EU Data Protection Reform: An ICO Perspective

Presentation transcript:

EU Data Protection Reform: An ICO Perspective
Ian Inman, Group Manager, Strategic Liaison

GDPR Is Coming!

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” – Karen Bradley MP, Secretary of State for Culture, Media & Sport

The Government has more or less confirmed that, despite the result of the EU referendum, we will be EU members in 2018 and so will be implementing the GDPR. This should remove any lingering uncertainty: organisations have clarity. If you have not already done so, it is time to start preparing for the GDPR!

What are we doing?
- Queries and concerns – top 5
- Guidance
- Change Management Programme
- Website – www.dpreform.org.uk
- Blogs – https://iconewsblog.wordpress.com
- Key stakeholders

What are we, at the ICO, doing to prepare for the GDPR? We have been listening all year to stakeholder concerns; we want to factor those into how we prioritise guidance. We have been tracking these through the use of a ‘top 5’ list. We have continued to engage with key stakeholders across all sectors, including NHS England and NHS Digital in the health sector, listening to concerns and queries and providing advice where we can. We are also running the workshop later on in the conference. We have an internal change management programme underway to look at what we do now and what we will need to do in the future, examining staffing, skill sets and structures to make sure we are where we need to be for go-live. We have a DP Reform website and our blog where you can go to keep up to date with all of our latest thinking. We are looking at refreshing our guidance suite.

Guidance is being published

We have already released a couple of documents designed to help people who are just starting to get to grips with the GDPR. Our ‘12 steps to take now’ document, published early this year, sets out 12 headline things to start thinking about now to help get things moving. We have since published our ‘Overview of the GDPR’ guidance, which aims to provide a little more detail on key areas like individuals’ rights, conditions for processing, accountability and transparency.

Advice & guidance
- A29WP guidance: Main Establishment, Role of the DPO, Data Portability, Risk, Certification
- ICO guidance: Big Data v2.0, Consent, Profiling, Risks and DPIAs, Contracts/liability, Fines, Children’s privacy
- E-Privacy Directive review

We are also working on papers to inform our thinking on some of the topics that have come up time and again in our stakeholder meetings. Consent is clearly an area of some concern across many sectors, as the GDPR sets a higher standard. Profiling is also coming up a lot; we will be looking into what sorts of activities might be covered. We are also starting to think about risky processing, liability and contracts, and issues around children’s privacy, though these are in the very early stages. We are not shying away from ensuring we also input into much of the A29WP guidance that is being worked on. The following are due for completion by the end of the year: guidance on main establishment, the role of the DPO and data portability. The rest are well underway but are due to roll over into 2017.

Points for special mention
1. Transparency
2. Consent
3. Pseudonymised data
4. Legal basis for processing personal data

I wanted to just tease out one or two points for special mention in light of the National Data Guardian’s review or simply . We will be looking at what the GDPR requires in terms of transparency and consent in more detail in our workshop later. However, following on from the National Data Guardian’s review, there are clearly some areas of both the current regime and the GDPR that are going to be relevant to how that is implemented, particularly transparency and consent. We have been very clear in our responses to the subsequent consultation around the review that, in order for any consent mechanism to function properly, the transparency that goes with it is of paramount importance. Individuals should clearly understand the choice that is available to them and where they do not have a choice. They should know what is happening with their data and why it is happening; otherwise it would be very difficult to say that they had consented (consent needing to be clear, unambiguous, fully informed and freely given in a data protection context).

Currently, pseudonymised data is in the vast majority of cases classed as anonymised under the current regime. Under the GDPR it is still subject to certain aspects of the legislation. How will this be reconciled with the findings of the report that consent/opt-out will not apply to data anonymised in line with the ICO Code, especially since we will probably need to make changes to our anonymisation code?

Finally, public bodies will need to be absolutely clear as to what their legal basis for processing is. They can no longer rely on the legitimate interests condition for processing when carrying out their duties. This will help focus minds on what basis you are really processing personal data on.

GDPR key areas: Enforcement and Breach notification

In some ways the changes to breach notification will not be news to health bodies, which are already under an obligation to report incidents to the ICO. However, it has major implications for us, as we will likely be receiving significantly more data breach notifications than we currently do. We also need to revisit our enforcement strategy to see whether it will still be fit for purpose under the new regime. All of these things are to be considered as part of the change programme.

Monetary penalties: up to €20m or 4% of WWTO (worldwide turnover)

Obviously the big headline change in enforcement is the change to fines. Certain breaches can be fined up to €10m or 2% of WWTO; others attract fines of up to €20m or 4% of WWTO. Crucially, and in a change from perhaps where the focus has been previously, issues related to security breaches will fall within the lower tier of fine. Issues that attract the higher tier include infringements related to the basic principles for processing and the data subjects’ rights. This is a marked shift: individuals’ rights are clearly important, and a failure to comply with them can attract a higher fine than failing to keep personal data secure.

The future?

We don’t know what the future holds post-Brexit. Will we retain the GDPR in full? Will there be some form of UK DPR? There hasn’t been any clear indication from government yet as to what may happen once we have left the EU. There are some inferences from comments made that we may see some further reform, but there is nothing concrete about this yet.

Keep in touch: subscribe to our e-newsletter at www.ico.org.uk or find us on /iconews and @iconews