On 15 November, McGuireWoods London hosted its 6th Annual European Data Privacy and Security Conference.
Below are some of the key takeaways from discussion and presentations at this year’s event.
- The General Data Protection Regulation (GDPR)
It was developed as a “one size fits all” approach, yet the reality may be very different. Although the GDPR is not sector-specific, it may apply differently to different segments of the same business. It was noted that post-Brexit the GDPR will be adopted into domestic UK law. - Transferring data
Transferring data outside the EU is generally prohibited, unless adequate safeguards are in place. Furthermore, other jurisdictions may have vastly different approaches to data privacy. For example, in the U.S., the emphasis is on “opting-out” of data processing; whereas the EU focuses on adequacy and appropriate data transfer mechanisms, before considering any derogations, such as consent. - Data subject access requests (SARs)
SARs are a current right under the Data Protection Act that will continue under the GDPR. Do not ignore them, look carefully at the information requested and be careful not to disclose any third-party data without consent. Failure to comply is subject to the higher range of fines under the GDPR, and data controllers will have only 30 days to comply with SARs, unless they are particularly onerous or complex. - e-Privacy Regulation (ePR) and consent
The new e-Privacy Regulation will come into force at the same time as the GDPR on 25 May 2018 and extends the existing laws on e-privacy, cookies and direct marketing. Consent must be evidenced, recorded and refreshed on a regular basis. Direct marketing disguised as a “service message” is not acceptable. Companies have been fined for using customers’ personal data to clarify the scope of their consent to receive marketing, as that clarification was marketing in itself.
The “soft opt-in” option available under the current e-Privacy Directive will remain under the ePR but this option does not extend to charities. If a charitable organisation has a trading arm, that does not allow it to take advantage of the “soft opt-in” for its charitable arm. - Cybersecurity and data protection
All businesses are at risk of cyberattacks and as such should be prepared. The three principle weaknesses in any business are hardware, software and humans. It’s critical to have an incident response plan in place and ensure that everyone in the business is invested in it, including senior management, IT, security, legal, and risk and compliance personnel.
Any breach of the GDPR must be reported to the supervisory authority without delay and within 72 hours. A personal data breach must be reported to the appropriate local regulatory authority, and in certain cases, affected data subjects must be notified as well.
For those who haven’t started to implement a GDPR/e-privacy compliance plan, it’s not too late — but it’s critical to start now. Any questions or concerns may be directed via email to [email protected].