New European data protection law will come into force in 2017 at the earliest, but UK business should not delay in getting its house in order, says the ICO.
“There is a lot going on in data protection that UK firms should be aware of besides the new EU data protection rules,” deputy information commissioner David Smith told a Westminster eForum in London.
Smith said that from next month, for example, the ICO will have the power to fine organisations for unsolicited calls and emails (spam).
This week, the ICO also acquired the power to prosecute anyone seeking to bypass data protection rules by forcing job candidates to make a subject access request for their own criminal records.
Changes to the UK Data Protection Act that came into effect on 10 March make such enforced subject access requests a criminal offence.
Smith said that while new data protection legislation is being formulated in Brussels, data protection and privacy will continue to be important and UK firms can expect more from the ICO on data sharing.
He hit out at critics who have suggested the ICO imposes monetary penalties for breaches of data protection laws only on public-sector organisations.
“The last five monetary penalties issued by the ICO have involved private-sector companies, which proves that we go after any organisation that breaks the rules,” he said.
Smith said UK organisations can reduce the risk of monetary penalties by ensuring they are patching their software systems and putting proper protections around personal data.
UK firms can also prepare for the coming changes in European data protection rules by ensuring they are in line with current trends.
These include the widening reach of European courts regarding privacy and data protection, the importance of good-quality consent mechanisms, and the importance of privacy by design.
According to Smith, organisations such as Google must realise that they cannot escape European laws and they need to recognise the need for transparency around the collection and use of people’s data.
“Organisations should look to achieve good data governance and ensure they have the right processes in place to respond quickly to change when it comes, rather than focusing on compliance,” he said.
Data protection and privacy experts have suggested that organisations that are waiting for the final text of the new data protection rules to be agreed before acting have already missed the boat.
Much of the objective of the reform has already been achieved because regulators are regulating as if the new legal framework were in place, according to PwC Legal partner Stewart Room.
This matters all the more because the final text faces potentially lengthy delays.
Although the European Parliament has agreed a version of the European Commission’s original proposals, the European Council of Ministers still has to agree on a text.
After that, agreement has to be reached in the so-called trilogue between the commission, parliament and council.
Smith said that although optimists say the text will be finalised by the end of the year, privately they admit it will probably take another year, and then there will be two years before the new laws are enforced.
“But I wouldn’t count on it – there is still a lot to be resolved and that could take some time,” he said.
One of the biggest obstacles will be getting agreement on the draft police and criminal justice data protection directive, as well as the draft general data protection regulation.
Smith said the European Parliament has indicated that it regards both pieces of legislation to be part of a single data reform package and one cannot progress without the other.
“The European Council has concentrated only on the general regulation while the law enforcement directive is still on the table, which means the trilogue will not get off to a good start,” he said.
Smith said the most important principle in the proposed data protection regulation is the shift in the balance of power away from government and business and towards individuals whose data is collected.
“The legislation aims to counterbalance the power of government and business to collect, retain and use the data of citizens,” he said.
However, Smith expressed concern that, amid a fresh round of lobbying in Brussels, the process of formulating the laws is “slipping away” from what is practical.
He also expressed fears about the threat to encryption. “We have no answer to how to give the ‘good guys’ the keys, but at the same time keep them away from the ‘bad guys’,” said Smith. “I can’t see how these things can be reconciled.”