Takeaway from the IAPP Europe Data Protection Congress 2019
Last week FORT Riga lawyer, data protection officer Nikola Katrīna Megne attended one of the largest events for GDPR practitioners – IAPP Europe Data Protection Congress 2019 held in Brussels. Here are seven things to keep in mind after the congress that Nikola would like to share.
Any data controller and processor in the European Union has hopefully already taken appropriate measures to ensure compliance with the General Data Protection Regulation (GDPR). Even though the hype around the GDPR has declined in the recent months, the 2019 IAPP Europe Data Protection Congress reiterated the most important issues and highlighted new developments in the world of data protection.
- Ethics and processing
Ethics in data processing have been playing an increasingly higher role when it comes to what we can and should do with personal data. Controllers need to adhere to the principle “just because you can, does not mean you should”, as data processing for a seemingly innocent purpose could have unintended consequences.
- Implication does not mean consent
Implied consent (i.e., “if you keep scrolling the page, you consent to cookies”) does not comply with the requirements of GDPR and cannot be considered valid. This means that cookie settings in the websites that have not already fixed the cookie settings should do it now.
- Different approaches
When it comes to consent, the GDPR is quite explicit about providing an opt-in option to data subjects in order to consent to data processing. This is not the case in all jurisdictions though, as the California Consumer Privacy Act will adopt the opt-out option, which means that data subjects will have to make active efforts to recall consent.
- The “B” word
Putting aside other uncertainties around Brexit, data controllers and processors need to start preparing for a scenario where the United Kingdom is no longer part of the European Union and is considered a third country within the meaning GDPR. This means that appropriate measures have to be taken to ensure lawful data transfer to the United Kingdom. However, there is some hope, that an adequacy decision could be made, which would mean that data can be easily transferred to the United Kingdom.
- Intelligent design
Data protection by design is not only the concern for your legal team or data protection officer. The software developers need to think of data protection and accessibility while developing software, to ensure not only the functionality of the software and safety of it, but also making sure that data can be easily found and data subject’s requests fulfilled.
- Increased pressure on processors
It is no secret that a lot of controllers use data processors to outsource certain data processing activities. This is why, since controllers are responsible for the data processing, they are paying more and more attention to the processors they use, which, in turn, means that processors have to think about data protection and demonstrating compliance with GDPR.
- GDPR is not alone
Now that an increasing number of countries outside the European Union are adopting data protection legislation, the GDPR does not work anymore as a universal standard for adequate data processing practices. This means that controllers prepare and adapt their data processing activities to comply with other data protection legislation.