The Information Commissioner's Office (ICO) has published its international strategy, setting out its route toward an outward looking and General Data Protection Regulation compliant Britain. The strategy sets out the ICO's international vision until 2021.
The document begins by noting, “As the UK prepares to leave the EU, the formal relationship between the ICO and EU data protection authorities will change.” Still, it adds, “Our relationship with our EU partners will remain highly important.”
The strategy sets out the regulator's commitment to strengthening its bonds with European bodies like the Article 29 Working Party, which designed the GDPR, and the European Data Protection Board, which according to the document, “will be a highly influential global players in setting the direction for data protection and privacy standards.”
Its collaboration with political bodies and private industry will look to “turn the GDPR's accountability principles into a robust but flexible global solution.”
The ICO goes on to underline its continuing role as a national regulator with strong international connections not just in the EU, but looking ahead, to the rest of the world, too. This will apply in knowledge sharing and standards just as much as enforcement. It will be hosting a variety of international conferences in the coming years including the International Conference of Data Protection and Privacy Commissioners.
To that end, the office will establish an International Strategy and Intelligence Department, to help carry out the strategy.
These points are all set out under the assumption that the GDPR will be incorporated into UK law before Brexit, to ensure continuity as the UK departs.
Confusion reigned for a time as organisations jostled with the seemingly paradoxical situation of complying with the GDPR while also preparing to leave the European Union, the body that provides the weight to the bill.
The ICO has done its best to clear up that confusion. Elizabeth Denham, the Information Commissioner, has been unequivocal in her desire to see the GDPR applied in the UK, with or without Brexit. She even appeared in front of the House of Lords in March announcing her desire to grow the ICO by around 40 percent over the next two years.
The 200 more lawyers, investigators and specialists the ICO wants to hire are intended to help UK organisations comply with exactly that European law.
And for those that were still unsure, the UK's commitment to the GDPR was made clear in The Queen's June speech: “To implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU.”
“GDPR drives companies toward best practice for individual personal data, that alone should be reason enough to work toward compliance”, Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust told SC Media UK.
Any company that wanted to do business in the EU would have had to comply, with or without the ICO's watchful gaze: “The scope of GDPR is effectively defined as wherever data about an EU citizen who is in the EU is processed or stored. The law does not need to be integrated with UK law to be applicable, although it may be harder to enforce without it being incorporated in UK law. “
Anyway, added Chappell, “At the base level, GDPR is there to force companies to do what they should be doing anyway; with that in mind, is there any excuse for not complying?”