The clock is ticking to prepare for GDPR

Getting ready for the new EU data protection regulation is a seismic task for the regulator, as much as it is for businesses, explains Garreth Cameron, group manager of business and industry at ICO

LinkedIn Twitter
LinkedIn Twitter
Garreth Cameron of ICO
Garreth Cameron of ICO

May 25 2018 is the date circled in the calendars of data protection professionals across the country, as it’s the day the much anticipated General Data Protection Regulation (GDPR) will take effect in the UK.


The clock has already started ticking and 2017 will be a crucial year in which firms will be making plans and looking to implement the changes needed.


The regulation aims to update data protection for the modern age by reflecting rapid technological developments and globalisation, and the increase in the scale of collection and sharing of personal data.


It enhances data protection principles and rights, and will create a stronger framework for organisational accountability and enforcement. It’s an evolution of our existing laws and good practice, but that’s not to downplay the need for businesses to ensure they are now working towards meeting the new requirements.


There will be challenges for businesses, just as there will be challenges for the Information Commissioner’s Office as the supervisory body tasked with overseeing the regulation in the UK. As well as making sure we’ve got the right structures and processes in place to deal with our new responsibilities, we understand how important it is that businesses have the right information and guidance to hand to help them comply.


Our activity


We started 2016 by running a series of roundtables to understand what the areas of concern are, and what businesses consider the ICO’s priorities should be.


As our thinking has developed we’ve continued to engage with trade associations and industry representatives, and we’ve listened to all the feedback and factored it into the guidance plan we’ve published. We have also been speaking to other regulators to help avoid any conflicting regulatory requirements being placed on firms.


One of our first pieces of guidance has been an overview of the regulation and the key themes. This should help those unfamiliar with the regulation to understand, in broad terms, what it requires.


Being transparent, providing accessible information, and giving individuals control over their information are important aspects of the regulation. We’ve already published our privacy notices, transparency and control code of practice to explain in more detail what is required, and the techniques that can help you present privacy information effectively – in particular in the digital world.


We’ve also published 12 steps to take now to help guide organisations on the key areas we think they should focus on first. A first step should be to ensure key decision makers are aware that change is coming and to appreciate the impact this is likely to have on the business.


Ensuring there is a consistent understanding of data protection requirements is crucially important to reducing barriers to trade and we’ve been working closely with our European counterparts to help ensure guidance from the new European Data Protection Board is pragmatic, easy to follow and reflects business concerns here in the UK.


What’s coming next


We will shortly be producing guidance on individuals’ rights, contracts and consent. These are three areas that businesses have consistently said are priorities. We’ve also started to develop our thinking on risk and significant legal effects, profiling, children’s privacy, documentation and records, controllers and data processors, as well as international transfers.


We provide a wide range of advice and guidance on a number of areas from employment practices to data sharing. We will be working on refreshing and adapting our existing guidance to ensure it reflects GDPR.


Following on from the success of our data protection self-assessment toolkit, we also want to seek to develop more practical tools and resources for SMEs to assist with their compliance.


On a European front, we expect guidance to be published shortly on identifying an organisation’s main establishment and lead supervisory authority, the right to data portability, the requirements for data protection officers, risky processing and data protection impact assessments.



LinkedIn Twitter

Revealed: The F5 and Commercial Finance Awards shortlists

The shortlists have today been revealed for the F5: Future of Finance Awards and the Commercial Finance Awards. Both events will take place at the Hilton Bankside in London on October 31.

Precise Mortgages’ parent announces flotation

Precise Mortgages has today (September 29) floated on the London Stock Exchange

Older consumers face financial exclusion

Older consumers are at risk of being financially excluded, according to a recent occasional paper published by the Financial Conduct Authority (FCA)

FCA warns of enforcement action over complaints policies

The Financial Conduct Authority (FCA) has warned enforcement action will be taken against consumer credit firms who are seriously failing to comply with its complaints policy

The CS Interview

Renaissance man
LinkedIn Twitter

Renaissance man


Engineering a self-service solution in car finance
LinkedIn Twitter

Engineering a self-service solution in car finance


"It’s up to the financial services industry to help teach students the necessary skills to manage their finances"
LinkedIn Twitter

"It’s up to the financial services industry to help teach students the necessary skills to manage their finances"


Lloyds results reveal £2bn of debt in forbearance
LinkedIn Twitter

Lloyds results reveal £2bn of debt in forbearance

Upcoming events

TRI Conference: Special Situations & Turnaround

TRI Awards 2017

Mortgage Conference 2017

F5 Conference 2017

Credit Strategy

Did you find our website useful?

Thank you for your input

Thank you for your feedback – an online news and information service for the UK’s commercial and consumer credit industry. is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.
@ Copyright Shard Media Group