In our Spring agenda piece, Brexit dominated the horizon in the privacy and cyber world. And while many of us will still be transfixed by political events, the extension of the Article 50 process, in all likelihood up to 31 October, has given us momentary relief.
With the Brexit hiatus, attention has turned back to day-to-day compliance concerns. The summer is traditionally a quiet time of year of course but this agenda piece will highlight a number of events coming up you may need to be aware of. It will also highlight some of the key recent developments you may have missed.
The recent developments include discussion driven by the first birthday of the General Data Protection Regulation (GDPR), the publication of National Cyber Security Centre guidance on cybersecurity design principles and a wave of new content across Practical Law summarised at the bottom of this blog post.
Happy Birthday, GDPR!
We passed the landmark of the GDPR’s first birthday on 25 May which gave us a chance to reflect on the successes and challenges the Regulation has brought so far and will do looking into the future (see our blog post GDPR one year on: some highlights in words and numbers).
The Information Commissioner’s Office (ICO) published a 21-page report last week to share learning from the past twelve months (see Legal update, ICO updates on GDPR: One year on).
Most notably, the ICO report says that the focus for the GDPR’s second year must be beyond baseline compliance with organisations shifting their focus to accountability. It emphasises the importance of proper resourcing of data protection officer (DPO) roles (see Practical Law’s new content on DPOs below).
Forthcoming ICO consultations
The ICO report also highlights some consultations due to launch in June, arriving too late for this agenda piece but which will be covered by Practical Law. These include the following consultations:
- The data sharing code to be opened in June 2019, with the code to be laid before Parliament in the autumn.
- The draft direct marketing code which should be opened in June 2019 with the code finalised by the end of October 2019.
- The data protection and journalism code which should also be launched in June 2019 with the code laid before Parliament in the summer.
- A draft code on the use of personal information in political campaigns for consultation in July 2019.
Other consultations about to close
You may need to react quickly to these consultations with imminent deadlines:
- Government consultation on mandatory labelling scheme for consumer smart devices. This government consultation concerns a proposal to introduce a mandatory labelling scheme regarding the security measures in consumer “internet of things” (IoT) products, such as “smart” TVs and appliances. It closes on 5 June 2019.
- Ofcom consultation on establishing a common database of telephone numbers. This consultation concerns the establishment of a common database of telephone numbers so that telephone companies can verify that caller ID numbers are genuine and to improve the process of letting customers retain numbers when they switch providers. It closes on 6 June 2019.
- Consultation on UK’s proposed approach to regulating non-UK based digital service providers. This government consultation calls for views on the UK’s proposed approach to regulating non-UK based digital service providers operating in the UK under the Network and Information Systems Regulations 2019, considering the UK’s forthcoming departure from the EU (Brexit). It closes on 11 June 2019.
The Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956) come into force on 11 June 2019 and make provision for the enforcement of Council Regulation (EU) (2019/796) by way of sanctions, restrictive measures and offences connected with cyber-attacks threatening the EU or its Member States.
The social media network site, Facebook, is updating its Terms of Service to reflect EU consumer law and to explain that its business model relies on selling targeted advertising services to third parties by using data from users’ profiles. This is due to take place by the end of June 2019.
A final date for the diary is 9 July 2019 when the the ECJ is set to hear Schrems II which concerns the challenge to the validity of the European Commission’s standard contractual clauses as a mechanism for effecting international transfers of personal data to ‘third countries’ which may include the UK after Brexit.
The underlying anxiety of Brexit no doubt remains, with no-deal perhaps now more likely than ever. Look out for more Practical Law content in the coming weeks to assist with Brexit planning to sit alongside our existing guidance:
- Practice note, Brexit: implications for data protection.
- Video, Key data protection measures to prepare for a no-deal Brexit.
- Practice note, Brexit: implications for cybersecurity in the UK.
New Practical Law content
Recently published privacy and cybersecurity content on Practical Law includes:
- Checklist, Concepts of controller and processor (GDPR and DPA 2018) (UK) which sets out the questions to consider when determining whether a party is a controller or a processor under the GDPR.
- Video, GDPR data protection officers: recruitment and responsibilities which examines the obligations of a GDPR data protection officer (DPO) and the types of skills needed to successfully fulfil the role.
- Video, GDPR data protection officers: mandatory and voluntary DPOs explains when organisations must appoint a data protection officer (DPO) under the GDPR, and why it’s important to distinguish this mandatory role from that of a voluntary DPO or equivalent compliance officer.
- A series of Standard documents designed to assist organisations with handling various data subject requests:
- Data subject erasure request form (GDPR and DPA 2018) (UK)
- Controller’s response to erasure request (GDPR and DPA 2018) (UK)
- Response procedures for data subject requests (GDPR and DPA 2018) (UK)
- Data subject rectification request form (GDPR and DPA 2018) (UK)
- Controller’s response to rectification request (GDPR and DPA 2018) (UK)
- Data subject request tracking form (GDPR and DPA 2018) (UK)
- Data subject processing restriction request form (GDPR and DPA 2018) (UK)
- Controller’s response to data processing restriction request (GDPR and DPA 2018) (UK)