ICO advises businesses on how to avoid falling foul of new EU data protection regulation

The Information Commissioner’s Office (ICO) has published advice to British businesses on how they can prepare for the imminent and far-reaching European Union reforms to data protection.

It is expected that the EU will release the finalised General Data Protection Regulation later this year – or, increasingly likely, in early 2016 – which will see it take effect in all 28 EU member states after a two-year transition period.


The legislation is intended to harmonise rules surrounding data protection across the EU, hopefully making it simpler for companies both inside and outside the EU to comply. In addition, the legislation will almost certainly increase penalties for breaching data protection law, with the possibility of companies being fined up to five per cent of their global turnover.

The ICO is responsible for enforcing data protection legislation in the UK, and the organisation has offered advice to British businesses on how they can avoid falling foul of the new laws ahead of the enforcement regime that will come in during 2018.

According to David Smith, deputy commissioner and director of data protection, the most important thing a business can do is to start preparing for the data protection regulation reforms sooner rather than later.

“Make sure you’re right on the ball in meeting your current responsibilities,” Smith wrote in a blog post.

Smith suggested that while not every organisation will necessarily need a data protection officer, it’s important to ensure the business has the “right people in place to help you understand and meet the requirements of the regulation”.

“It’s a myth that the regulation will require every business to recruit a data protection officer, but they will need resources to help them deliver the necessary change, even if these resources come through training and developing existing staff,” he said.

The ICO also suggests ‘privacy by design’ as a concept that every organisation should follow, with privacy being at the forefront of business decisions. This, Smith said, means many organisations will need to ask a few questions of their own processes.

“What steps do you take to make sure that your systems and processes, particularly new ones, deliver data protection compliance as a matter of course?” Smith asked.

“Are you reviewing the personal data you hold, and why you hold it, to ensure that you can meet the requirement for ‘data minimisation’? Do you know what a privacy impact assessment is? Have you used one yet?” he added.

Smith also explained that breach management is an area organisations should have a plan for, in case they find themselves suffering a “significant personal data breach”.

He wrote: “Does your process include arrangements to notify affected individuals, as well as the ICO? Most importantly, do you have effective technical and organisational security measures to prevent breaches in the first place?

“We’ll be providing further updates on the progress of the reforms, and what that means in practice,” Smith’s blog post concluded, suggesting that there’s plenty more to come from the ICO on the matter.

Information Commissioner Christopher Graham recently spoke in-depth to Computing about the new General Data Protection Regulation and the state of privacy as a whole in the UK.