The Information Commissioner Christopher Graham will today call for organisations to begin their preparations for the forthcoming EU data protection reforms.

Speaking at the ICO’s annual Data Protection Practitioners’ Conference, Christopher Graham will highlight how maximum fines as high as 20 million euros for breaches of the new data protection regulation mean organisations cannot afford to get data protection wrong:

“People have never been so aware of what their personal data is, and never cared so much about how it is used. The law is changing to reflect that.

“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades. Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the boardroom. The new law gives directors 20 million reasons to start listening.”

The EU’s General Data Protection Regulation is four years in the making. Agreement on the new rules was reached last December, and work is now ongoing around translation and legal accuracy. Final political sign-off is expected in the summer, followed by a two year transition period before the regulation becomes law across the EU, including replacing the EU Directive on which the UK’s Data Protection Act 1998 is based on.

As the regulator, the ICO’s role is not just about enforcement and fines, and there’s a significant amount of work to be done guiding organisations who want to make sure they’re following the new rules, and getting it right from the start. With that in mind, the ICO will today publish a guide setting out how organisations can begin their preparations for the changes. The 12 step guide, launched at the Manchester conference, will explain that many of the new laws’ concepts and principles are the same as those currently in UK law, but new elements and significant enhancements mean organisations will have to do some things differently.

The ICO conference brings together over 800 delegates attending from a variety of different sectors. As well as key speakers, the event includes workshops on a range of data protection topics, from handling subject access requests to CCTV.

The speakers and workshops will be live streamed throughout the day, and are available on the conference website. We’re working with Reframed, allowing people to comment on and share specific moments of video, either through the video player or on twitter using #dppc2016.

Notes for editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

  3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.

  4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

    • Fairly and lawfully processed

    • Processed for limited purposes

    • Adequate, relevant and not excessive

    • Accurate and up to date

    • Not kept for longer than is necessary

    • Processed in line with your rights

    • Secure

    • Not transferred to other countries without adequate protection