
EU Data Protection Reform: An ICO Perspective

Presentation transcript:

1 EU Data Protection Reform: An ICO Perspective
Ian Inman, Group Manager, Strategic Liaison

2 GDPR Is Coming!
"We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public." Karen Bradley MP, Sec. of State for Culture, Media & Sport
The Government has more or less confirmed that, despite the result of the EU referendum, we will be EU members in 2018 and so will be implementing the GDPR. This should remove any lingering uncertainty: organisations have clarity. If you have not already done so, it is time to start preparing for GDPR!

3 What are we doing?
Queries and concerns – top 5
Website – blogs – guidance
Key stakeholders
Change Management Programme
What are we, at the ICO, doing to prepare for the GDPR? We have been listening all year to stakeholder concerns; we want to factor those into how we prioritise guidance. We have been tracking these through the use of a 'top 5' list. We've continued to engage with key stakeholders across all sectors, including NHS England and NHS Digital in the health sector, listening to concerns and queries and providing advice where we can. We are also running the workshop later on in the conference. We have an internal change management programme underway to look at what we do now and what we will need to do in the future, examining staffing, skill sets and structures to make sure we are where we need to be for go-live. We have a DP Reform website and our blog where you can go to keep up to date with all of our latest thinking. We are looking at refreshing our guidance suite.

4 Guidance is being published
We have already released a couple of documents designed to help people who are just starting to get to grips with the GDPR. Our '12 steps to take now' document, published early this year, sets out 12 headline things to start thinking about now to help get things moving. We have since published our 'Overview of the GDPR' guidance, which aims to provide a little more detail on key areas like individuals' rights, conditions for processing, accountability and transparency.

5 Advice & guidance
A29WP Guidance / ICO Guidance topics: Main Establishment; Big Data v2.0; Role of the DPO; Consent; Data Portability; Profiling; Certification; Risk; Risks and DPIAs; Contracts/liability; Fines; Children's privacy; E-Privacy Directive review
We are also working on papers to inform our thinking on some of the topics that have come up time and again in our stakeholder meetings. Consent is clearly an area of some concern across many sectors, as the GDPR sets a higher standard. Profiling is also coming up a lot; we will be looking into what sorts of activities might be covered. We are also starting to think about risky processing, liability and contracts, and issues around children's privacy, though these are in the very early stages. We are not shying away from ensuring we also input into much of the A29WP guidance that is being worked on. The following are due for completion by the end of the year: guidance on main establishment; the role of the DPO; data portability. The rest are well underway but are due to roll over into 2017.

6
1. Transparency
2. Consent
3. Pseudonymised data
4. Legal basis for processing personal data
I wanted to just tease out one or two points for special mention in light of the National Data Guardian's review. We will be looking at what the GDPR requires in terms of transparency and consent in more detail in our workshop later. However, following on from the National Data Guardian's review, there are clearly some areas of both the current regime and the GDPR that are going to be relevant to how that is implemented, particularly transparency and consent. We have been very clear in our responses to the subsequent consultation around the review that, in order for any consent mechanism to function properly, the transparency that goes with it is of paramount importance. Individuals should clearly understand the choice that is available to them and where they do not have a choice. They should know what is happening with their data and why it is happening; otherwise it would be very difficult to say that they had consented (consent needing to be clear, unambiguous, fully informed and freely given in a data protection context). Currently, pseudonymised data is in the vast majority of cases classed as anonymised under the current regime. Under the GDPR it is still subject to certain aspects of the legislation. How will this be reconciled with the findings of the report that consent/opt-out will not apply to data anonymised in line with the ICO Code? Especially since we will probably need to make changes to our anonymisation code. Finally, public bodies will need to be absolutely clear as to what their legal basis for processing is. They can no longer rely on the legitimate interest condition for processing when carrying out their duties. This will help focus minds on what basis you are really processing personal data on.

7 GDPR key areas
Enforcement
Breach notification
In some ways the changes to breach notifications will not be news to health bodies; they are already under an obligation to report incidents to the ICO. However, it has major implications for us, as we will likely be receiving significantly more data breach notifications than we currently do. We also need to revisit our enforcement strategy to see whether it will still be fit for purpose under the new regime. All of these things are to be considered as part of the change programme.

8 Monetary penalties
€20m / 4% WWTO
Obviously the big headline change in enforcement is the change to fines. Certain breaches can be fined up to €10m or 2% of WWTO (worldwide turnover); others attract fines of up to €20m or 4% of WWTO. Crucially, and in a change from perhaps where the focus has been previously, issues related to security breaches will fall within the lower tier of fine. Issues that attract the higher tier include infringements related to: the basic principles for processing; the data subjects' rights. This is a marked shift: individuals' rights are clearly important, and a failure to comply with them can attract a higher fine than failing to keep personal data secure.

9 The future?
We don't know what the future holds post-Brexit. Will we retain the GDPR in full? Will there be some form of UKDPR? There hasn't been any clear indication from government yet as to what may happen once we have left the EU. There are some inferences from comments made that we may see some further reform, but there is nothing concrete about this yet.

10 Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk or find us on… /iconews @iconews

