The Information Commissioner’s Office (ICO) recently published a guide outlining 12 recommended steps for businesses to prepare for the upcoming General Data Protection Regulation (GDPR), which will be implemented in mid–2018.
According to the ICO, if businesses are compliant with the current UK Data Protection Act 1998 (DPA) then they will be well positioned to comply with the new laws given that many of the GDPR’s main concepts and principles are the same as those in force under the DPA. That said, there are a number of new elements and significant enhancements with which businesses will have to comply.
The ICO advises that businesses should start by ensuring that their key decision makers are aware that data protection law is changing, which could have significant resource implications for larger and more complex organizations. The ICO also recommends that organizations appoint a Data Protection Officer to assess whether or not the organization’s current approach to data protection meets the GDPR’s requirements.
Among the changes highlighted by the ICO are enhanced rights of data subjects, modifications to the ability to charge for complying with a data subject’s access request, and faster response times to such requests (a month, as opposed to the current 40 days). With the GDPR, there will be breach notice requirements for all entities instead of just telecoms. Although the provisions are not procedurally identical, these breach notice requirements will be familiar for multinational organizations that face notice requirements in the U.S. The ICO guide also covers the GDPR requirements around children’s personal data, particularly in the context of social networking.
TIP: While the effective date of the GDPR will not be implemented until 2018, procedural steps will need to be taken to become compliant. This guide demonstrates that the ICO believes companies should start making preparations now.