meet each of the following requirements:

  • Positive opt-in is required for effective consent, which means that valid consent cannot be obtained by default, including through pre-ticked boxes or other similar methods of obtaining consent by default.
  • Consent requests should be documented separately from other terms and conditions.
  • Consent requests should be specific and granular as well as clear and concise.
  • Consent requests must identify by name any third parties that will rely on the consent.
  • Consent requests must tell individuals that they can withdraw consent and should tell them how to do so.  It must be as easy for the individual to withdraw consent as it was to give it in the first place.
  • Consent cannot be a precondition of the provision of a service unless it can be shown that it is necessary for that service.

Organizations must also keep detailed evidence of consents, including who consented, when they consented, and what they were told at the time they consented.

The draft guidance also provides insight into when consent might not be the most appropriate legal basis for data processing.  For example, public authorities, employers, and others in a position of power over data subjects may have difficulty meeting the requirements for establishing that consent has been validly and freely given.  Under the GDPR, the limited circumstances in which personal data can be processed without consent are (1) if it is necessary for fulfilling obligations under a supply or employment contract; (2) for complying with a legal obligation; (3) for carrying out official public duties; or (4) if there is a “genuine and legitimate reason” that is not outweighed by harm to the individual's rights and interests.

Finally, Denham acknowledged in her remarks that, post-Brexit, the UK may face challenges related to the flow of data across global borders, as different legal systems and cultural norms about privacy complicate matters.  However, she noted that the ICO is committed to making sure that, as the UK regulator, it sets a standard for data protection in the UK that is equivalent to the EU’s standard.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
