
GDPR: Don’t panic, but seize the chance to build trust, says ICO

With the compliance deadline for the EU’s GDPR just 112 days away, the UK’s information commissioner has urged organisations not to panic, but to seize the chance to build trust with customers

The EU’s General Data Protection Regulation (GDPR) and the GDPR-aligned new UK data protection rules are an opportunity to build trust, according to the head of the UK privacy watchdog.

25 May is the beginning of something new, but it is an evolution of what has gone before, information commissioner Elizabeth Denham told an event hosted by the Association of Chief Executives and the Public Chairs’ Forum in London.

The GDPR, she said, builds on what was good about the UK’s Data Protection Act of 1998 and brings it in line with our 21st century world.

“GDPR rebalances the relationship between individuals and organisations. It gives greater control to people over how their data is used, and compels organisations to be transparent and account for their actions.

“As individuals, most of us applaud a stronger framework. As heads of agencies, some of you may have a different view,” said Denham, adding that those organisations that thrive under the new rules will see the GDPR as an opportunity to commit to data protection and embed it in their policies, processes and people.

“Those that merely comply, that treat the GDPR as another box-ticking exercise, miss the point. And they miss a trick because this is about restoring trust and confidence. Only one in five people in the UK trust organisations to look after their data. That’s not good enough,” she said.

The GDPR is an opportunity to reset the equilibrium, said Denham, along with the UK government’s Data Protection Bill that will bring the GDPR into UK law and tackle some of the details over which the UK has discretion.


Denham said the ICO (Information Commissioner’s Office) will shortly publish an overview to help organisations navigate the Data Protection Bill, which is scheduled to come into force in early May.

“Add in the law enforcement directive, which sets out how we’ll tackle crime across borders, the NIS directive, which sets out reporting rules for organisations that suffer a cyber attack, and the e-privacy directive, which sets the rules for direct marketing via phone, text and email, and that is quite a substantial suite of data protection changes,” she said.

Denham said business needs to gear up to work in a new age of data protection, with the UK and other governments recognising that “personal data is the fuel that powers so much of what makes our economy, our home life, our public services function.”

Given that the UK government has made clear its intention to retain the country’s world-class status as a leader in data protection, Denham said she was strengthening her team at the ICO in both numbers and expertise to meet that challenge.

“We are moving the ICO to a place where we can deliver our new responsibilities and obligations to organisations and, importantly, the public,” she said, adding that the government has provided the ICO pay flexibility for the next three years to enable the ICO to retain its expert staff and attract new technologists, lawyers and auditors to deal with the increased workload and deal with new challenges like auditing algorithmic decision making and tackling the ethical issues around artificial intelligence and machine learning.

Personal data

Other areas of work for the ICO include an investigation of the way universities handle personal data, the use of data analytics in political campaigning, and how personal data will flow between the UK and EU post-Brexit.

Denham said she hoped UK businesses’ preparations for the GDPR were well under way, and that they had put in place the key building blocks to ensure they implement responsible data practices.

However, she said that although many businesses understand the benefit of getting data protection right, when she speaks to the private sector, she sometimes can “sense the panic,” which is why the ICO has set up helplines and targeted resources to help them prepare.

In the public sector, Denham said she can sometimes “sense complacency” but despite their familiarity with the concept of data protection, it is now a critical time to refresh policies and processes, to upgrade staff training and revisit the approach to data protection.

“This is about commitment over compliance. It is up to you and your boards, and your leadership teams to foster a culture of transparency and accountability as to how you use personal data,” she said.

Training and tools

Organisations need to equip staff with the training and tools they need to get data protection right and ensure that their staff understand data protection is not a box-ticking exercise, but a commitment to people that the public sector will handle their personal data with care and respect.

Denham also highlighted the importance of accountability, which she described as the “most important aspect” of the GDPR. “The new legislation creates an onus on organisations to understand the risks that they create for others, and to mitigate those risks,” she said.

Working within a framework that can be used to build a culture of privacy, said Denham, will not only help organisations comply with the letter of the law, but also give them an opportunity to develop the trust of the people they serve.

Because the GDPR requires organisations to put in place comprehensive but proportionate governance measures, she said, good practice tools such as data protection impact assessments and privacy by design are now legally required in certain circumstances.

Denham said that while she recognises that public sector organisations typically have limited resources, they need to consider the risks of a cyber breach. “It will cost you money but it will also cost you your reputation, trust, social licence. This is collateral damage,” she said.

Rudimentary protections

At the same time, Denham said most cyber breaches and attacks are preventable through rudimentary protections. “We make a mistake if we throw up our hands and worry about state-sponsored attacks – we know those are rare.

“You should be worrying about the malicious kid in his bedroom who hacks into your system because he can,” she said. “Or the opportunistic thief who understands the value of the data you hold and knows how to get his hands on it. Because you left the door wide open.”

Commenting on the huge fines provided by the GDPR and coming UK data protection laws, Denham said the ICO is a “risk-based, proportionate” regulator. The ICO has always preferred the “carrot” to the “stick” and prefers education, engagement and empowerment to enforcement.

Denham encouraged organisations to make use of the resources on the ICO website, including guidance, checklists, sector-specific FAQs, advice for local authorities about reporting personal data breaches, and guidance around using Public Task as a lawful basis for processing.

Voluntary audits

The ICO also offers voluntary audits to help organisations to check they are on the right track and identify weaknesses before they cause real problems.

“While there will be no grace period – you’ve had two years to prepare – I know that when 25 May dawns, there will be many organisations that are less than 100% compliant.

“This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues and can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort,” she said.

“Data protection is a critical part of ensuring you have the social licence to innovate with data – you have to take the people with you.”
