[BreachExchange] ICO warning over personal data breaches

[Audrey McNeil]

http://www.lawgazette.co.uk/law/ico-warning-over-personal-data-breaches/5054234.fullarticle

Forthcoming data protection reforms will impose new notification
requirements on companies in the event of a personal data breach, the
Information Commissioner’s Office has warned.

A new EU General Data Protection Regulation will replace all data
protection legislation in EU member states, including the UK’s Data
Protection Act (DPA), without the need for further national legislation. It
is expected to come into force in 2018.

Publishing a 12-step checklist this week for companies to ‘take now’ to
prepare for the forthcoming regulation, the ICO says companies must have
the right procedures in place to detect, report and investigate a personal
data breach.

Some organisations are already required to notify the ICO when they
experience a personal data breach. However, the regulation will introduce a
‘breach-notification duty across the board’ which, the ICO said, will be
‘new’ to many organisations.

Organisations operating internationally will also need to determine which
data protection supervisory authority they come under.

The ICO said the regulation contains ‘quite complex’ arrangements for
working out the correct authority that will take the lead when
investigating a complaint with an international aspect.

‘Put simply, the lead authority is determined according to where your
organisation has its main administration or where decisions about data
processing are made,’ it says.

‘In traditional headquarters this is easy to determine. It is more
difficult for complex, multi-site companies where decisions about differing
processing activities are taken in difference places.’

The ICO’s head of policy, Steve Wood, said people were beginning to
‘develop a plan’ and wanted to take ‘key steps’ ahead of the regulation’s
implementation.

In a blog post on the ICO’s website, Wood said: ‘Many of the principles in
the new legislation are much the same as those in the current DPA. If you
are complying properly with the current law, then you have a strong
starting point to build from.

’But there are important new elements, and some things will need to be done
differently.’

The new law, he added, would ‘enhance the rights of data subjects and place
more obligations on organisations to be accountable for their use of
personal data’.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160317/96114523/attachment.html>