As the countdown to Friday’s GDPR D-Day enters the final phase, the head of risk and governance at the Information Commissioner’s Office has revealed the regulator’s “three top tips” for compliance with the new regulation, and reiterated that “May 25 is a beginning and not the end. GDPR is not Y2K”.
Addressing delegates at the Information & Records Management Society’s annual conference 2018 in Brighton, Louise Byers – who is also the ICO’s designated data protection officer – stressed information records management, collaboration and communication as key to compliance.
The GDPR and new Data Protection Bill will give the ICO new powers, enabling it to move at pace and secure information and evidence, which it sees as key requirements in the digital age. Byers commented on the ICO’s updated regulatory action policy that it recently published for consultation. “Our new powers will include no notice inspections, compelling people and organisations to hand over information and making it a criminal offence to destroy, falsify or conceal evidence.”
She added: “Our policy makes it clear that we won’t be changing our approach to fines in four days’ time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately, or negligently flout the law.”
“If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action.” She also stressed that GDPR is not just about massive fines: “It is about the public and it all comes down to building trust and confidence that people have in the organisations handling their data.”
Byers explained that the UK’s planned withdrawal from the European Union has seen the ICO set two clear goals.
The first is to maintain high standards of data protection for UK consumers, wherever their data resides, including uninterrupted data flows to Europe and the rest of the world, and legal certainty for business and law enforcement.
The second is to continue to play a full role in EU institutions and maintain influence and strong working relationships with the members of the European Data Protection Board, which will take over the work of the Article 29 Working Party.
“We are making good progress on both fronts,” Byers said. “The Government has made good on its promise to fully implement GDPR and is going further through the Data Protection Bill and other legislation. In two recent speeches, the Prime Minister has made the case for an ongoing role for the ICO in the European landscape. We don’t know yet whether that will be a seat on the EDPB with full voting rights or some other relationship, but we remain deeply committed to and embedded in the EU regulatory community.”
She went on to detail three pieces of advice for data protection leaders:
1. Information records management – “Good records management is the starting point for everything – know what you have got, why you have got it and who made you have it. You need to make sure that when processing is based on consent, those records are kept and that withdrawal mechanisms are clear and easy for people to use. And, document when and why you made decisions for the future.”
2. Collaboration – “Securing senior buy-in is crucial. Identify your accountability framework with clear roles and responsibilities within the organisation and then tell people who they are. Make sure you work with all parts of the organisation to identify suppliers; this will help with privacy notices and contract clauses.”
3. Internal and external communications – “Work with all areas of the business to deliver strong communications around the importance of compliance and breach reporting. Work with project managers, communications departments and other areas to promote privacy-by-design.”
Summing up the impact of GDPR in one word, Louise Byers focused on “people”, concluding, “If every organisation in this country followed the principles of the IRMS then our job would be relatively easy. But, I also know that we have a unique opportunity. An active information rights community applying the principles and the tools within the GDPR and the Data Protection Bill can do an awful lot to improve public trust.”