momius - stock.adobe.com

GDPR at a critical stage, says information commissioner

The ICO is calling on data protection officials to help kick off the next phase of the GDPR by embedding sound data governance at its annual conference, where another DPO was recognised for excellence

Implementation of the EU’s General Data Protection Regulation (GDPR) is at a “critical stage” just 11 months in, according to UK information commissioner Elizabeth Denham.

“I believe we’re entering a new stage in the GDPR’s development. I want to talk about how that gives you, as data protection practitioners, an opportunity to make a positive impact,” she told the12th annual Data Protection Practitioners’ Conference (DPPC) hosted by the Information Commissioner’s Office (ICO) in Manchester.

“We find ourselves at a critical stage. For me, the crucial, crucial change the law brought was around accountability. Accountability encapsulates everything the GDPR is about.”

Denham said the GDRP enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks. It also formalises the move away from box ticking to seeing data protection as something that is part of the cultural and business fabric of an organisation, and it reflects that people increasingly demand to be shown how their data is being used, and how it is being looked after, she added.

However, she said this change is not yet evident in practice. “I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out,” she said.

Denham said this is both a problem and an opportunity. “It’s a problem because accountability is a legal requirement, it’s not optional. But it is an opportunity because accountability allows data protection professionals to have a real impact on that cultural fabric of your organisation,” she said.

By helping organisations to understand the need to reassess the relationship with patients, employees, donors, residents and the general public, she said data protection professionals can have a real and lasting impact.

According to Denham, the next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all business processes.

“An accountability approach gives those of you who have the skillset, who have the passion, a chance to see a changing world as an opportunity to have a real and lasting impact,” she said.

In this regard, Denham said the ICO is trying to lead by example, citing, among other initiatives, the ICO’s response to the challenge of Brexit by developing an international strategy that takes a fresh approach to the ICO’s relationship with the world and how it influences the global data protection debate.

Commenting on the government’s newly published Online Harms whitepaper, Denham said the proposals reflect people’s growing mistrust of social media and online services.

“People want to use these services, they appreciate the value of them, but they’re increasingly questioning how much control they have of what they see, and how their information is used,” she said.

“That relationship needs repairing, and regulation can help that. If we get this right, we can protect people online while embracing the opportunities of digital innovation.”

Recognising the DPO role

Denham was joined at the conference by digital minister Margot James to present the ICO’s second Data Protection Officer of the Year award for excellence in data protection to Mikko Niva, group policy officer at Vodafone Group Services based in London.

The ICO said the award is aimed at recognising the increasingly vital role played by professionals working in the sector.

The independent judging panel said the award recognises Niva for delivering a pioneering global privacy compliance programme for Vodafone across 21 different countries, and for being a constant advocate for information and privacy rights.

Denham said data protection practitioners play a “crucial role” in ensuring that organisations’ data protection practices are keeping up with changes in technology and truly putting people at the heart of what they do.

“I would like to congratulate Mikko Niva for winning this year’s award. His dedication in leading his business to understand how important privacy is to inspire public trust and confidence is truly commendable,” she said.

Niva said Vodafone places great importance on privacy. “As privacy professionals we are fortunate to work at the intersection between technology, ethics and compliance. The work we do is vital to ensuring that the digitisation of our society happens with the highest standards for the benefits of consumers and society. It’s a privilege to be a part of that,” said Niva.

One of the judges, Paul Jordan, managing director for Europe at the International Association of Privacy Professionals (IAAP), said the nominations were all of high calibre.

He congratulated the winner, describing him as a recognised data protection expert and data protection officer (DPO) who has been a “tremendous advocate” for the EU’s General Data Protection Regulation (GDPR) and data protection both within Vodafone as well as outside his organisation.

Another judge, Jon Baines, chair of the National Association of Data Protection Officers (NADPO), said it is “fantastic” that DPOs are finally getting the recognition they deserve.

“A DPO has such a complex and challenging task, but one that can be tremendously rewarding. A national award from the regulator is truly a badge of honour for a DPO,” he said.

Winner of the 2018 award, Esther Watt, data protection officer at North Kesteven Council in Lincolnshire, said the past year has been busy and fulfilling.

“On a personal level, I’ve been making sure that we, as an organisation, are doing everything correctly and consistently when it comes to data protection legislation, while educating our colleagues and elected members of their obligations. I continue to look forward to taking data protection forward and have been excited to play a key part in this,” said Watt.

Attended by more than 800 delegates, this year’s DPPC highlighted the ICO’s current and future work in areas including technology policy and grants programme, enforcement and regulatory action, and the challenge of Brexit to data protection.

Read more about trust in the digital world

Read more on Privacy and data protection