
GDPR to place extra burden on ICO, says commissioner

The GDPR and global enforcement work will place an extra work burden on the ICO, but government has collaborated on a new funding plan that is awaiting parliamentary approval

The Information Commissioner’s Office (ICO) plans to expand its staff to deal with the extra work burden to be imposed by the European Union’s (EU’s) General Data Protection Regulation (GDPR).

“With the coming of the GDPR, we will have more responsibilities and new enforcement powers,” said UK information commissioner Elizabeth Denham.

“For example, there will be a mandatory requirement for companies and public bodies to report to us when there is a security breach involving personal information,” she said.

In the light of these changes, the ICO is putting in new measures, which include plans to recruit 200 additional staff to take the total number to around 700 in the next three years, Denham told the House of Lords EU Home Affairs Sub-Committee in its latest hearing on the new EU data protection package.

Currently, the bulk of the ICO’s staff of lawyers, investigators, former police officers, policy analysts and advisors is based at the ICO office near Manchester, but the ICO also has offices in Northern Ireland, Scotland, Wales and London.

Denham said it would take time to recruit all the staff required, especially as the ICO is competing for people with specialist skills against public bodies and private sector organisations.

“Commercial entities can pay more money than government,” she said, admitting that it is a challenge to attract and retain people with the right skills.

However, Denham said she was determined to keep her staff because the ICO is doing “socially relevant work” and that she had a plan.

“We need to be strategic in terms of our offering because we will never be able to match the salaries, but we can offer other benefits such as flexible working,” said Denham.

ICO ‘primary educators’ on data regulation

The most pressing staff needs are in relation to the GDPR, she said, especially in terms of increased duties and educating people about the implications of the regulation.

“Education is probably the most important function of the ICO, especially when you have a new regulation coming in that will be directly applicable on 25 May 2018 because the UK will still be in the EU.

“This is a once in a generation change in the law, and we are the primary educators for data controllers on what their new responsibilities are, and to the public on what their new rights will be,” she said.

Denham said it is challenging to run an education initiative, change the ICO’s functions and keep up with day-to-day business at the same time. “This means it feels a lot like changing tyres on a moving car,” she said.

Brexit has also added work for the ICO’s policy staff to ensure they can give advice to government and to parliament about what the various impacts would be of different regulatory arrangements post-Brexit.

International data work ‘increasingly important’

Denham said in addition to the new work related to the GDPR and Brexit, the UK is increasing the work it is doing internationally regarding data protection enforcement.

“The ICO is one of the largest regulators globally. We have 35 years’ experience in this space and we have a newly developed international strategy,” she said.

“We are going to continue to lean in and engage deeply in work with our European colleagues on the implementation of the GDPR, but at the same time we are engaging in global enforcement work beyond Europe, which involves building bridges with other regulators around the world.”

Denham said the ICO recently met the Japanese data protection commission and is setting up a memorandum of understanding for co-operative work, and met with the Asia Pacific Privacy Authorities in December 2016, with plans to meet the US Federal Trade Commission in the coming months.

“A lot of our work is going to be beyond Europe – not just because of Brexit but because data knows no borders and we need to work together,” she said.

Even if the UK were staying in the EU, Denham said the ICO’s international work is increasingly important because other jurisdictions affect the UK. “Decisions that are made in Singapore on data protection will affect here and courts are looking at each other’s decisions.”

Denham said the ICO has assessed its technical, staffing and physical space needs and presented the business case to government.

In the past, the ICO has been funded mainly by fees paid by data controllers when they notify the ICO that they are processing personal data.

“But when the GDPR comes in there will be no requirement for notification, so we need to come up with a new fee structure that funds the regulator,” said Denham.

“The government has done a lot of work on this in partnership with the ICO and we have a new fee structure that needs to be approved by parliament, and hopefully this will be done before the notification fee falls away in 2018,” she said.
