A recent blog published on the Information Commissioner's Office (ICO) website sets out the UK regulator's opinions on the current draft of the General Data Protection Regulation.
The ICO welcomes recent comments by the director general of the Commission's Justice Directorate that the final regulation will adopt a more risk-based approach, allaying fears that the new framework would place excessive burdens on SMEs that would otherwise face significant administrative obligations in order to comply with the law. The ICO also welcomed the draft regulation's emphasis on the privacy rights of individuals, particularly those designed to ensure an individual's genuine consent where personal data are processed on the basis of consent and to strengthen individuals' rights to object to processing of their data—one element of the so-called “right to be forgotten.”
However, the ICO highlighted some concerns, including the additional flexibility the framework is offering to the public sector; the increased role expected of national data protection authorities (DPAs) in signing off arrangements for protecting personal data in international data transfers; and the impact the draft regulation will have on how DPAs are funded.
The ICO also supports proposals for encouraging “pseudonymisation”—whereby, through measures taken to disguise an individual's identity, data relating to that individual could be collected and processed without attracting the full force of all legal obligations imposed by the regulation, for instance through reduced responsibilities to notify data breaches of pseudonymised data.
The ICO concludes that it remains hopeful that an improved regulation will emerge at the end of the year, despite highlighting that a European Parliament vote on the regulation has been rescheduled to May 29 in order to allow more time for political discussions on the 3,000-plus proposed amendments that have been tabled.
The full ICO blog is available here.