GDPR will have an impact on the ICO’s business friendliness

The ICO’s current regulatory style may have to change somewhat under the EU DP General Data Protection Regulation (GDPR). Ian Bourne, DP Policy Delivery Group Manager, ICO, said at a PL&B/Browne Jacobson seminar in London yesterday: “The ICO’s traditional ability to be flexible and business savvy will be under much more scrutiny from other DPAs and the European Data Protection Board (EDPB) as well as the European Commission. So we will have some challenging times internationally.”

“We now have a reasonable picture of which aspects business has issues with, and this will be reflected in our guidance. The ICO will issue guidance soon, first on the main practical aspects to identify the differences between the current law and the GDPR. An automated breach notification system is now being developed.”

“The Regulation has direct effect. But we also have around 40 areas where EU Member States can exercise national discretion, for example, national security, crime prevention, freedom of expression, such as whether citizen bloggers can enjoy the journalistic exemption. I imagine that the government wants to keep these issues as similar to the current position as possible.”

Bourne said that the Department of Culture, Media and Sports (DCMS) is now working on the UK law – how to marry the Regulation text with national interpretation of the exemptions.

Also the EU Article 29 Data Protection Working Party is now very busy. “We are trying to get the Art. 29 DP Working Party to reform itself – the EDPB will be very different, as it will be able to issue binding decisions, and the UK could be voted out by a majority vote. We will have to bring these messages to business which will be difficult,” Bourne said.

Under the EDPB, any fine that the ICO issues could be challenged if the other DPAs think it is too low. The Article 29 DP Working Party is now working hard to get the Board running and agree on the rules – how to conduct voting for example.

Yesterday’s seminar on GDPR compliance will be repeated in Birmingham on 28 September. See