2018 was a big year for data protection, with a whirlwind of legal, regulatory and industry changes being introduced. This update provides a brief reflection on the past year and a look ahead at what is coming next in 2019.
Data Protection 2018
On the 25th May 2018 the much-anticipated Data Protection Act 2018 (DPA) came into force and enshrined the principles of the General Data Protection Regulation (GDPR) into law. Many businesses (despite best efforts) were unprepared for the amount of work that the accountability principle brought to their organisations. The biggest challenge, consistent across industries and sectors, is knowing where personal data is held and recording that in a Record of Processing Activity (ROPA) that is meaningful, useful, and maintained. Nonetheless, businesses are getting there, and DPAS has seen an increase in the quality of ROPAs and in the understanding of how these documents can be used to create efficiencies for organisations in a data-centric world.
As 29th March 2019 draws ever closer, there is an increasing likelihood that the UK will leave with 'no deal' or without being deemed an 'adequate country' in terms of sharing personal data across borders, per Article 45 of GDPR. This will mean the UK is a 'third country' to those who are processing data in the EU and businesses will need to reassess their processing (perhaps by using their ROPAs) to ensure they are DPA and GDPR compliant.
Nigel Gooding has written a series of articles expanding on this topic which provide more information, but in short, there are 2 main actions under GDPR that UK/EU organisations will have to undertake to ensure they can continue to trade.
These are: 1) Businesses should be putting in place additional safeguards (per Article 46) such as Binding Corporate Rules, new contracts, new consent regimes or the development of an industry-wide scheme or certification. All of these methods prove time-consuming. 2) In addition, UK companies will have to appoint a representative within the EU to act on their behalf under Article 27 of GDPR. Therefore your organisation should be identifying the potential risk of the UK leaving the EU and taking action now. DPAS are able to advise businesses if you have specific concerns.
PECR & ePrivacy Regulation
DPA/GDPR shook up the marketing industry due to its need to work in conjunction with PECR. Most businesses (unless able to rely on convoluted exemptions such as a 'soft opt-in') undertook a consent exercise to market to their customers electronically. Whilst this has resulted in a significant cut in the amount of marketing that is sent, it has also arguably meant that those receiving the material are more likely to be interested and thus actively engaging. 2019 introduces further changes, with PECR being replaced by the still-to-be-agreed Electronic Privacy Regulation (ePR). DPAS will update you on this when there is more clarity on how ePR will affect your business, but the main takeaways for now are that ePR is likely to be broader in scope than PECR and will have the same penalties applicable as GDPR does.
What's new at DPAS!
With the new year, there are not just big commercial and legal changes on the horizon. DPAS are excited to be expanding our business out of London and the West Country, with new contracts starting in the North and in the Midlands.
Revised ROPA and ISO27001 Security Assurance Trackers
Over the Christmas period we have developed new ROPA tools, which include increasingly relevant information and ISO27001 security elements with improved accuracy and reporting functions.
New DPAS Website
We have been working hard on our new website which aims to bring you more relevant content and updates about what's happening in the Data Protection world. You can also book onto our new training courses via the new website.
Our training courses are all now CPD accredited and we are running the following courses at our offices in Exeter during Feb, March and April:
Data Breach Course (1 day)
Data Protection Impact Assessment Course (1 day)
DPO Course (3 days)
Foundation Course (1 day)
Data Protection and Cyber Security e-Learning (1 hour)
Click here for course dates or contact Mel.
Wishing you all a Happy New Year and a successful 2019!
From all the team at DPAS.