ICO demands more resources or less burdensome new EU DP regime

The Information Commissioner, Christopher Graham, says that the current draft EU Data Protection Regulation would impose so many new tasks on the ICO that it could not cope on its current funding, or indeed with less money should the income from notifications be taken away.

In a letter to the Secretary of State for Justice, Chris Grayling, Graham stresses that the consistency mechanism, which would rely on just one lead DPA for multinational companies, would bring even more work to the ICO, as many companies base their EU regional headquarters in the UK. Graham thinks that it would be regrettable if the EU DP Regulation led to forum-shopping.

Graham underlines the following negative impacts that the Regulation, in its current state, would bring:

- More emphasis on enforcement and fewer resources for education
- All data breaches to be reported (instead of just those that pose a significant risk)
- Prior authorisation for international transfers
- Limited discretion with regard to fines
- Consistency mechanism would not be risk-based enough

If the ICO does not receive more funding, it will have to change its regulatory approach from the current advisory and educational one, where the ICO enforces where it sees most risks, to a more process-driven role with prior checking, administering fines and processing breach notifications, Graham says.

See the letter of 24 May.