Article 29 Working Party
ARTICLE 29 WORKING PARTY – What is it? And why is it important?
David Parish – Information Security Consultant
The GDPR has been implemented across Europe as the new data protection legislation since April 27th 2016. By the nature and structure of the regulation it became a European law on that date.
The EU recognised that an introduction period for compliance activity would be needed before any enforcement, and to this end gave a period of 2 years, making the GDPR enforceable from 25th May 2018.
To enable efficient harmonisation across the EU, the legislation introduced the Article 29 data protection working party, with representation from each EU country and specialist data protection professionals (the ICO is the UK representative), tasked with providing and agreeing the actual interpretation of the legislation. This body is now producing additional guidance on key aspects of how to implement the regulation and how it will be consistently interpreted across the EU (Brexit makes no difference) to ensure compliance.
Over the next weeks and months here at the GDPR Academy, we will keep you up to date on the key impact factors that the Article 29 party discusses as it delivers such guidance. It is clear that this is a moving feast and that the guidance will continue after the compliance date. First, some additional guidance on consent, mainly marketing and emails.
The guidance and information in these updates will seek to assist you in your implementation plans.
CONSENT – What consent means and how it is interpreted is a big challenge. In November 2017, and published in early December, the Article 29 party provided 30 pages of guidance. In this area it was quite prescriptive, and it will need more than one guidance note from the Academy.
If you are currently reliant on consent as your lawful basis for processing, you do not automatically have to re-confirm your consent. What you must do is check that the methods by which you originally obtained consent are compatible with the new regulations.
If you applied robust granular consent in the first place, consent can continue. You need to check your processes: if, having reviewed your consent procedures, you feel they are not sufficient, you will then have to re-confirm consent. This will potentially open up into your privacy policy/statement, so whilst you may be seeking to resolve one issue, you will find that a good understanding of GDPR is required to identify those cross-cutting issues. You may wish to refresh your understanding, and always ask at every step:
THE FIVE WHs
WHAT
WHY
WHEN
WHERE
WHO
And HOW?
Consent is one of the areas that potentially could cause embarrassment or referrals to regulators, with individuals understandably challenging consent more robustly.
It is therefore a good idea to really look at the lawful basis and six key principles of lawful processing. Ask: should I, could I, be utilising one of the other bases for lawful processing?
by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR implementation Specialist MSC Security and Risk Management