Who: Information Commissioner’s Office (ICO)
Where: United Kingdom
When: 7 September 2015
Law stated as at: 9 October 2015
What happened:
On 7 September, David Smith, Deputy Commissioner and Director of Data Protection at the ICO, blogged an update on the progress of the draft General Data Protection Regulation (GDPR) through the European legislative process, together with some top tips on how to prepare for the reforms.
The end may be in sight…
Amid negative reports on attempts to finalise the GDPR, David Smith convincingly declared that “if all goes according to plan, we’ll know pretty much what’s going to be in the [GDPR] by the end of this year.”
He stated that on the most optimistic forecasts, the GDPR may be finalised by the end of this year or early next year (“much before June 2016”); but that the end of 2016 may be more realistic. Once adopted, there will then be a two-year transitional period before the GDPR comes into force.
This update was given before the CJEU’s ruling in Case C-362/14 Maximillian Schrems v Data Protection Commissioner that Safe Harbor is invalid, and it is not yet clear how that landmark ruling will affect the progress of the reforms.
ICO top tips
With the GDPR edging towards adoption, businesses should, to the extent that they are not already doing so, start thinking about what the GDPR might mean for them and what they can do now to prepare for it. On the latter point, the ICO’s main message and number one top tip is for businesses to make sure they are meeting their current responsibilities.
In particular, the ICO advises businesses to consider:
- The extent to which individuals are given control over, and consent to the use of their personal information;
- Whether effective processes are in place to ensure data protection compliance and that compliance can be demonstrated;
- Whether the right people are in place to help with understanding and meeting the requirements of the GDPR;
- Whether privacy considerations are built into the development of new systems and processes; and
- What processes are in place to manage any data security breaches.
While the ICO does not specifically refer to reviewing the arrangements in place for transferring personal data outside the European Economic Area, following the decision in Schrems this should invariably be high on businesses’ list of priorities for ensuring compliance with their current responsibilities.
Why this matters:
Ensuring compliance with data protection legislation is not an easy task, or one that can be done overnight.
Before considering what steps need to be taken to ensure compliance, businesses need to fully understand, for example, what personal data is collected, how it is used and whether it is transferred to third parties and/or to other jurisdictions. This in itself can take considerable time, effort and resource.
In the infamous words of Charles Dickens, “[m]y advice is to never do tomorrow what you can do today… procrastination is the thief of time.”