With exactly one year to the compliance deadline, the Information Commissioner’s Office has urged UK firms to seize the business benefits of being GDPR-ready
There is no time for businesses to delay in preparing for the General Data Protection Regulation (GDPR), says the UK information commissioner.
In a video address to UK business leaders, Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she termed “the biggest change to data protection law for a generation”.
It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks.
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.
“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit,” she said.
Deputy commissioner Rob Luke also highlighted the business benefits of GDPR compliance at a discussion about the legislation hosted by IT industry body TechUK.
The best outcome, he said, would be where organisations take an approach to data protection that earns the trust of consumers in a more systematic way, and where that trust translates into competitive advantage for those who lead the charge.
Luke said that while the GDPR presents some opportunities for organisations, the ICO recognises that there are some challenges too, noting that the GDPR is an indicator of change as much as it is an instigator.
“The GDPR is part of the response to the challenge of upholding information rights in the digital age; of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change,” he said.
Luke said that GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.
“The moment at which GDPR takes effect in the UK on 25 May 2018 will, of course, mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities, and organisations need to be working now to prepare for them,” he said.
Luke said he hoped that UK organisations have already deployed the ICO’s 12 steps to take to prepare for GDPR and were familiar with the ICO’s Overview to GDPR, and were drawing on the ICO’s wider resources.
The ICO, he said, is working at pace to produce detailed guidance, both at a national and a European level, through the Article 29 EU Working Party.
While this guidance will continue to be developed, Luke said organisations should not wait for definitive guidance on every aspect of the GDPR before taking action.
“I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management. Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.
Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong,” he said.
Preparation for compliance with the GDPR can be boiled down to transparency and accountability, said Luke.
“It is about being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business,” he said.
As a result, said Luke, this means GDPR compliance is a board-level issue for every size of organisation, not only because under the GDPR the ICO can fine companies up to €20m or 4% of a company’s total annual worldwide turnover for the preceding year, whichever is greater, but also because of potential brand damage.
“As we’ve seen in well-publicised examples, the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation,” he said.
The ICO recognises that data is the fuel that powers the digital economy, said Luke, and the GDPR is a response to this evolving landscape. The GDPR builds on previous legislation, he said, but brings a 21st century approach and delivers stronger rights in response to the heightened risks.
These new rights include individuals’ rights to:
Be informed about the use of their data;
Access their information and move that information around;
Rectify and erase data where appropriate;
Challenge automated decisions.
“Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and ensuring privacy by design, are now legally required in certain circumstances,” said Luke.
Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law and our privacy notices code of practice is GDPR-ready, said Luke.
Luke also noted that data breach reporting would also change under the GDPR. Organisations will be required to notify the ICO, within 72 hours, of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics, mean that profiling is becoming a much wider issue, he said.
According to the ICO, the GDPR is a principles-based law well equipped to take on the challenges of 21st century technology.
“It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want,” said Luke.
In addition to gearing up the GDPR compliance within the ICO and the higher volume of activity that is bound to come as a result of mandatory breach notifications, Luke said the ICO is looking at how it might be able to engage more deeply with companies as they seek to implement privacy by design.
The ICO is also looking at how it can contribute to a “safe space” where companies can test their ideas and at how it can recognise good practice.
“We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play,” said Luke.