Three days to go until GDPR deadline
Chris Hamblin, Editor, London, 22 May 2018
With three days until the European Union's General Data Protection Regulation (GDPR) begins to apply, here are some words of wisdom from the British Information Commissioner's Office (ICO).
The Information and Records Management Society (IRMS) hosted a keynote address by Louise Byers, the head of risk and governance at the ICO, at its annual conference recently. Byers (also the ICO’s designated Data Protection Officer) told delegates that “Friday is a beginning and not the end; the GDPR is not Y2K” and identified the management of information records, collaboration and communication as the keys to compliance.
New powers for the ICO
The GDPR and the new Data Protection Bill will give the ICO new powers, enabling it to secure information and evidence swiftly. Byers commented on the ICO’s updated regulatory action policy that it recently published for public comments: “Our new powers will include no-notice inspections, compelling people and organisations to hand over information and making it a criminal offence to destroy, falsify or conceal evidence.”
She added: “We won’t be changing our approach to fines in four days' time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately, or negligently flout the law.
“If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action. It all comes down to building trust and confidence that people have in the organisations handling their data.”
Brexit and the GDPR
Byers explained that the UK’s forthcoming withdrawal from the European Union has prompted her office to pursue two clear goals. The first is to "maintain high standards of data protection" (technically an impossibility, as the giant leap in regulatory complexity on Friday is proof that the existing standards are far from high and not to be 'maintained') for British citizens and consumers, wherever their data resides. This aim includes a desire not to let the advent of the new regime interrupt the flow of data overseas and not to leave businesses and the police open to confusion about the law. The second aim is for her office to "continue to play a full role in EU institutions" - a rather disturbing display of impatience with the results of democratic referenda - and keep working with the European Data Protection Board (EDPB). She added that things were going well on both fronts.
She added: “The Government has made good on its promise to fully implement GDPR and is going further through the Data Protection Bill and other legislation. In two recent speeches, the Prime Minister has made the case for an ongoing role for the ICO in the European landscape. We don’t know yet whether that will be a seat on the EDPB with full voting rights or some other relationship, but we remain deeply committed to and embedded in the EU regulatory community.”
Three pieces of advice
Byers gave the Brighton audience three pieces of advice "to mark you out as a data protection leader." These were as follows.
- Information records management. “Good records management is the starting point for everything – know what you have got, why you have got it and who made you have it. When processing is based on consent, make sure those records are kept and that withdrawal mechanisms are clear and easy for people to use. Document when and why you made decisions for the future.”
- Collaboration. “Securing senior buy-in is crucial. Identify your accountability framework with clear roles and responsibilities within the organisation and then tell people who they are. Make sure you work with all parts of the organisation to identify suppliers; this will help with privacy notices and contract clauses.”
- Internal and external communications. “Work with all areas of the business to deliver strong communications around the importance of compliance and breach reporting. Work with project managers, communications departments and other areas to promote privacy by design.”
Summing up the impact of the GDPR in one word, Louise Byers focused on 'people,' concluding: “If every organisation in this country followed the principles of the IRMS then our job would be relatively easy, but I also know that we have a unique opportunity. An active information rights community applying the principles and the tools within the GDPR and the Data Protection Bill can do an awful lot to improve public trust.”