Getting ready for the new EU data protection regulation is a seismic task for the regulator, as much as it is for businesses, explains Garreth Cameron, group manager of business and industry at ICO
May 25 2018 is the date circled in the calendars of data protection professionals across the country, as it’s the day the much anticipated General Data Protection Regulation (GDPR) will take effect in the UK.
The clock has already started ticking and 2017 will be a crucial year in which firms will be making plans and looking to implement the changes needed.
The regulation aims to update data protection for the modern age by reflecting rapid technological developments and globalisation, and the increase in the scale of collection and sharing of personal data.
It enhances data protection principles and rights, and will create a stronger framework for organisational accountability and enforcement. It’s an evolution of our existing laws and good practice, but that’s not to downplay the need for businesses to ensure they are now working towards meeting the new requirements.
There will be challenges for businesses, just as there will be challenges for the Information Commissioner’s Office as the supervisory body tasked with overseeing the regulation in the UK. As well as making sure we’ve got the right structures and processes in place to deal with our new responsibilities, we understand how important it is that businesses have the right information and guidance to hand to help them comply.
We started 2016 by running a series of roundtables to understand what the areas of concern are, and what businesses consider the ICO’s priorities should be.
As our thinking has developed we’ve continued to engage with trade associations and industry representatives, and we’ve listened to all the feedback and factored it into the guidance plan we’ve published. We have also been speaking to other regulators to help avoid any conflicting regulatory requirements being placed on firms.
One of our first pieces of guidance has been an overview of the regulation and the key themes. This should help those unfamiliar with the regulation to understand, in broad terms, what it requires.
Being transparent, providing accessible information, and giving individuals control over their information are important aspects of the regulation. We’ve already published our privacy notices, transparency and control code of practice to explain in more detail what is required, and the techniques that can help you present privacy information effectively – in particular in the digital world.
We’ve also published 12 steps to take now to help guide organisations on the key areas we think they should focus on first. A first step should be to ensure key decision makers are aware that change is coming and to appreciate the impact this is likely to have on the business.
Ensuring there is a consistent understanding of data protection requirements is crucially important to reducing barriers to trade, and we’ve been working closely with our European counterparts to help ensure that guidance from the new European Data Protection Board is pragmatic, easy to follow and reflects business concerns here in the UK.
What’s coming next
We will shortly be producing guidance on individuals’ rights, contracts and consent. These are three areas that businesses have consistently said are priorities. We’ve also started to develop our thinking on risk and significant legal effects, profiling, children’s privacy, documentation and records, controllers and data processors, as well as international transfers.
We provide a wide range of advice and guidance on a number of areas from employment practices to data sharing. We will be working on refreshing and adapting our existing guidance to ensure it reflects GDPR.
Following on from the success of our data protection self-assessment toolkit, we also want to develop more practical tools and resources for SMEs to assist with their compliance.
On a European front, we expect guidance to be published shortly on identifying an organisation’s main establishment and lead supervisory authority, the right to data portability, the requirements for data protection officers, risky processing and data protection impact assessments.