The Information Commissioner's Office (ICO) has published advice for UK businesses on how they can prepare themselves for the Data Protection Regulation. The Data Protection Regulation will replace the 1995 Data Protection Directive and seeks to harmonise the law in relation to data protection across all member states. The regulation will form the basis for the creation of a "Digital Single Market" and will take precedence over UK law, unlike the current Data Protection Directive which has been implemented into UK law via the Data Protection Act 1998.
In line with this, David Smith, Deputy Commissioner and Director of Data Protection at the ICO, has provided his analysis of the impact of the Data Protection Regulation and how UK businesses should prepare themselves. In his blog he highlights a number of key areas for consideration, such as consent and control, staffing, and privacy by design, and poses a number of questions businesses should be asking themselves, for example: "how easy is it for a customer to withdraw their consent?"
Privacy by design is a key concept that the ICO suggests every business should follow, with privacy at the forefront of business decisions made in relation to the handling of an individual's personal data. Mr Smith interestingly suggests the designation of a data protection officer as an internal compliance measure to meet the requirements of the regulation, and provides further comment on how this links in with proper systems and controls. He suggests that businesses should be in a position to deliver data protection compliance as "a matter of course", especially when new systems are being introduced to a business; he hints that this should be built in as a process from day one. He further suggests the introduction of a "privacy impact assessment" and asks businesses to consider whether they have ever used one. A link is available on the ICO's site to access the assessment.
Other notable advice is the introduction of a breach management process that can establish whether a significant breach has occurred and how a business should address it. The issue of security is also examined, and businesses are advised to review their technical and organisational security measures when assessing the risk of a data breach.