We have had a blockbuster twelve months in privacy and cybersecurity which saw the arrivals of the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA 2018) and the Network and Information Security Directive (NIS Directive).
As we approach the first anniversaries of those transformative pieces of regulation, the horizon is now dominated by the confusion and complexity of Brexit.
It feels like an opportune moment to kick off our quarterly agenda series on key privacy and cyber developments. This regular forward-looking piece will give in-house practitioners a heads up on key forthcoming developments to watch out for over the next quarter as well as highlighting new content.
Naturally, Brexit is at the forefront this Spring. Over the next four weeks, we may see Article 50 extended beyond 29 March. But the prospect of no deal in this short time still looms large and particular focus now will be on preparing for this, especially the real prospect of the UK being deemed an inadequate destination for EU personal data.
Practical Law’s recently published guidance in relation to Brexit includes:
- Practice note, Brexit: implications for data protection.
- Video, Key data protection measures to prepare for a no-deal Brexit.
- Practice note, Brexit: implications for cybersecurity in the UK.
The European Data Protection Board (EDPB) has also recently published an information note on data transfers under the GDPR in the event of a no-deal Brexit.
Beyond this, there are a number of developments, some driven by Brexit, as well as a number of consultations and events to be aware of over the Spring. New resources on Practical Law are featured at the bottom of this piece.
A statutory instrument has been designed to ensure that the UK legal framework for data protection continues to function on the UK’s exit from the EU, currently scheduled for 29 March. The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, originally laid before Parliament on 19 December 2018, merge the GDPR and the applied GDPR into the “UK GDPR” and amend the DPA 2018 and other legislation.
The regulations are largely designed to apply in the event there is no transition period (that is, no deal). However, the provisions amending the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR) will come into force on 29 March irrespective of whether there is a transitional period or whether the currently scheduled exit day is modified.
Meanwhile, the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2018, which amend provisions deriving from European Union Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions, are ready to come into force in the event of no deal.
ICO adtech fact finding forum
As announced in its recent blog on advertising technology (adtech) from a data protection perspective, the Information Commissioner’s Office (ICO) is holding a fact finding forum for adtech industry participants on 6 March 2019 in central London. The forum will seek to discover how organisations can have confidence and provide assurances that onward transfers of data will be secure. Those interested in attending are invited to contact firstname.lastname@example.org.
ICO “Openness by design” consultation
The ICO is consulting on a draft access to information strategy, “Openness by design”, which sets out the ICO’s priorities for the next three years in relation to its duties under the Freedom of Information Act 2000, the Environmental Information Regulations 2004 (SI 2004/3391) and the Reuse of Public Sector Information Regulations 2015 (SI 2015/1415).
The consultation closes on 8 March 2019.
The EDPB has two live consultations with imminent deadlines:
- The consultation on Annex 2 to Guidelines on certification. Annex 2 identifies topics that a data protection supervisory authority and the EDPB will consider and apply for the approval of certification criteria of a certification mechanism. Comments should be sent to EDPB@edpb.europa.eu by no later than 29 March 2019.
- The consultation on Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under the GDPR, which aim to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the GDPR (in relation to codes of conduct). The consultation ends on 2 April 2019.
PSA consultation on retention of data
The Phone-paid Services Authority (PSA) is consulting on proposals intended to clarify its expectations as to how long providers should retain certain kinds of data. It is proposing that providers should retain all Relevant Data, including personal data, for two years, starting from the point it was first collected. The consultation closes on 3 April 2019.
The National Cyber Security Centre’s CYBERUK event is due to take place in Glasgow on 24 – 25 April 2019. CYBERUK is the UK government’s flagship cyber security event and will include briefings on the evolving cyber threat and how we must respond as individuals and as a community to keep Britain safe in cyberspace.
New Practical Law content
In addition to the Brexit guidance referred to above, recently-published privacy and cybersecurity content on Practical Law includes:
- Practice note, Cybersecurity Directive: UK implementation which explains what Operators of Essential Services and Relevant Digital Service Providers must do to comply with the security and incident reporting requirements of the NIS Regulations.
- Practice note, Data protection aspects of image rights (GDPR and DPA 2018) which considers how the GDPR and DPA 2018 apply and the protection they provide when an image constitutes personal data.
- Practice note, GDPR and DPA 2018: claims for compensation which explores claims for compensation under the GDPR and DPA 2018, informed by the development of case law under the Data Protection Act 1998.
- Video, Conducting a global data protection audit under the GDPR which sets out a practical approach to undertaking a global data protection audit.