One long year

I am documenting my CPDs and reviewing the contents of my LinkedIn blog and came across this, “The GDPR will become British law”, published last year, where I predicted that the GDPR would be grandfathered into British Law via the proposed “Great Repeal Bill”.

What a difference a year and a general election makes.

I did not predict that, since the GDPR has member state derogations, the Government would bring a Data Protection Bill to Parliament. The fact they’ve lost their majority and are now frightened of losing votes in Parliament is another motivation for sticking a big complex bill into the timetable; it burns time and one would hope that it can be uncontroversial so there’s no chance of losing a vote, and even if they do, who cares, apart from people like me.

This could of course be a complete waste of time as it’s the courts which will decide what the law means and if we should leave then the issues raised here … will apply. …

The Data Flow implications of Brexit


Project Fear or Project Reality about Brexit continues and while risks to banking, air travel, radio-therapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows particularly of personal data, which underpins both secondary & tertiary sector industries.  This article looks at the threat to trade involving data flows posed by Brexit and looks at the likely shape of US/EU data flow and privacy regulation. …

On the GDPR

The week before last, I attended the BCS legal day and have finally published my notes on this blog. The priority was the coming General Data Protection Regulation. I prefer to write in a style recognising those who have informed me or changed my mind but the notes have been anonymised as I believe that the day was held under Chatham House rules. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement. …

Pragmatism

Are the ICO waking up? This seems a bit rough, … as it fines Flybe and Honda. There are two stories here: two large firms wanted to confirm that they had consents and so wrote to their list to ask if the consents remain in place …. They have been fined; the ICO considered this to be an un-consented bulk email. I wonder if it’s possible to perform this check legally. …

Restrictions

Just looking at my notes from the BCS Legal Day and while some are still hanging on for Brexit saving them from the GDPR, which it won’t, it becomes necessary to understand the wiggle room left by the GDPR.

Firstly, there are the competency limitations of the Union itself: it cannot legislate for national & public security nor for the criminal justice system. These exclusions are stated in Article 23 Restrictions and also include (or exclude if that’s how you see it), the management of professions and the pursuit of civil justice. The Restrictions clause does however require the member state to act proportionately and respect the Charter of Fundamental Rights. In addition, there is room for national, member state, variances on the protection of employee data and the definition of public sector, impacting the need for a DPO. …

Fines, Enforcement and good faith


We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR), which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due to inadequate technical protection. …

An overview of issues with the GDPR


At the BCS legal day, a presentation was made entitled “Key Issues” which they started with a quote from Jan Albrecht MEP (the Rapporteur),

“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.”

Jan Albrecht MEP

It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances.  …

BCS Legal Day


I attended the BCS ISSG Legal day where the priority was the coming General Data Protection Regulation. I believe that the day was held under Chatham House rules, which means that comments cannot be attributed. I prefer to work on more open terms; it allows me to attribute credit to those who have informed me or changed my mind but the notes have been anonymised. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement.  The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement.  I have written these notes over the last week, and backdated them to the day of occurrence. These are a bit less polemic than my recent articles here, but for various reasons I have been reminded that that’s how they once were; I hope these articles are useful to my more technical readers. Some of the discussions and issues may interest those that follow me for politics. …