better support those organisations without the capacity or obligation to maintain dedicated in-house compliance resources.
All organisations
The ICO has put comprehensive guidance in place to help all organisations understand and comply with their obligations. The aim is now to focus on where existing guidance still needs to be updated and ensure the continued provision of a clear and comprehensive guide to the law.
Alongside guidance, the ICO also has responsibility for creating four statutory codes for:
• data sharing
• direct marketing
• age-appropriate design
• data protection and journalism
These codes are being developed and will play an important part in supporting the implementation of the GDPR in these areas.
Data sharing code
The data sharing code will update the existing data sharing code of practice, which was published in 2011 under the DPA 1998. Data sharing brings important benefits to organisations, citizens and consumers, making their lives easier and helping with the delivery of efficient services. One of the myths of the GDPR is that it prevents data sharing, which isn’t true. The GDPR aims to ensure that there is trust and confidence in how organisations use personal data and that organisations share data securely and fairly. To achieve this, it is important that data controllers have clear guidance on data sharing so that individuals can be confident that their data is shared securely and responsibly. A call for views on the data sharing code closed in September 2018. The ICO is currently considering the views presented and expects to launch a further consultation in June 2019, with the code to be laid before Parliament in the autumn.
Acting on personal data breaches
The ICO received around 14,000 personal data breach (PDB) reports from 25 May 2018 to 1 May 2019, compared to around 3,300 PDB reports in the year from 1 April 2017. 12,000 of these cases were closed during the year and, of these, only around 17.5% required action from the organisation and less than 0.5% led to either an improvement plan or civil monetary penalty. While this means that over 82% of cases required no action from the organisation, it demonstrates that businesses are taking the requirements of the GDPR seriously, and it is encouraging that breaches are being proactively and systematically reported. However, the figures also show that it remains a challenge for organisations and Data Protection Officers (DPOs) to assess and report breaches within the statutory timescales. The ICO recognises this and provides support and guidance to help organisations meet the requirement to report.
Responding to public concerns
Greater awareness of individual rights has meant that the ICO has seen a significant impact on the number of concerns raised with it by the public. From 25 May 2018 to 1 May 2019, over 41,000 data protection concerns were received from the public, almost double the figure for 2017/18, which was around 21,000. Subject access requests (SARs) remain the most frequent complaint category, representing around 38% of data protection complaints received. This is similar to the proportion before the GDPR (39%). In fact, the general trend is that all categories of complaint have risen in proportion with the overall increased number of complaints since the implementation of the GDPR.
ICO resource
Due to the GDPR, the ICO’s workforce has increased, and it is anticipated that by early 2020/21 the ICO will have almost doubled in size over three years. As might be expected, training and developing new staff has been a key feature of the past year.
Looking forward
The Chartered Institute of Payroll Professionals
Payroll: need to know
cipp.org.uk