Businesses should be forging ahead with preparations to comply with the EU General Data Protection Regulation (GDPR) regardless of Brexit, says the Information Commissioner’s Office (ICO)
Brexit created some uncertainty and may have caused some organisations to “take their foot of the gas”, according to Jonathan Bamford, head of parliamentary and government affairs at the ICO.
“But the UK will still be in the EU when the GDPR comes into full effect and organisations will have to comply,” he told a Westminster eForum event in London.
The government has also signalled its intention to implement the GDPR fully to ensure there is no interruption in the free flow of data between the UK and the EU after Brexit.
Bamford said the reason the implementation phase was two years was because some organisations would have a lot to do to ensure they are in compliance with the GDPR by 25 May 2018.
“We all need to keep our foot firmly on the gas in the coming months to ensure that we are ready,” he said. For its part, the ICO was continually producing new guidance to “signpost the way”, he said.
But this is not just about the GDPR, said Bamford – the ICO is also looking beyond the EU and is developing a new international strategy.
This includes ensuring that the UK maintains a high data protection standard globally, leading the way where possible, and securing a new relationship with the EU in the post-Brexit era.
“The strategy is about making sure the ICO is forward-looking and outward-looking in the same way as the country will be as a whole,” said Bamford.
Elizabeth Denham, the new information commissioner, comes with a wealth of experience, said Bamford, having spent the five years before joining the ICO as the privacy and information commissioner for the Canadian province of British Columbia. Before that, she was Canada’s assistant privacy commissioner.
“She has one core message,” said Bamford. “She wants to build a culture of data confidence in the UK. We are going to be aligned to ensure that happens.
“We believe you can all innovate, and that we can have privacy in your innovation. It is all about trust, and trust building reputation.
“We are very keen for organisations to be proactive in asserting what they do in terms of looking after people’s information, and praising those who do a good job – not just wielding a big stick. We want people to do the right thing in the first place.”
But business should not lose sight of the reasons for the changes, said Bamford. Data protection should no longer be thought of in terms of bureaucratic red tape, but as the cornerstone of the digital economy.
The GDPR and other regulatory changes are about laws catching up with the way things are working in the real world, he said. “It is important that we all up our game here. Our citizens are going to need those laws and safeguards more than ever. Whatever our geopolitical alignment is going to be in future, that is essential. We want to help ensure that the end result is that the public have trust and confidence in all those who process their personal information.”