Insurance Regulatory eBulletin - Data protection

ICO seeks comments on draft data protection impact assessment guidance
On 26 March, the Information Commissioner's Office (ICO) issued a notice regarding the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. The GDPR makes data protection impact assessments (DPIAs) a legal requirement in certain circumstances. Under the Data Protection Act 1998, privacy impact assessments for new and innovative but potentially high-risk types of processing were voluntary, although recommended by the ICO.

The ICO notes that DPIAs will allow organisations to comply with data protection obligations, meet privacy expectations and help prevent reputational damage. The draft DPIA guidance builds on the ICO's PIA code, with further detail on specific GDPR requirements, and sets out the circumstances in which controllers will be required to consult the ICO prior to processing if the potential risks identified in their DPIA cannot be reduced to an acceptable level.

The ICO is seeking comments on this draft guidance, particularly on whether or not it is clear when a DPIA will be necessary, and asks controllers to inform it if they consider that they may need to submit a DPIA to the ICO for written advice in the 12 months following 25 May 2018.

In addition, the ICO is planning a podcast on the DPIA guidance in the coming weeks.