We are certainly living through interesting times with both Data Protection and ePrivacy guidelines in a state of flux. The later now a proposed Regulation and progressing through the EU Commission as I type. It was the intention that the new PECR Regulation will be introduced at the same time at the GDPR, but we shall wait and see.

Just as we all thought we were getting to grips with the GDPR the UK government throws us a curve-ball in the shape of the Data Protection Bill. Whilst we are still in the EU the GDPR will be in full force, the proposed Bill pre-empts our Brexit from the EU, and is merging the GDPR and the Law Enforcement Directive in to UK legislation. It is anticipated that this will be in full force in 2018. You can no longer therefore just read the GDPR in isolation – the additional restrictions and exemptions within the DP Bill must be considered.

There are some serious implications for our industry, for example trying to re-engineer anonymous or pseudonymous data to identify an individual will be a criminal offence

The confusion and lack of official guidance on legitimate interests rumbles on, but was helped recently by an excellent joint project by the DMA and the Data Protection Network (add link).

Too many commentators continue to confuse legitimate interests and consents and we must be clear, are we talking processing of PII (GDPR) or electronic marketing (PECR). See the ICO myth-busting blog.

Also this week the ICO issued a consultation and useful guidance on what should be included within Controller – Processor contracts or Data Sharing Agreements – well worth a read.