With just under one year to go before the EU General Data Protection Regulation (“GDPR”) becomes law across the European Union, the UK Information Commissioner’s Office (“ICO”) has continued its efforts to help businesses prepare for the new law. The ICO also has taken steps to address its own role post-Brexit.
In a YouTube video published on May 25, 2017, Information Commissioner Elizabeth Denham stressed the importance of preparing for the GDPR, warning that companies risk enforcement action – and the inevitable reputational and financial damage that follows—if they do not make data protection a cornerstone of their business policies and practices.
The ICO also published guidance materials for organizations grappling with the GDPR’s requirements. This includes an updated (1) data protection self-assessment toolkit for small and medium-sized enterprises, which introduces an element aimed at helping organizations chart their GDPR compliance progress and (2) 12 steps to take now guidance.
On May 25, 2017, the ICO also unveiled its Information Rights Strategic Plan 2017-2021 (the “Plan”). The Plan outlines five goals:
- increase the public’s trust and confidence in how data is used and made available;
- improve standards of information rights practices through clear, inspiring and targeted engagement and influence;
- maintain and develop influence within the global information rights regulatory community;
- stay relevant, provide excellent public service and keep abreast of evolving technology; and
- enforce the laws the ICO helps to shape and oversee.
Acknowledging that the ICO’s role within Europe will change when the UK leaves the European Union, and will bring with it a number of challenges, the Plan nevertheless stresses that the ICO will continue to play a full part in EU data protection working groups and boards until Brexit. It will work closely with EU partners post-Brexit as well, including the European Data Protection Board (on which, post-Brexit, the ICO will lose its seat). The ICO also pledges to work closely with the UK government to define its role in any transitional arrangements immediately following the UK’s departure from the EU.
The European Commission has also released a statement marking the GDPR’s one year to go milestone. According to the statement, the European Commission pledges to work with EU Member States and engage with companies to ensure that individuals are aware of their rights and businesses are prepared for their new compliance obligations.