Work at the European Level
- Identifying an organisation’s main establishment and lead supervisory national data protection authority – this is important for the one stop shop principle under the GDPR. The one stop shop principle means that an organisation will deal primarily with one national data protection authority, in connection with consumer complaints and enforcement if they have pan – European processing operations
- Data protability – this is a new right for individuals under the Regulation, which will make it easier for them to switch utility providers or social media service providers. The individual will be able to ask the old service provider to transfer their information to the new service provider in a common machine readable format in certain circumstances
- Data Protection Officers – this is a new requirement for organisations to appoint a Data Protection Officer if they carry out “regular and systematic monitoring of individuals on a large scale”. Hopefully the guidance will provide an explanation of what this means under the GDPR
- Risky processing and Data Protection Impact Assessents – under the GDPR if an organisation is planning to carry out processing activities on an individual’s information which is likely to result in a high risk to their rights under the GDPR then before starting the processing it must carry out an impact assessment of the proposed processing on their rights. The guidance should provide clarity on when such an impact assessment is required
- Certification – the GDPR contains new rules on how self-regulatory organisations can get their codes of practice approved at a European level as well as more general certification schemes and seals and marks. This is something which the UK DMA and FEDMA are interested in. FEDMA is the only European trade association to have a pan European Code of Practice approved by the Article 29 Working Party under the current European Data Protection Directive.
Areas for future guidance at UK and European level
- Risk and significant legal effect – this relates to when the new rules on profiling will apply
- Children’s privacy – children are given additional rights and protection under the GDPR and there is also some flexibility for Member States to determine at what age a child can give consent to processing of personal information about them in certain circumstances without the organisation getting verifiable consent from their parent/guardian
- Documentation / records of processing activity – under the GDPR organisations will have new obligations regarding record keeping particularly in respect of information which they currently send to national data protection authorities as part of the registration/ notification procedure. The registration/notification procedure is being abolished under the GDPR
- Data controllers/ Data processors – although there is no change to the definitions of organisations (data controllers) and outsourced service providers (data processors), national data protection authorities will be able to take enforcement action directly against outsourced serviced providers under the GDPR
- International transfers – the rules on transferring personal information to countries outside Europe are changing.
You can find more information at the Information Commissioner’s Office website. The DMA will continue to update members on GDPR developments through its dedicated GDPR microsite. Members who require legal advice on GDPR implementation can contact the DMA legal advice team.
popcorn is a smart, easy-to-use and efficient platform that not only helps you compose beautiful emails and newsletters but also helps you manage your sales funnels and leads. If you would like to test popcorn and see if it could help improve your email marketing game, you can sign-up for the free trial here.