As year two dawns, here are some items to put on your to-do list:
1. If your compliance programme isn’t working, fix it
Inevitably, in the rush to prepare for GDPR, too often we saw compliance programmes put in place quickly and with little opportunity to benchmark against what other companies were doing. A year in is a good time to take stock, reflect on what works and what can be improved. For some companies, this actually means doing less, but doing it better, focused on the real risks. For others, it may mean a shift in governance to ensure that processes are embedded throughout the business rather than left in a compliance function. For still others, it means turning a pile of policy documents into something more tangible and operational. Compliance programmes should naturally be organic and evolve over time, so there is little point in enduring another year with something that simply isn’t working.
2. Get ready for the children’s code
The ICO is currently finalising its children’s code of practice, but the draft is out and will come as a surprise to quite a few companies, particularly those that thought they had carefully scoped their offerings to ringfence those under 13, but then discover that they have a lot to do now even if 17-year-olds only occasionally interact with their services. We recommend familiarising yourself with the code now.
3. Sort out when you need consent and when you don’t and review those release forms
There has been a recent £120,000 fine against a TV production company (albeit under the old data protection regime rather than GDPR given the timing of the breach). The incident concerned covert filming at a maternity clinic for a TV documentary on stillbirths. The hospital had given consent to the filming and there were some attempts to provide notices about the filming to patients in the clinic. The ICO held, however, that patients would not have expected to have been filmed, the footage would have contained sensitive medical information and the company should have got “permission from those affected by the filming in advance”.
Many production companies have found it hard to navigate when consent is required, what form it should take and how the exemptions for journalistic and artistic content intended for publication in the public interest should play into this. We have seen many different (often surprising) approaches, including consent being relied on where it wasn’t practicable (i.e., because it wasn’t actually freely given or couldn’t be withdrawn), or the exemptions being applied blanket style (i.e., up front in contracts as covering all sensitive data, when in fact they can only ever be applied on a case-by-case basis). The ICO decision above perhaps raises more questions than it answers, since it talks about ‘permission’ rather than the regulatory term ‘consent’ and doesn’t set out any practical guidance; all the more reason, then, to keep an eye on the ICO’s current consultation around the journalistic exemption, which PACT is also consulting on. In the meantime, the ICO will expect this to serve as a warning to production companies, faced with the threat of a public fine, so it is worth checking your current processes.
4. Keep your eye fixed on e-privacy developments – a final draft should appear
It’s been so long since you heard about the ePrivacy Regulation that you may have thought it had been canned. This isn’t the case, and these proposals (which contain key provisions around direct marketing, cookies and metadata) should be on track for a final text this year. In the meantime, while confusion on cookies does seem to reign among many companies, others have spent the last year implementing cookie consent technologies now that more are on the market, and there has been a definite move in the UK away from the ‘by continuing to browse this site you consent’ model of old. Rather than waiting until the new proposals are finalised, regulators will begin to take action under the existing rules combined with GDPR, so it is a good idea to revisit your approach now.
5. Keep up staff training on security and record it
Like most companies, you probably did some GDPR training before it came into force last year. It is important that this is done regularly, so you should start thinking about how you will refresh it. In the unfortunate event that you have to report a security breach to the ICO, the standard template form specifically requires you to state whether the staff involved had data protection training in the previous two years (and they won’t look kindly upon you if you can’t tick that box!), so you don’t want to leave this too long.
Client Alert 2019-126