Companies warned that GDPR compliance is not enough

Over ten months after GDPR came into force, companies have been warned that simply complying with the new regulation is not enough, they must – by law – demonstrate how that is being achieved or face the wrath of the regulator.
That was the stark message from Information Commissioner Elizabeth Denham’s opening speech at this week’s 2019 Data Protection Practitioners’ Conference, in which she warned businesses that implementation of GDPR is at a “critical stage”.
Denham explained: “For me, the crucial, crucial change the law brought was around accountability. “Accountability encapsulates everything GDPR is about. It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.
“It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet.
“I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out. And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional,” she added. “But it is an opportunity because accountability allows data protection professionals to have a real impact on that cultural fabric of your organisation.”
In essence, Denham insisted that companies must embed sound data governance in all business processes so that it is within the DNA of the organisation.
“An accountability approach gives those of you who have the skillset, who have the passion, a chance to see a changing world as an opportunity to have a real and lasting impact,” she said.