Any hope that a tough new data protection regime will be enforced lightly at first was dashed this week by a senior figure at the Information Commissioner's Office (ICO). The EU General Data Protection Regulation (GDPR) comes into force on 25 May next year, regardless of domestic legislation currently before parliament.
The regulation places statutory duties on organisations that process personal data and sharply increases the maximum penalty for breaches.
'Day 1 is Day 1. It will be in force,' Karen Round, head of private sector engagement at the ICO, told the Law Society conference Legal Services in a Data Driven World. However, she stressed that the changes amount to 'evolution not revolution'.
The new regime's requirements, for example to carry out privacy impact assessments, 'are not new concepts', she said. 'The difference is they are moving onto a statutory footing. If you have been following our good practice guidance for some time your firm is going to be in a good starting position in May.'
However, conference chair Peter Wright, Law Society council member and managing director of DigitalLawUK, reminded delegates that just 150 working days remain until the regulation comes into force. One expert panellist painted an alarming picture of businesses only just realising the implications. 'There is total panic,' she said.
The conference heard that several grey areas remain in how the regulation will be interpreted, for example where the new position of data protection officer should sit within an organisation. Meanwhile, domestic legislation to implement the regulation, along with a separate law enforcement directive, is still going through parliament. The Data Protection Bill is due to have its second reading on 10 October.
Round admitted that 'some gaps' remain in guidance on implementation. 'We're working as best we can to produce some workable guidance as best we can and as quickly as we can.' Lawyers can keep track by following the ICO's 'myth-busting' blogs, she recommended. The latest tackles requirements for mandatory reporting of breaches, which she stressed apply only to breaches 'likely to result in a risk to people's rights and freedoms'.