Implementation of the European Union’s GDPR rule – standing for General Data Protection Regulation – has hit an unexpected snag in the UK.
The legislation is designed to protect data and privacy and give individuals control over their personal data, but there had been fears that due to its sweeping requirements, companies needing to comply would find it difficult to implement.
But who knew the UK Information Commissioner’s Office (ICO), the domestic data protection body issuing guidelines on GDPR compliance, would fail to provide its own staff with a privacy notice even a year after the new rules had first been enforced.
The Register writes about this, citing the ICO’s own guidelines as stating that individuals “have the right to be informed about the collection and use of their personal data” as this is “a key transparency requirement under the GDPR.”
However, ICO’s privacy notice remains “under construction.” An ICO’s spokesperson sought to minimize the controversy by telling the website that ICO employees are “aware of policies” used by the office while collecting and handling their personal data – and that they will have it in writing, as GDPR notices, “in the coming days.”
ICO’s disregard for its own recommendations was discovered in a response the office provided to a question posted under the Freedom of Information Act on the website WhatDoTheyKnow, requesting an up to date copy of the ICO employee privacy notice.
But the data protection body said the notice was “currently under construction.”
In other words, the GDPR, touted only recently by EU Commissioner Digital Economy and Society Mariya Gabriel as having become “a global standard in just under a year” – is yet to become a standard with the British data protection regulator.
Previously, the ICO advised everybody else that “getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.”
This bit has been highlighted in a personal blog post written by Jon Baines, a data protection advisor with Mishcon de Reya law firm.
If you’re wondering, the GDPR will continue to live on in the UK even if the country leaves the EU, as Data Protection Act 2018 that contains equivalent protections.