Earlier this month, the Information Commissioner's Office (ICO) published its draft updated code of practice for data sharing (the “Code”).
What is the purpose of the Code?
The Code contains practical guidance on how to share personal data in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA). It is aimed at data controllers (i.e. individuals or companies who decide why and how personal data is processed) who are subject to the provisions of the GDPR (i.e. they are established in the EU and/or are processing personal data of EU data subjects) and are sharing personal data. Although it does not impose any additional legal requirements beyond those imposed by the GDPR and DPA, the Information Commissioner must take the Code into account when considering whether an organisation has complied with its data protection obligations (under section 127 of the DPA). The Code can also be used as evidence in court proceedings, and must be taken into account by the court where relevant.
In brief, the Code:
- updates and reflects key changes in data protection law, introduced by the GDPR and DPA, since the last code was published;
- explains new developments in technology and their impact on data protection;
- looks at new areas in data protection law (such as the principle of “accountability”, data protection impact assessments, and data sharing agreements); and
- looks at some common misconceptions and tries to clear these up.
What happens if an organisation does not comply with the Code?
So long as you are complying with the requirements of the GDPR and DPA, you will not be penalised if you fail to adopt the good practice recommendations in the Code. However, the Code warns that failure to comply with its recommendations may mean an organisation finds it harder to demonstrate compliance with the GDPR and DPA. A breach of the GDPR or DPA may result in fines of up to €20 million, or 4% of annual worldwide turnover, whichever is higher.
The Code is currently in draft form, and is open for consultation until 9 September 2019. After the consultation phase is over, the final version will need to be laid before Parliament before it can come into force in due course as a statutory code. In the meantime, the Code still makes for useful reading as it can help organisations ensure they are on the right track when sharing personal data as part of their day-to-day operations.
Hamlins regularly advises SMEs, and large organisations (including a market leading estate agency), on compliance with the GDPR and DPA. For further information please contact Matthew Pryke.