The clock is ticking. We are getting more guidance by the month, but there is still room for lots more clarity. Laurence Eastham is looking to SCL members to add real insight.
As the Article 29 Working Party formally adopts the guidelines on data portability, lead supervisory authorities and Data Protection Officers which were published in December (with some clarifications, neatly summarised here and here) and the ICO has gained my grudging respect (‘grudging’ because of them ignoring my request to interview the once-new Commissioner) with its guidance, the implementation date for the GDPR no longer looks like a distant prospect. This week the ICO has moved forward again with its request for ‘feedback’ on its latest discussion paper on profiling and automated decision-making. Indeed, that is one of a series of truly valuable discussion papers, introduced by Jo Pedder, Interim Head of Policy and Engagement at the ICO (though I am not sure if they are ‘owned’ by her) which are required reading. If you are interested in DP but are not reading Jo Pedder’s blog posts, you are missing out.
But not everything in the garden is rosy. The ICO, whatever its faults, puts the Article 29 Working Party to shame when it comes to clarity in communication - it is often hard to work out what they have done at each meeting. We are now but a year away from GDPR implementation and yet there is no GDPR implementation legislation available in draft. The internal contradictions which will apply post-Brexit (indeed, with or without Brexit) in light of the UK’s intrusive policies on investigatory powers are being swept under the carpet by the government spokespersons who claim that GDPR will be implemented and that we will not have Safe Harbour/Privacy Shield style problems. And, trumping all of those factors, is the unavoidable fact that implementing GDPR is very complicated; I say ‘very’ only because the appropriate reinforcing adverb is obscene.
And yet, the SCL website and the pages of the magazine have been unusually quiet of late on GDPR. That is partly because I have been besieged with articles saying, in effect, ‘businesses better get ready’, which is a message that I assume our readers do not need to hear. But I have been offered little new analysis since our splurge on the subject when the GDPR was finally agreed.
My invitation to SCL readers is to add to the official guidance with clear detailed critiques – rip the official guidance to shreds if you feel that is necessary - and I am also seeking amplifying guidance for DP professionals and legal advisers with a real DP interest. Use our pages and website for debate on the outstanding issues too.
And get a move on. The clock is ticking.