Regulatory Update – ICO Privacy Seals

The ICO has announced it will go ahead with the implementation of its privacy seal schemes. This will mean companies can receive a “stamp of approval” regarding data protection regulations, which will prove that they are serious about their customers’ personal data. Organisations that show good practice will be awarded the privacy seal by ICO-approved third-party schemes, which will be designed to operate in different sectors/industries. The ICO has stated that some of these schemes could be operational as early as 2016.

The ICO will require that schemes in each industry follow the same objectives, including improving data protection compliance and monitoring constantly evolving privacy and technology issues. To be eligible to issue the “stamp of approval”, member schemes must demonstrate clear assessment criteria and regular audit or review processes. The aim is to ensure that when individual organisations earn the privacy seal, consumers really can be confident that their data is in safe hands.

Full steam ahead

In a public consultation regarding the matter, suggestions to hold off the implementation until the new General Data Protection Regulation is in force were disregarded by the ICO:

“We do not agree that we should delay our progress and intention to introduce a privacy seal scheme in the UK. We are taking this opportunity to build the ICO’s expertise in an area that will become significant in the near future because of the Regulation. Ideally, we would like to see ICO endorsed schemes to be consistent with the provisions at the European level once the Regulation is in force, and are watching developments closely.”

UK/EU distinction

Despite the proposed harmonisation with the imminent European regulations, the seal of approval will be somewhat limited to UK data processors. Some responses to the consultation suggested that an EU-wide seal of approval might be more appropriate given the proposed GDPR. However, the ICO stated that it can only operate within its jurisdiction, and that mutual recognition of schemes by more than one data protection authority is unlikely.

A nationally recognised seal of approval

The ICO did make some changes to its draft framework, and has developed the branding strategy to design a single universal seal to be used by endorsed schemes. The plan is to trademark the seal to enable the licensing of its use under ICO guidelines.

For organisations that process personal data in the UK, the ICO’s plans could be an excellent opportunity to boast good data protection practices to consumers and potential customers. Developing a responsible image is important in many industries and shouldn’t be underestimated.