ICO warning on data protection reforms
With maximum fines as high as 20 million euro for breaches of the new EU data protection regulation, the Information Commissioner's Office (ICO) has warned that organisations cannot afford to get data protection wrong.
Information commissioner Christopher Graham said that with an initial agreement being reached on the new EU-wide regulations last December, sign-off was now expected in the summer, leading to a two-year transition period before passing into law.
Speaking at the ICO's annual Data Protection Practitioners' Conference last month, he said: "The EU data protection reforms promise to be the biggest shake-up for consumers' data protection rights for three decades. Organisations simply cannot afford to fall behind."
The new EU General Data Protection Regulation (GDPR) will replace the EU Data Protection Directive of 1995 on which the 1998 UK Data Protection Act is based. It will run parallel with a new directive for police and justice issues that should enable police forces across Europe to work together faster and more efficiently to counter serious crime and terrorism.
The European Parliament's lead MEP on the directive, Estonia's Marju Lauristin, said the historic agreement was the first time rules covering police and criminal justice authorities on data protection in the EU were being fully harmonised.
While the new EU GDPR will apply directly throughout the EU with the aim of bringing about a standard data protection regime, the directive relating to police and justice issues will be implemented in each member state individually.
To better prepare for the potential implications of the reforms, the ICO has published a 12-step guide highlighting the importance of documenting personal data being held and ensuring an understanding of how it is shared through an information audit process. Other recommendations include ensuring the right procedures are in place to detect and investigate a personal data breach, as well as determining the correct supervisory authority in cases of transferring information internationally.
"People have never been so aware of what their personal data is, and never cared so much about how it is used. The law is changing to reflect that," said Mr Graham, who is leaving his post when his term finishes in June.
He said the priority for the ICO this year will be making sure it does all in its power to ease the introduction of the new rules.
Steve Wood, head of policy delivery at the ICO, said the ICO's work around implementing the reforms had started in earnest and it was keen to hear from people about which areas of the reforms will be the most challenging to implement and what the priorities for advice and guidance should be.
One message that was coming over loud and clear, said Mr Wood, was that people were already starting to develop a plan and wanted to take the key steps towards implementation well ahead of 2018. It was with that in mind that the ICO produced its 12-step guidance on the GDPR.
"Over the next few months we'll be doing more work to consider the feedback we've received and produce a more detailed plan for the guidance, other tools and services we need to develop," he added.
"We're also aware that those working in sectors with law enforcement functions are also expecting advice and guidance about the data protection directive on police and criminal justice issues, which was agreed at the same time as the GDPR," said Mr Wood. "Many of the provisions in the directive are drawn from the Regulation. We'll also assess what specialist guidance may be needed."
He said the new law would enhance the rights of data subjects and place more obligations on organisations to be accountable for their use of personal data.