Now that GDPR has become a fact of life, the Information Commissioner’s Office (the ICO) is acting to establish what its effects will be on companies and on how they interact with their customers.
To that end, the ICO is consulting on a new Regulatory Action Policy (the RAP). This will clarify and provide “direction and focus” on how the newly enforceable EU GDPR provisions will affect both those they regulate (companies, public bodies and organisations) and their customers and the public.
Although it is the regulator, the ICO says that it is committed to an approach of “balanced regulation”. This means that it wants to ensure that customers and the public can be confident that their private data is protected while at the same time allowing businesses and other bodies to “operate and innovate efficiently”, says London-based commercial law firm Kingsley Napley, which has a specialist GDPR team.
To quote the ICO: “We will be as robust as we need to be in upholding the law, whilst ensuring that commercial enterprise is not constrained by red tape, or concerns that sanctions will be used disproportionately.”
To that end, the ICO has set out its regulatory priorities for 2018-2019, and given a good idea of the sectors and instances it is especially concerned with. These are:
- Large-scale data and/or cyber security data breaches that involve financial or sensitive information (that could mean banks, merchants or other holders of sensitive information such as medical or care records)
- Companies or organisations that use AI or automated decision-making (these include, for instance, insurance and financial companies that rely on so-called “robo-advisers”)
- Anyone using web and cross-device tracking software (famously, Facebook but also smaller organisations that “track” users’ activity and preferences, including for political purposes)
- Companies with privacy implications for children (including IoT-connected toys, social media sites that target the under-16s and developers of apps aimed at children)
- Anyone using or developing applications involving facial recognition
- Credit reference agencies and data broking
The last of these has huge implications for the financial services sector, which relies on sharing of information. The ICO is also flagging up services that use and share law enforcement and intelligence data, which will have implications for organisations that include those in the care and social services sector.
And it also states that it will be examining how the “right to be forgotten” and erasure applications will be affected by the new GDPR regime.