The ICO – GDPR partners or police?
The ICO is the regulator for data protection in the UK and will continue to be the supervising authority after GDPR launches on 25 May 2018. But what, exactly, is the ICO all about?
Today, many businesses have to register with the ICO as a data controller under the existing data rules (the Data Protection Act 1998), but as of 25 May next year this won’t be required.
However, the ICO will continue to monitor and assess organisations’ compliance with data protection legislation. All data breaches which could cause loss or damage to data subjects (like you or me) will also need to be reported to the ICO within 72 hours of organisations becoming aware of them.
Elizabeth Denham, the Information Commissioner, is clear that the ICO is there to help and assist. It has launched an online chat facility and is taking proactive steps to work with businesses and help them achieve GDPR compliance. At the 2017 ICO Practitioners’ Conference, Commissioner Denham said: “Our emphasis is on partnership, we are not the police. We are not the department of no.”
To help organisations prepare for GDPR, the ICO has created a ‘12 Steps To Take Now’ checklist. Step 2 advises organisations to document what personal data they hold, where it comes from and who they share it with. This should all be included on the data map I suggested last month as the starting point for compliance.
The checklist indicates that you may find compliance difficult if you leave your preparations until the last minute. Like most things, the earlier you start the better. The exercise won’t be completed on 24 May 2018 either. GDPR requires you to continually review, analyse and improve how you process and handle data.
Businesses should, as a minimum, work through the checklist and document how they have addressed each point. The impact of GDPR will be different for each and every business – there is no ‘one size fits all’ option or approach.
For SMEs, the ICO also has a self-assessment toolkit that can be used to determine what areas they need to focus on and address.
To stay up to date with the latest news from the ICO, you can follow it on Twitter or subscribe to the monthly blog. The blog highlights any new guidance as well as the fines and investigations that are concluded, with advice on how to learn from others’ mistakes.
Check out the ICO’s website to learn more, contact the Commercial Law team, or call 0191 211 7972 for expert data protection advice.