On 14 March 2016, I joined 800 other data protection practitioners in Manchester for the ICO's annual conference.
The ICO is in full GDPR preparation mode
As expected, much of the day focussed on the European General Data Protection Regulation ("GDPR"). Christopher Graham, the UK Information Commissioner, started the day by highlighting that "directors now have 20 million reasons to start listening" to data protection concerns, a reference to the new levels of fines under the GDPR.
The ICO clearly has a great deal of work ahead over the next two years to ensure that it is ready for the changes that the GDPR will bring for it and the organisations that it regulates. Key projects for the ICO on the horizon include:
- working with the UK government on secondary legislation, particularly in respect of those areas where the UK will be permitted to derogate from the provisions of the GDPR;
- the significant task of drafting new guidance and reviewing current guidance for required amendments; and
- establishing a breach notification service.
The ICO is currently in its "listening phase" and welcoming all thoughts, feedback and concerns regarding organisations' views of the likely impact of the GDPR. It will then use this feedback to develop its "change programme" and to prioritise the advice and guidance that it provides.
This is an opportunity for all organisations to influence the focus of the ICO over the next crucial two years. DAC Beachcroft will shortly be issuing a request for input in order to collate feedback from our clients. If you would like to be involved in this please email Jade Kowalski.
Organisations should be making preparations for implementation of the GDPR now
The key message from Steve Wood, ICO Head of Policy Delivery, was one of "continuity and change". His advice, which echoes the advice that we have been providing to clients, was that good compliance with the Data Protection Act 1998 will be a strong starting point for compliance with the GDPR.
With a few exceptions, our experience is that organisations are only just beginning to scope the extent of their GDPR implementation plans. This is a crucial phase of the project and should be given appropriate attention. We are advising our clients to: a) conduct a fact-finding exercise to identify what personal data is held and where; b) identify stakeholders at all levels of the business; c) design the organisation's implementation plan, breaking it down into smaller, manageable tasks; and d) set up steering committees for each element of implementation.
New ICO resources
The ICO also used the conference as an opportunity to launch two useful resources:
- a dedicated GDPR microsite (www.dpreform.org.uk). The ICO will use this site to issue its blogs and guidance on the GDPR to avoid any confusion between guidance on the GDPR and the current Data Protection Act 1998; and
- its first piece of official guidance titled "12 steps to take now", a summary of which is set out below.
ICO guidance: preparing for the GDPR – 12 steps to take now
The ICO's first piece of guidance on the GDPR serves as a useful checklist of the steps that organisations should be taking now as the first step on the road to full compliance by 2018.
- Awareness – ensure that decision makers and key people within your organisation are aware that the law is changing.
- Information you hold – document what personal data your organisation holds, where it came from and who it is shared with.
- Communicating privacy information – review current privacy notices and put in place a plan for making any necessary changes.
- Individuals' rights – check your procedures to ensure they cover all new rights of data subjects under the GDPR.
- Subject access requests – update your procedures and plan how you will handle requests within the timescales and in line with the new information requirements.
- Legal basis for processing personal data – for each of your data processing activities, identify the legal basis for processing and document it.
- Consent – review how you are seeking, obtaining and recording consent and identify any changes required.
- Children – consider how to put systems in place to verify individuals' ages and to gather parental consent for processing of personal data of children.
- Data breaches – ensure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data protection by design and privacy impact assessments (PIA) – familiarise yourself with the process and format of PIAs and work out how to implement them in your organisation.
- Data Protection Officers (DPO) – appoint a DPO (or someone who will take responsibility for data protection compliance) and assess where this role will sit.
- International – if your organisation operates internationally, determine which data protection supervisory authority will be your lead authority.