ICO chief says no ‘fixed point’ for GDPR compliance
Elizabeth Denham attempts to allay fears over a hard deadline for the General Data Protection Regulation
Information Commissioner Elizabeth Denham has said her organisation is not planning to take a hard line on the 25 May implementation date for compliance with the EU General Data Protection Regulation (GDPR).
She has given the assurance in an effort to bust what she described as the biggest myth around the new regulation – that it needs urgent action to comply with a fixed point deadline on a par with the Y2K Millennium Bug.
Instead, she indicated that compliance should involve an ongoing effort in which organisations have to show they are putting the key building blocks in place.
The approach of GDPR implementation has caused alarm in parts of the public sector, with senior officials fearing their organisations could be subject to sanctions immediately for failing to comply with all the details of the regulation. Anxieties have been compounded by an apparent tension between the GDPR’s constraints on data sharing and the framework for doing so in the UK Digital Economy Act.
Fair and proportionate
Writing in an Information Commissioner’s Office (ICO) blog, Denham said there will be no ‘grace’ period as organisations will already have had two years to prepare.
“But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog,” she added. “Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.
“That means being able to show you have been thinking about the essential elements outlined below and who is responsible for what within the business.”
She also outlined the key building blocks including: understanding the information already held; implementing accountability measures; ensuring appropriate security; and providing appropriate training for staff.
In addition, Denham points to the ICO’s guidance on compliance. While this is not a definitive document and there will be more guidance to come, she says it should provide significant help.