Business as usual? Brexit, the ICO and the EU GDPR
Earlier this week, Sir Christopher Graham delivered his final annual report as Information Commissioner. Although, for the most part, the presentations given by Graham and Deputy Commissioner Simon Entwisle focused on statistics, insights and reflections of the previous year's work, there was one topic the audience routinely brought back to the agenda: Brexit and what it means for the newly passed EU General Data Protection Regulation (GDPR).
After more than two years of discussion and debate, the final terms of the EU GDPR were settled in April 2016. The legislation is intended to provide a single data protection framework across EU member states, ensuring equal security for citizens' sensitive information and making it easier for EU businesses to function within and across the different countries in the digital age.
The regulation brings with it significant changes from current legislation, in particular the UK's Data Protection Act of 1998. As a start, financial sanctions for those breaching the regulation will become tougher – either up to 4% of annual global turnover or €20,000,000 (whichever is higher). The regulation will also enforce mandatory reporting of data breaches for all industries (something that is currently only the case for specific sectors). Other key changes include expanding organisations’ responsibility for sensitive data by calling for ‘Privacy by Design and by Default’, the need to appoint data protection officers and the requirement to gather valid consent from individuals.
It was agreed that the regulation would come into force for EU member states (including, at that time, the UK) in May 2018.
What does Brexit mean for the EU GDPR?
Last week's referendum result, which saw 52% of the country back a campaign to lead Britain out of the EU, has caused many to speculate on the future of the EU GDPR in the UK. Unsurprisingly, therefore, this topic dominated the Q&A with Graham.
Although nothing can yet be said with full certainty, and Graham was careful to stress this point repeatedly, he did offer some insight and assurances from his years of working and negotiating with government.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary," Graham commented. He went on to comment that the UK has always been at the forefront of delivering the highest levels of protection for personal data, preceding EU legislation by more than a decade and going beyond current EU requirements, and that the Information Commissioner’s Office (ICO) would continue to work with government to ensure this remains the case.
When challenged about the UK’s relationship with remaining EU member states, Graham stated that “international consistency around data protections laws and rights is crucial – for business, consumers and citizens”. This statement is consistent with the ICO’s immediate response to the referendum result that while the UK wants to trade with the Single Market on equal terms, they will have to ensure any national legislation provides ‘adequate’ protection – that is, it would have to be the equivalent of the EU GDPR.
“The ICO has got to play its part in keeping everyone up to the mark and upholding data protection rights in the UK,” Graham continued. “We must maintain the confidence of businesses and of consumers. We can’t do all the positive of digital unless we’re looking after people’s data.
“The ICO stands ready to enforce the rules that remain and make the case for the highest standards going forward,” he promised. “And we will be there to help Data Protection Officers navigate the turbulent waters over the coming two years.”
What else was up for discussion at the ICO annual report launch?
Graham and Entwisle both celebrated a successful year for the ICO. While still focusing on the goals in its corporate plan, the regulator has also had to respond to several unexpected occurrences, including the big data breach at TalkTalk, acting on allegations about charity fundraising methods breaching data protection and privacy laws, and counselling on transatlantic data flows.
Additionally, the regulator received a 15.1% increase in the number of data protection concerns reported for 2015/16 compared with 2014/15. Despite this, ICO staff completed 4.7% more cases than in the previous year, leaving fewer to carry over. Of those remaining, almost two-thirds (64%) have only been with the ICO for 0-30 days, and the vast majority of completed cases (92.5%) were closed within 90 days.
Where a specific sector was specified, most industries saw an increase in the number of reported concerns. Leading the charge was the healthcare sector, which is also the top sector for self-reported concerns. However, as Entwisle noted, mandatory reporting of data breaches within this industry does influence these figures. Interestingly, local government saw a 1% decrease in the number of data protection concerns reported. This supports findings of Egress’ most recent FOI request to the regulatory body and champions the measures taken by this sector to enhance protection of citizens’ personal data.
It is fair to say that Graham leaves behind him a legacy of a highly efficient regulatory body. Despite, as Graham noted, facing ongoing resource cuts, the ICO undergoes continual improvement to remain constantly relevant in the changing data protection landscape. As the new Information Commissioner, although Elizabeth Denham will initially step into her role amidst certain widespread political concerns, she will inherit an agency resolved to overcoming any challenges it may face.