Maintaining momentum for the UK’s data protection law despite Brexit
In Privacy Laws & Business's 30th Anniversary year, I am underlining the importance of the second part of our company name. From 1987, we have spent a great deal of time on analysing privacy laws in every country where we can find them. But it is the impact on business that is our focus.
This emphasis helps explain why at the centre of the May edition of PL&B United Kingdom Report is an article on an exchange of peer group experience at our Help! Roundtable: Reviewing Progress hosted by Google in London in March. The enterprise level is where the rights-based data protection principles are either achieved by design or defeated by neglect.
What emerged was the need for cooperation between different parts of a team, one person to interpret the law in a way which makes sense for your specific organisation, and another person to be the project manager to make things happen. These roles can be combined but it is normal for a person to excel either at the legal end or the project manager end of the spectrum. Project managers play a vital role, such as ensuring that audits and training happen on time. Data Protection Authorities will seek evidence of these actions if (or when) you suffer a data breach or hard hitting complaints which you do not resolve yourself.
The PL&B Recruitment Service is being used by an increasing number of companies to find specialist managers and lawyers. Finding the right person depends on a clear understanding of the role you want the person to fill.
At our Retailing and the GDPR Conference, held in co-operation with DWF in London this month, the participants found stimulating and useful the parallel roundtable discussions on consent and profiling.
The consent session group agreed that companies should avoid over-reliance on consent and build the case for making legitimate interests their legal basis for processing personal data. Under the GDPR, organisations need to figure out the legal basis in each case, document it and have this evidence available for the Data Protection Authority in case of an audit. Documentation is also needed to satisfy the GDPR's accountability requirements. The UK ICO's recent fining of FlyBe and Honda Motors in March has caused some confusion as it is not clear how organisations can send service messages fearing that they will be interpreted as marketing messages.
The profiling session group discussed that if a piece of data, even if it appears to be completely anonymous, allows you to treat an individual differently from others, then that piece of data is personally identifiable information. Evidence suggests that the marketing spend on micro-targeting (which involves using social listening - scraping information from social media - to profile and target marketing to specific individuals) is increasing significantly. This marketing technique for commercial and political purposes is an area which the ICO is currently addressing both in political and marketing contexts.
Guided by a moral compass
Matthew Gaunt, Marketing Director, Wickes (the UK-based large home improvements retailer), was exceptionally positive about the GDPR when speaking at our retailing conference. He said that the GDPR gives precise rules to help him manage appropriate marketing for his company's different market segments. He is constantly being invited to spend his advertising budget on increasingly intrusive social media companies, sometimes partnering with popular apps. He said that in these situations, it is his duty to protect the company's reputation by being consciously aware of working along a path guided by a moral compass and declining certain offers where the links between the marketing partners was opaque to the customers.
PL&B's 30th Anniversary International Conference
See the programme for Promoting Privacy with Innovation, PL&B's 30th Anniversary International Conference 3-5 July at St. John's College, Cambridge which has been updated this week. Sessions will show how the apparent car crash between innovation and privacy does not need to be a disaster. This conference seeks willingness on both sides to connect with each other in a civilised manner and to find solutions. At one end of the spectrum, innovation can be the enemy of privacy and at the other end, innovation can be an enabler. This conference will address how to ensure that the golden age of innovation does not become the dark age of information privacy.
In Cambridge, we will welcome as speakers heads of the national Data Protection Authorities of the United Kingdom, Spain and Ireland, senior staff from DPAs in Germany and Hong Kong, the European Data Protection Supervisor, the European Commission, and many companies and their legal advisors, a total of almost 50 speakers and chair persons from 15 countries. You will also meet many of the PL&B team. We all look forward to meeting you in Cambridge seven weeks from now.
We look forwards to providing you with the information you need to understand and manage the ever growing privacy law areas.
Stewart Dresner, Publisher
UK Report 91
UK marketers call for more guidance on GDPR compliance
ICO consent guidance consultation stirs emotions and receives 300 responses. Final version is promised by June. By Laura Linkomies.
Contents also include:
- Comment: Brexit hampers SME firms’ GDPR preparations
- Brexit will not stop data protection – but prepare for changes
- Recent SAR decisions offer employers further guidance
- Adequacy finding best solution to ensure post-Brexit data flows
- Challenges to the EU-US Privacy Shield and the Model Contract Clauses
- Data protection – or protectionism by the back door?
- UK data protection in turmoil as Brexit looms
- What is fairness in an algorithmic world?
- Reviewing progress with GDPR: Peer group discussion
- Digital Economy Act passed
- Government ponders views on GDPR derogations
- DMA: Consumers benefit from profiling
- Flybe and Honda Motors fined for not respecting marketing opt-outs
- Company fined £400,000 for nuisance calls
- Group to produce guidance on legitimate interests