With the GDPR and the new UK data protection law coming into effect in less than 10 days, I thought it was important to reflect both on Elizabeth Denham's recent speech at the IAPP and on the draft Regulatory Action Policy that the Information Commissioner's Office released on May 4.
The Commissioner’s speech at the IAPP
Elizabeth Denham laid out the Information Commissioner's Office's three areas of focus: cyber security, artificial intelligence and device tracking. She reiterated the ICO's intent to take a proportionate and pragmatic approach after May 25, and was clear that the hefty fines will "be levied on organisations that persistently, deliberately or negligently flout the law." She also reaffirmed that fines are not the only sanctions to expect, and that "compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders" may be used where appropriate. If you want to read the full transcript of her speech, you can find it here.
As we've stated frequently, the risks of non-compliance aren't just financial; they're reputational. So what you need to do is to have begun the compliance process, to have determined where your biggest risks lie and, most importantly, to have a means of documenting what you've done. The ICO has created a campaign called Your Data Matters and is giving its creative content to companies to use to raise awareness among customers and staff. If you've not yet registered with the ICO, you can do so here.
The Draft Regulatory Action Policy
In the draft policy, the Information Commissioner's Office makes it clear that it intends to focus on data breaches and will respond swiftly to those that affect large groups of individuals. We know there's already a large enquiry afoot investigating more than 30 organisations in relation to the Facebook–Cambridge Analytica affair. The ICO also states that it would like to strengthen its ability to go to court for warrants to search organisations' premises, so that it is in a better position to investigate breaches. Clearly, breaches are a focus.

The ICO has increased its capacity for handling data breach reports, stating that it can manage up to 30 000 calls a year with the new reporting system. That said, it stresses that companies should understand they don't need to report every data breach: under the GDPR, a personal data breach must be notified to the ICO within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms. Needless to say, as a first line of action you should have a process in place for logging and evaluating data breaches, and for reporting them when necessary.

Which other areas does the draft policy address? The ICO will conduct compliance audits, issue warnings, produce codes of practice and review Data Protection Impact Assessments (DPIAs). So again, make sure you've got your documentation in place, and think about using a tool like GDPR365 to help you with that. If you want to review the draft policy, you can find it here.