David Smith is the UK's Deputy Information Commissioner. As well as providing Data Protection leadership across the ICO, he has direct responsibility for oversight of its Strategic Liaison Division, which develops and manages the ICO’s relations with its key stakeholders.
You may have seen my recent blog offering an update on progress on EU data protection regulation reforms.
Negotiations are very much ongoing, but if all goes according to plan, we’ll know pretty much what’s going to be in the Regulation by the end of this year. There’ll still be plenty of process to go through before final adoption, including translation. On the most optimistic forecasts, the two-year run-in period is unlikely to start much before June 2016, with the Regulation in force in June 2018, though the end of 2018 might be a more realistic prospect.
Plenty of time to prepare, then, but it may still be wise for UK businesses to start thinking about what the impact might be. So what can businesses be doing now?
The short answer is to make sure you’re right on the ball in meeting your current responsibilities. Beyond that, the impact will depend on the line of business you’re in, but here are a few areas which any business might usefully start to look at:
Consent and control
How far do you give your customers genuine control over what information you keep about them and how you use it? If you’re relying on their consent, do they know that they are consenting and the implications of this? This is especially pertinent if they are children. Can they easily say no or withdraw their consent later on?
Do you have effective processes in place to ensure that you are data protection compliant? Can you explain what these are and demonstrate that they work in practice? Can individuals easily find out not just what information you hold about them and how you might use it, but also more generally about your personal data handling practices?
It may not be clear yet whether you’ll be required to designate a Data Protection Officer but even so, do you have the right people in place to help you understand and meet the requirements of the Regulation? If not, do you at least have some idea where you might get the necessary expertise from? It’s a myth that the Regulation will require every business to recruit a Data Protection Officer, but they will need resources to help them deliver the necessary change, even if these resources come through training and developing existing staff.
Privacy by Design
What steps do you take to make sure that your systems and processes, particularly new ones, deliver data protection compliance as a matter of course? Are you reviewing the personal data you hold and why you hold it to ensure that you can meet the requirement for ‘data minimisation’? Do you know what a privacy impact assessment is? Have you used one yet?
Do you have a breach management process in place? Is it ready to be activated even if you’ve been fortunate enough not to suffer a significant personal data breach so far? Does your process include arrangements to notify affected individuals as well as the ICO? Most importantly, do you have effective technical and organisational security measures to prevent breaches in the first place? Are you sure that these are kept up to date?
We’ll be providing further updates on the progress of the reforms, and what that means in practice. You can keep in touch with us through our e-newsletter and Twitter.