Data Protection Consultations: Make Some Noise

Two consultations have been published that offer great opportunities for those involved in data protection issues to help shape policy


DCMS Consultation

The Department for Culture, Media & Sport has issued a consultation on the GDPR. Views are sought on the derogations within the GDPR where the UK can exercise discretion over how certain provisions will apply. The closing date for responses is 10 May. This approach is complemented by discussions the Department is already having ‘with a range stakeholders’; as ever, ‘stakeholders’ is not defined.

The call for views is split into themes:

  • ·        supervisory authority
  • ·        sanctions
  • ·        demonstrating compliance
  • ·        Data Protection Officers
  • ·        archiving and research
  • ·        third country transfers
  • ·        sensitive personal data and exceptions
  • ·        criminal convictions
  • ·        rights and remedies
  • ·        processing of children’s personal data by online services
  • ·        freedom of expression in the media
  • ·        processing of data
  • ·        restrictions
  • ·        rules surrounding churches and religious associations.

A clue to the approach the DCMS is likely to favour may be found in its additional question on cost impact: ‘In the context of the derogations above, what steps should the Government take to minimise the cost or burden to business of the GDPR?’

DPIAs Consultation

The Article 29 Working Party has called for comments on the data protection impact assessment guidelines it has published. Comments must be sent by 23 May 2017.

The draft guidelines, ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679’, are available via as a downloadable pdf.

The guidelines aim to anticipate the guidance that is likely to be issued by the European Data Protection Board (EDPB – the upgraded Article 29 Working Party) once the GDPR is in force. The introduction states the aim: ‘Keeping in line with the risk-based approached embodied by the GDPR, carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). In order to ensure a consistent interpretation of the circumstances in which a DPIA is mandatory (Article 35(3)), the present guidelines firstly aim to clarify this notion and provide criteria for the lists to be adopted by DPAs under Article 35(4).’

Laurence Eastham writes:

I was flattered to see that my call for further guidance and clarification has been answered so promptly by the DCMS and the Article 29 Working Party. I can only hope that SCL members take as much notice when I point out that the opportunity to be heard will only be of use if you actually take it. The DCMS will undoubtedly listen to ‘stakeholders’ but every DP professional has a stake in having clear rules and ensuring that any rules arising in the areas of derogations will not undermine the basic principles of the GDPR. Make some noise.

Published: 2017-04-13T08:40:00


      This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

      Please wait...