The first time I saw Christopher Graham speak (he's the UK's Information Commissioner), I thought he still had a bit to learn about his new role. He was about to take office and gave a speech at an event (I've forgotten which one). He gave us a relatively bland snippet of information about his forthcoming reign (sufficiently bland that I can't remember what it was - maybe something about strategy or enforcement). The only bit that sticks in my mind is that he asked us to observe 'Chatham House rules' before he gave it.
Now for someone about to take the top job in information in the UK, charged with enforcing the 'right to know', I thought this was a little naive. It didn't seem to be very sensitive - but even if it was, there was no reason why we, probably a bunch of lawyers and civil servants, should have had privileged access to it. The ICO's in the public sector too, isn't it?
All of which is a slightly unfair way to introduce the fact that I saw him speak again yesterday at pdp's annual Data Protection Compliance Conference. What struck me most from his talk was that the current version of the General Data Protection Regulation is likely to be rather closer to the version that comes into force than I'd perhaps appreciated.
What does this mean for tech businesses?
- If you thought the Data Protection Directive/Act was difficult and they might make things easier, you'll be disappointed. They've cherry-picked 'best practice' from across the EU and codified it - the Regulation is much bigger and much more onerous for businesses.
- If you hold data on behalf of your customers and currently take comfort that you are a mere 'data processor', think again. You'll have a raft of new obligations under the new Regulation.
- This probably means revisiting all your standard customer contracts to make sure you have proper protection.
- And it probably means revisiting any existing contracts too - there's not currently any carve-out for contracts signed before the Regulation comes into force.
- Start budgeting now for your Data Protection Officer and his or her team. If you've more than 250 employees or process a lot of data you'll be required to have one (and will probably need one to make sure you comply with your other obligations anyway).
- Don't take this lightly. The ICO will be able to impose penalties of up to 2% of turnover - and is quite likely to target data processors early on to set an example.
There's a whole lot more too. On the bright side, the law hasn't been finalised yet - so there's still time to lobby your MEP or tell the government if you're worried. And the IC made clear that he feels that the draft Regulation is too prescriptive - so he'll be trying to keep things in check. But he also made clear that people should start readying themselves for change because, the diplomacy of the next year notwithstanding, something looking rather like the current draft is probably coming our way.