Information Commissioner Christopher Graham has called upon organisations to begin their preparations for the forthcoming EU data protection reforms.
Speaking at the ICO’s annual Data Protection Practitioners’ Conference held in Manchester, Graham highlighted how maximum fines as high as 20 million Euros for breaches of the new EU General Data Protection Regulation mean that organisations cannot afford to “get data protection wrong”.
Graham stated: “People have never been so aware of what their personal data is, and never cared so much about how it’s used. The law is changing to reflect that.”
The Information Commissioner continued: “The EU’s data protection reforms promise to be the biggest shake-up for consumers’ data protection rights for three decades. Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the Boardroom. The new law gives directors 20 million reasons to start listening.”
The EU’s General Data Protection Regulation is four years in the making. Agreement on the new rules was reached last December, and work is now ongoing around translation and legal accuracy. Final political sign-off is expected in the summer, followed by a two-year transition period before the regulation becomes law across the EU (including replacing the EU Directive upon which the UK’s Data Protection Act 1998 is based).
Guidance work to be done
As the regulator, the ICO’s role is not just about enforcement and fines. There’s a significant amount of work to be done in guiding organisations who want to make sure they’re following the new rules, and getting it right from the start. With that in mind, the ICO is publishing a guide setting out how organisations can begin their preparations for the changes.
Launched at the Manchester conference, the 12-step guide will explain that many of the new law’s concepts and principles are the same as those currently in UK law, but new elements and significant enhancements mean organisations will have to do some things differently.
The ICO’s Data Protection Practitioners’ Conference brought together over 800 delegates from a variety of sectors. As well as key speakers, the event included workshops on a range of data protection topics, from handling subject access requests through to CCTV.
BSIA’s Information Destruction Section offers expert advice
The British Security Industry Association’s (BSIA) Information Destruction Section exhibited at the Data Protection Practitioners’ Conference.
Running alongside the busy seminar programme was an information market where organisations involved in activities that are relevant to the Data Protection Act could exhibit. The BSIA’s Information Destruction Section had expert representatives on hand throughout the day to provide advice and guidance on secure data destruction.
Adam Chandler, chairman of the BSIA’s Information Destruction Section, explained: “Under the Seventh Principle of the Data Protection Act, a business must take appropriate measures against accidental loss, destruction or damage to personal data and against unauthorised or unlawful processing of that data. To fully comply with the Act, a data handler must have a written contract with a company capable of handling confidential waste, which can provide a guarantee that all aspects of collection and destruction are carried out in a secure and compliant manner. To ensure this, suppliers should comply with the European Standard BS EN 15713:2009 for security shredding and also BS 7858 for staff vetting.”
For further information about the BSIA’s Information Destruction Section visit: http://www.bsia.co.uk/sections/information-destruction.aspx