How will the ICO police the GDPR in practice and how can companies demonstrate adequate procedures to avoid sanctions?

Against a backdrop of data protection headlines, Jonathan Bamford, Head of Parliament and Government Affairs for the ICO opened GoodCorporation’s debate on GDPR enforcement by focussing on trust. 

According to research by the ICO, in the UK, only 1 in 5 consumers trusts organisations with their personal data, despite data protection legislation being in force for over 30 years. 

As the headlines show, existing Data Protection regulation has failed to keep up with the way our personal information is used in the fast-moving digital economy. Hence the need for new legislation that is both fit for purpose and able to rebuild consumer trust and confidence. 

So how will the ICO approach its regulatory functions under the new legislation? 

  • The ICO aims to create a culture of data confidence and wants to work with organisations to help them get it right and live up to their obligations, and so build trust. 
  • BUT – the regulator intends to use the full range of powers available in an effective and proportionate way. 
  • In addition to the significantly increased penalties of the GDPR, the Data Protection Bill currently going through Parliament will provide the ICO with strengthened compulsory assessment powers (Part 6). 
  • The ICO is also seeking greater powers around information notices to enable the regulator to obtain the information needed to ascertain whether the law has been broken. Under the current regime, those with deep pockets can avoid co-operation by paying a fine, rather than providing the information requested and running the risk of a far larger penalty. 
  • The ICO will also focus on accountability, encouraging organisations to demonstrate compliance through Data Protection Impact Assessments (DPIA). The ICO recently consulted on its draft DPIA Guidance. 
  • There will be no grace period come May 25th as the new laws are evolutionary rather than revolutionary and there has been a two-year implementation period. 
  • However, those that can show they are embracing accountability and can evidence systems and procedures designed to comply will be treated more sympathetically than those who have done nothing. 
  • A contravention which would have fallen under the original Data Protection Act will receive no leniency. 
  • Good data protection is the cornerstone of the digital economy and can provide a significant business advantage. 

Summary of the views expressed: 

  • GDPR was likened to the UK Bribery Act, provoking much scaremongering around what is adequate. 
  • Compliance has board attention, but there were some concerns that insufficient resources are being provided to put all the necessary systems in place. 
  • Most organisations have taken a risk- or principle-based approach to compliance and would be able to evidence actions taken to date and their plan for the future. However, most felt they would not be fully compliant by May 25. 
  • Like effective health & safety procedures, a change in culture will be needed to ensure robust data protection practices are properly embedded. Some are using IT tools to create an audit trail. 
  • Communication and training programmes are underway in many organisations to raise awareness of the principles of data protection, make it clear where the responsibilities lie and what the expectations are.  

Summary of key challenges: 

  • Implementing uniform practice throughout all business entities  
  • Managing and monitoring data protection systems and processes 
  • Identifying data processing responsibility through the supply chain and ensuring standards are met 
  • Integrating old and new systems 
  • Protecting data from cyber-attacks  

More guidance on some of these issues would be welcomed. Businesses would also like clarification on how cyber-attacks will be treated and if there is such a thing as a ‘no-fault breach’. 

The ICO will take a risk-based approach to enforcement, assessing the extent of the risk to the data subject. They are unlikely to prosecute every minor offence but will come down heavily where individuals are compromised. A range of factors will be taken into account when deciding on the penalty and this would apply where there has been a malicious breach. There will be little sympathy afforded to large organisations who have failed to implement proper protection. 

The ICO will be consulting on a number of issues moving forwards, so business should watch out for opportunities to have their say. 

The GoodCorporation View: 

Data protection is more than a legal compliance issue; it is an indicator of how an organisation conducts its business. The regulations are not designed to curtail how data is used but to ensure that the information held is managed properly and used responsibly.  

Organisations getting this right can inspire trust, enhance customer service and secure a competitive advantage. They are also more likely to be properly protected from any reputational damage caused by a data breach. As the debate shows, many organisations are well on the way to having good systems in place but will need to ensure that they can demonstrate adequacy to their boards and in the event of a breach, to the regulator. Tools such as GoodCorporation’s Data Protection Framework are being used to assess GDPR compliance and provide boards and senior management with the assurances they need.