Information Security and Data Protection Newsletter - March 2017

Published 9 March 2017

GDPR Update

It's been full steam ahead in the first quarter of 2017 for the GDPR implementation process. Not only did the Article 29 Working Party adopt guidelines in February on three key areas (the right to data portability, data protection officers, and identifying a controller or processor's lead supervisory authority), but we can also shortly expect further guidance from them on topics including profiling, transparency and data transfers. More locally, the ICO have recently released guidance on consent under the GDPR – which can be accessed here. The regulator has also launched a new webpage covering GDPR developments. The webpage presently confirms ICO plans to publish guidance concerning contracts and liability under the new regime.

For more details, please see our GDPR round-up.

New draft E-privacy regulation

Hot on the heels of the GDPR, a new draft EU e-privacy regulation has been revealed by the European Commission. The regulation, once finalised, will update the Privacy and Electronic Communications Regulations, which impose rules on electronic communications including nuisance marketing and cookie consent. The regulation is scheduled to apply from 25 May 2018, the same date as the GDPR, but in contrast to the GDPR, the regulation is far from finalised.

To read more, please click here - Draft new E-Privacy Regulation revealed.

NIS Directive to be implemented in UK despite Brexit

Speaking of EU legislation which is intended to be slipped into UK law before we Brexit, on 21 December 2016 the UK government confirmed in its cyber security regulation and incentives review report that, despite Brexit, the NIS Directive will be implemented. It also indicated that it was considering whether further regulation would be necessary for critical sectors.

The report can be accessed here.

Guidance from the EU

The European Commission have adopted a communication on building the European data economy and have separately published a communication on exchanging and protecting personal data in a globalised world. For further detail, click into our articles below:

Organisations with an interest in keeping up to date with the position on international data transfers should be sure to also view our International personal data transfers round-up, which covers updates about the Privacy Shield as well as the challenge to the validity of standard contractual clauses by privacy rights organisation, Digital Rights Ireland.

The ECJ have queried the scope of legitimate interests under the Data Protection Directive. The concept, generally a grey area, was considered by the Advocate General recently pursuant to a 2012 case concerning a Latvian road accident. For further details, please see our article - Guidance on legitimate interests.

News at the ICO

Turning to the UK regulator, in our last newsletter we reported that the ICO were driving towards a more proactive ICO, including a more pre-emptive DPA enforcement regime. In progression of these plans, in December the ICO took charge of the Telephone preference system ("TPS") in a bid to more effectively tackle nuisance marketing.

Please click here to read more - ICO takes charge of TPS in bid to tackle nuisance marketing

Outstretching its guidance arm following the increase in cyber attacks on UK businesses, which were in turn forced to shut down after being held hostage by ransomware, the ICO published a blog with helpful advice for businesses on avoiding such attacks. That blog can be read here.

And in a show of intent to retain and develop its international focus, the ICO announced a new deputy commissioner. The new deputy, Rob Luke, has considerable international leadership experience having previously occupied policy positions at the Foreign & Commonwealth Office in London and between 2012 and 2016 serving as the British High Commissioner in Malta; skills which Denham commented would be drawn upon by the ICO to deliver its aims. To view the ICO press release, please click here.

Elsewhere in the UK…

The ICO have not been the only UK regulator busily producing data protection guidance: the Charity Commission and Fundraising Regulator joined forces to produce a data protection alert on the back of two high-profile enforcement actions taken in December against charities.

For further details, please click here - Data protection alert issued to charities

For general points to note deriving from the ICO's most recent enforcement actions, please click here to be taken to our ICO enforcement round-up.

And employers in particular may be able to take comfort from a useful judgment which confirmed that a data controller's obligation to carry out searches in respect of a SAR was limited to what was reasonable and proportionate.

Subject access request case considers proportionality of searches and legal professional privilege

Updates from across the world

To read our updates from across the world, please click here.


Charlotte Burnett


+44 (0)113 251 4785

Rodrigo Fernández Guerra Fletes

Mexico City

+52(55) 11076056

Rowena McCormack


+353 (0)1 231 9628