Practical Law

In the Winter agenda the prospect of a no-deal Brexit was a real, if improbable, threat. While the transition period until 31 December 2020 might represent a reprieve, there are plenty of things in-house counsel need be doing during the (now ten) months remaining. Our recent blog post, Data protection: what should companies be doing during the Brexit transition period?, will help to navigate the issues and prioritise your actions.

Despite the political landscape remaining uncertain, it does feel like a moment to focus greater attention to BAU data protection and cyber activities.

Looking back

In case you’re in catching up mode, a key headline landed just last week with the Croatian presidency of the EU publishing the revised text of the draft E-Privacy Regulation. Here’s a brief roundup of other key developments since the start of December:

• The ICO published: data protection guidance specifically for SMEs; the final version of its Age Appropriate Design Code; and amended guidance on timescales for complying with data subject access requests when clarification is sought.
• Simon McDougall of the ICO blogged twice on adtech, specifically on its engagement with adtech organisations and on investigation and regulatory action.
• In the Facebook Ireland case, AG Saugmandsgaard Øe delivered his opinion that controller to processor standard contractual clauses remain valid (although the position is not final until the ECJ’s judgment later this year).
• The National Cyber Security Centre (NCSC) published guidance for organisations on choosing and purchasing mobile devices.
• The Centre for Data Ethics and Innovation (CDEI) published its final report on online targeting.

Looking ahead

As ever in this area, there is certainly plenty happening for practitioners during the spring, including a number of open consultations/surveys, forthcoming publications and a key NCSC event, all outlined below.

1. Open consultations and surveys

• ICO survey on processing of criminal convictions personal data. The purpose of this survey is to find out if gaps exist in controllers’ awareness and understanding of the data protection requirements for processing criminal convictions personal data under Article 10 of the GDPR and closes on 28 February 2020.
• ICO consultation on draft direct marketing code of practice. The draft code aims to provide practical guidance and promote good direct marketing practice when complying with the GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). It closes on 4 March 2020.
• European Data Protection Board (EDPB) consultation on connected vehicles guidelines. The guidelines focus on the processing of driver and passenger personal data processed by the vehicle as a connected device. The consultation closes on 20 March 2020.
• Government call for evidence on regulating online advertising. This call for evidence is intended to supplement various ongoing reviews of the advertising sector by the Competition and Markets Authority (CMA), the CDEI and the ICO. It closes on 23 March 2020.
• ICO consultation on draft AI auditing framework guidance. The guidance is aimed at developers and users of AI systems. The consultation closes on 1 April 2020.

2. Forthcoming publications

• The CDEI is due to publish its final report on algorithmic bias in various sectors (which may include financial services, local government, recruitment and crime and justice) on 31 March 2020.
• The Secretary of State will publish a report on the NIS Regulations 2018 by 9 May 2020 following a review of the regulations.
• The European Commission is due to report on all elements of the GDPR by its two year anniversary, 25 May 2020.
• DCMS and the Cabinet Office are due to publish the responses from the Digital Identity consultation (following a call for evidence which ran last year) at some point during Spring 2020.
• Following publication of the final AI auditing framework in January 2020 and the consultation referred to above, the ICO expects to publish the associated guidance for organisations during Spring 2020.

3. CYBERUK 2020

The NCSC’s CYBERUK event is due to take place at the ICC Wales in Newport on 19 – 20 May 2020. CYBERUK is the UK government’s flagship cyber security event and will include briefings on the evolving cyber threat and how we must respond as individuals and as a community to keep Britain safe in cyberspace.

New and updated Practical Law content

In addition to the Brexit blog post referred to above, Practical Law has added the following to its content set in the past three months:

• Information and cyber security (sector-neutral): presentation materials which includes a sector-neutral set of slides for use by in-house or compliance counsel to train non-experts in an organisation on information and cyber security.
• Information and cyber security (regulated sectors): presentation materials which includes a set of slides for use by in-house or compliance counsel to train non-experts on information and cyber security in an organisation operating in a sector regulated under specific cyber security law.
• Standard document, Data retention schedule for personal data (GDPR and DPA 2018) which covers a range of records that may be held by an organisation and is arranged by typical business functions.
• Practice note, Legal aspects of managing data (recently updated) which provides a practical guide to legal rights in data; what they are, how they arise and how they can be managed.
• Practice note, GDPR and DPA 2018 exemptions and conditions: public sector which sets out the exemptions under the GDPR and the Data Protection Act 2018 relevant to data processing in the public sector.
• Practice note, Network and Information Systems Regulations 2018: impact on businesses in the life sciences and healthcare sectors which provides an overview of how the NIS Regulations 2018 impact the UK healthcare sector and the key considerations for businesses serving that sector.
• Article, Practical Law Data Protection: what to expect in 2020 which summarises the main developments that will affect data protection practitioners in England and Wales in 2020 and beyond.
• Article, Practical Law IP&IT: what to expect in 2020 which includes coverage of the new and emerging regulations (at UK and EU level) relating to cybersecurity.