The Age Appropriate Design Code comes into force in September 2021
Collecting data and testing for COVID-19 now requires a Data Privacy Impact Assessment.
Need an external DPO? We offer fully outsourced Data Protection Officers and support teams. Privacy Partnership data privacy experts and external Data Protection Officers have advised some of the world's largest companies on making privacy compliance changes that benefit their organisations. Based in London, Dublin and the Netherlands our Data Protection Officers are CIPP/E or BCS qualified Privacy Professionals with a proven track record in successfully supporting organisations worldwide.
At Privacy Partnership we know that implementing data privacy legislation can sometimes be overwhelming. We have been delivering successful and award-winning privacy transformation projects since 2000. Whether you need a gap analysis, a detailed review, Data Privacy Impact Assessments or privacy experts who can help, we can support you.
Our Data Privacy Consultants have decades of experience in collaborating with digital ethics experts and UX designers to build privacy by design into your products and services. We can provide end-to-end design solutions to bring your compliance solutions to life. Our Privacy Enhancing Technology Designs solution, P.E.T Lab, delivers these solutions using internationally acclaimed multi-disciplinary teams.
Our ground-breaking Smart Privacy technology simplifies complying with the new GDPR record-keeping requirements for Article 30 records of processing, Data Privacy Impact Assessments (DPIAs), subject rights requests and privacy notices. The Smart Privacy user experience is what makes us a top-rated market leader. Make us the first stop for technology to support your Privacy Office.
The European Commission has issued an opinion recognising the existing UK GDPR and Data Protection Act regime as providing adequate safeguards for the transfer of EU citizens' data to the UK. The finding should translate into a formal adequacy decision. When this decision is formalised, Standard Contractual Clauses for data transfers will no longer be needed for UK organisations in receipt of personal data from the EEA.
For transfers of European personal data to countries without an adequacy finding, the European Data Protection Board and European Data Protection Supervisor still recommend the use of Standard Contractual Clauses. They have recently adopted joint Opinions on the draft Standard Contractual Clauses published by the European Commission in November 2020. The draft SCCs comprise a set of proposed Clauses for Article 28 data processing agreements between controllers and processors and a set of Article 46 Clauses for facilitating transfers of personal data outside the EEA. Similar SCCs are likely to be adopted in the United Kingdom.
On 22 January, Simon McDougall, ICO Deputy Commissioner (Regulatory Innovation and Technology), announced that the ICO’s investigation into real time bidding in the Adtech sector, which had been paused in May 2020 as the ICO prioritised responding to the pandemic, has now resumed.
To summarise, real-time bidding is where online advertising space is sold through auctions which occur whilst a webpage is loading. This involves passing information about the page and about the user to potential advertisers via an ad exchange so they can bid competitively for the opportunity to place their advert on the page the user sees. This is controversial because it generally happens without the user consenting to it or being fully aware that it is happening.
According to Simon McDougall:
“The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now. Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.”
The ICO will move forward with a series of audits focusing on digital market platforms and will be serving assessment notices in the coming months. The ICO recommends that organisations likely to be affected take steps to assess how they use personal data as a matter of urgency.
On 8 January, the ICO published its draft Direct Marketing Code of Practice.
The Code is meant to provide guidance rather than create additional legal requirements, although the extent to which organisations take it into account may be used when assessing them for compliance with privacy laws and rules including UK GDPR. To some extent the Code reaffirms the approach taken in the existing Guidance on Direct Marketing.
The Code takes a broad approach and addresses compliance with UK GDPR in a marketing context. It also focuses on online advertising, social media, subscription television, facial recognition, in-game advertising, mobile apps, location-based advertising and connected devices. Key takeaways include:
- It applies to all processing of personal data for ‘direct marketing purposes’, which is defined broadly and encompasses not just the marketing communications but all associated processing activities, such as building up a profile of an individual for the purposes of targeted advertising.
- Consent or legitimate interests are likely to be the most appropriate lawful grounds for processing personal data for direct marketing purposes. If PECR requires consent, then consent will also be the appropriate lawful basis under UK GDPR. If consent is withdrawn, controllers should not seek to rely on legitimate interests instead. Consent may remain valid even if an inducement is offered.
- Whilst direct marketing often involves profiling, the stricter UK GDPR rules applicable to solely automated processing under Article 22 are unlikely to apply to most direct marketing because it is unlikely to have a legal or similarly significant effect. This may be different for vulnerable individuals or when targeting individuals in financial difficulty with certain products or services, such as high-interest loans.
- Viral marketing, where the controller asks individuals to share marketing communications they have received with friends, is likely to breach the consent requirement under PECR.
- The Code’s definition of ‘electronic mail’ for the purpose of PECR includes in-app messages and direct messages on social media but excludes targeted advertising on social media.
- The Code explains that due diligence is necessary when buying or using new technologies for marketing purposes.
- There is guidance on topics relevant to social media, such as the use of ‘audiences’, and how the issues of lawfulness, fairness and transparency can be addressed within this context. It notes that in the context of ‘lookalike’ targeting the advertiser is likely to be a joint controller together with the social media platform in relation to that activity.
- The distinction between a ‘service message’ and a direct marketing communication is set out, and the Code reaffirms that the PECR rules regarding electronic mail do not apply to messages sent to corporate subscribers.
- DPIAs are specifically recommended in certain circumstances, such as invisible processing, list brokering, data matching, third-party, geolocation or behavioural tracking, and processing involving the targeting of children or vulnerable individuals.
- Organisations buying marketing lists must conduct appropriate due diligence.
- Purchasing additional contact details for existing customers is likely to be considered unfair.
- Personal data in a suppression list would be unlikely to need to be erased on request, since it is processed for compliance with a legal obligation and is therefore an exception to the right to erasure.
The Code will remain open for public consultation until 4 March.