Data Protection Consultations: Make Some Noise

April 12, 2017


DCMS Consultation

The Department for Culture, Media & Sport has issued a consultation
on the GDPR. Views are sought on the derogations within the GDPR where the
UK can exercise discretion over how certain provisions will apply. The closing
date for responses is 10 May. This approach is complemented by discussions
the Department is already having ‘with a range stakeholders’; as ever, ‘stakeholders’
is not defined.

The call for views is split into themes:

  • supervisory authority
  • demonstrating compliance
  • Data Protection Officers
  • archiving and research
  • third country transfers
  • sensitive personal data and exceptions
  • criminal convictions
  • rights and remedies
  • processing of children’s personal data by online
  • freedom of expression in the media
  • processing of data
  • rules surrounding churches and religious associations.

A clue to the approach the DCMS is likely to favour may be
found in its additional question on cost impact: ‘In the context of the
derogations above, what steps should the Government take to minimise the cost
or burden to business of the GDPR?’

DPIAs Consultation

The Article 29 Working
Party has called for comments on the data protection impact assessment
guidelines it has published. Comments must be sent by 23 May 2017.

The draft guidelines, ‘Guidelines
on Data Protection Impact Assessment (DPIA) and determining whether processing
is “likely to result in a high risk” for the purposes of Regulation 2016/679’, are available via
as a downloadable pdf.

The guidelines aim to
anticipate the guidance that is likely to be issued by the European Data
Protection Board (EDPB – the upgraded Article 29 Working Party) once the GDPR
is in force. The introduction states the aim: ‘Keeping in line with the
risk-based approached embodied by the GDPR, carrying out a DPIA is not
mandatory for every processing operation. A DPIA is only required when the
processing is “likely to result in a high risk to the rights and freedoms of
natural persons” (Article 35(1)). In order to ensure a consistent
interpretation of the circumstances in which a DPIA is mandatory (Article
35(3)), the present guidelines firstly aim to clarify this notion and provide
criteria for the lists to be adopted by DPAs under Article 35(4).’

Laurence Eastham writes:

I was flattered to see that my
call for further guidance and clarification
has been answered so promptly
by the DCMS and the Article 29 Working Party. I can only hope that SCL members
take as much notice when I point out that the opportunity to be heard will only
be of use if you actually take it. The DCMS will undoubtedly listen to ‘stakeholders’
but every DP professional has a stake in having clear rules and ensuring that any rules arising in the
areas of derogations will not undermine the basic principles of the GDPR.
Make some noise.