The Data Protection Network has added its voice to widespread concerns that the Information Commissioner’s Office is dragging its feet over publishing guidance to comply with GDPR, despite the regulator’s insistence that firms must act now.
In June, John Lewis and HSBC joined growing calls for more clarity from the UK regulator over how they can achieve compliance with GDPR, insisting its guidance is still too ambiguous.
The ICO had originally said it would publish its consent guidance in June, but with fears this may not emerge until December – first revealed in Decision Marketing – companies will have less than five months to get their plans in place before the May 25 deadline.
Last month, the DPN published its own guidance on legitimate interests, having joined forces with the DMA and ISBA.
Plans for the cross-industry initiative were first hatched in March after the ICO seemed to suggest it would not be publishing specific guidance for legitimate interests; a move it subsequently denied.
Now, in a blogpost written by DPN member Rosemary Smith – a former DMA chair and director of Opt-4 – it states: “Unsurprisingly, organisations told to hurry up and prepare for May 2018 are frustrated; consent is a crucial issue. A draft is a draft and subject to change and any alterations could have a significant impact. Do organisations jump now and adopt the draft guidance and risk going too far?”
“The tough stance taken in the draft certainly presents a real challenge for many, and in some cases the requirements are simply impractical to implement. Organisations need to know for certain what the ICO expects. There are also areas that are just not covered where further guidance would be most helpful.”
In the absence of the certainty final guidance would provide, the DPN insists organisations can only go with what they know and what might present the ‘worst-case’ scenario. Smith adds: “Being prepared for the latter may be wise. What is unlikely is the ICO backing down on the statement, ‘Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.’ And, increasingly, this is something consumers regard as suspicious.”
The DPN also says organisations face a major challenge in meeting the deadline to comply with the ePrivacy Regulation governing electronic communications – due to come into force at the same time as GDPR.
Smith writes: “The final text has yet to be published and rumours are growing it may be delayed. Will the soft opt-in be retained but its scope limited? Will there be a clear distinction made between business data and consumer data?
“A final ePrivacy text and more consent guidance simply can’t come soon enough, ensuring compliance isn’t easy when you don’t know precisely where the goalposts stand.”
UK bodies publish GDPR ‘legitimate interests’ guidance
GDPR fears mount over delay to ICO consent guidance
ICO insists GDPR guidance will cover legitimate interest
John Lewis and HSBC slam ‘ambiguous’ GDPR guidance
Lack of GDPR guidance fuels fears over bombardment
ICO rebuffs GDPR guidance failings despite RNLI rethink
Industry on alert over third-party data legal crackdown
DMA joins forces in bid to demystify legitimate interests
GDPR consent updates spark chilling warning to brands