Defining Codes of Conduct to Enable Post Brexit GDPR Compliance
Harmonization of data protection regulation should still be the aim, despite Brexit, to enable companies to trade across Europe.
Speaking during the Westminster Events Conference on data protection, Chris Combemale, CEO of the Data and Marketing Association, said that since the implementation of GDPR in May 2018, the harmonization of data protection “has been put at risk by data protection authorities across Europe” as they applied the legislation “in radically different ways in each country.”
This can affect customer trust, economic growth and job creation in relation to processing and getting to know customers better.
Combemale said data protection authorities (DPAs) should “apply the role as it is written.”
Looking at the code of conduct for GDPR, which he said was intended for relevant sectors and to achieve harmonization across Europe, in the first instance of “co-regulation” by data protection legislation, Combemale explained: “The logic is that a GDPR code of conduct, operated consistently across 27 or 28 countries, via an industry monitoring body, can provide a consistent interpretation of key aspects of GDPR within an industry sector.”
This would be across industry verticals and different types of businesses, as determined by Article 40 of the GDPR. He said the data and marketing industry has been working hard to achieve clarification of GDPR across Europe, through a combination of an EU code of conduct and national codes of conduct.
This has seen a European code of conduct being produced, while the Austrian DPA has approved a code of conduct for the use of third party data, as approved by the Austrian data and marketing association. The Italian DPA has approved a specific code of conduct for business information services, which is in the process of being approved.
In the UK, he said the Data and Marketing Association is working with the ICO to create a data and marketing code of conduct “including recognition of the existing data and marketing commission as the industry monitoring body.
“All these codes of conduct must reflect GDPR text in way it was written and applied through the lens of sector knowledge and expertise,” he said.
The next step is to understand the scope of business legitimate interests and what that is within the text of GDPR. “We will work hard, using our industry expertise, to ensure all approved data and marketing codes of conduct across Europe and for our industry reflect this,” he said, “in order to understand the harmonization and consistency that was intended by GDPR being a regulation rather than a directive.”
If, in a worst case scenario, the UK is denied data adequacy, he concluded that industry codes of conduct can offer a basis for data transfers.