User menu

Reform of data protection laws hits home straight

By Christopher Graham, Information Commissioner

It’s taken four years of debate, but as we reach the 1,422nd day of planning, discussion and negotiation, agreement has finally been reached on the reform of data protection laws.

Last night, the institutions of the European Union – the Commission, the Council, and the Parliament – reached agreement on the new rules that will be put in place across the EU, and that will replace the UK’s Data Protection Act 1998. Tomorrow the key Parliamentary committee is expected to vote in support.

In turn, heads of government and the full Parliament are expected to add their agreement at their meetings in January, and the political agreement still has to be expressed in the texts of a General Data Protection Regulation and, in parallel, a new Directive for police and justice issues. So the final shape of the new rules will be clear early next year – and there will then be a two year transition period, during which we will all have to accustom ourselves to a different way of doing things.

The reforms agreed will mean change. Four years of work has created a set of rules that will need adjustments from consumers, businesses and, of course, the regulator. But it’s progress that the EU is moving on from trying to regulate 21st century digital developments with legislation dating from 20 years ago. Most crucially, a new law will remind people of their data protection rights, and remind organisations of their data protection responsibilities. That can only be welcomed.

As the UK’s data protection regulator, the ICO’s priority for 2016 will be making sure that we do all in our power to ease the introduction of the new rules – for data controllers and data subjects alike. Our approach to regulation begins with clear advice and guidance. We will focus on the new elements first, whilst remembering that there is much in the new regulation that will be familiar to us – the new principles are pretty much the same as the old ones.

Our work will be informed by listening and learning about the challenges posed by implementation. We are planning a series of explanatory blogs, events, and webinars to help everyone to get ready for the new regime, notably our data protection practitioners conference in March. We’ll be updating our publications and using our website to make things easy – and above all clear – for all who need to know. We’ll also be working closely with the Department of Culture, Media, and Sport who are the Whitehall Department leading on the digital economy.

It will take time to understand fully all the implications of the new legislation – the new regulation contains a great deal of compliance detail that isn’t present in the current law. But there is no doubt that the best preparation for an organisation is to comply with the current law – there are many parts of the new legislation that won’t be that new to us.

I’m in Brussels today for a meeting of the Article 29 Working Party, the conference of all the EU’s data protection authorities. It will be important for the ICO to keep in step with colleagues in other EU jurisdictions and there will, no doubt, be further guidance from that forum too. Under the new Regulation, this group will become a European Data Protection Board, overseeing a ‘one stop shop’ arrangement that will make for consistency of decision-making for international companies and cross-border service providers. No doubt we’ll be dealing with some significant issues that affect individuals across the EU.

The new regime will challenge the ICO to do some things differently. But we are determined to play our part in readying the UK for the big changes that will need to be in place for 2018 at the latest. After all, the ICO exists to uphold information rights in the public interest – and that means helping  data controllers to comply with the new rules, and helping data subjects (that’s you and me) to understand and exercise our rights as citizens and consumers.

We’ll be publishing progress updates here and on the ICO website, so it would be a good idea to follow us on Twitter and sign up for our regular ICO newsletters. Working together in 2016, we can make the transfer to the new rules smooth and successful.

Christopher GrahamChristopher Graham, Information Commissioner, has a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws.