There is no time for businesses to delay in preparing for the General Data Protection Regulation (GDPR), says the UK information commissioner.
In a video address to UK business leaders, Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she termed “the biggest change to data protection law for a generation”.
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.
“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit,” she said.
The best outcome, he said, would be where organisations take an approach to data protection that earns the trust of consumers in a more systematic way, and where that trust translates into competitive advantage for those who lead the charge.
Luke said the ICO’s vision regarding the GDPR is of increasing data trust and confidence among the UK public, but that this can be achieved only by working in partnership with the private, public and third sectors.
“An important part of that is developing key relationships with representative or umbrella organisations as multipliers and amplifiers for our engagement with different constituencies,” he said, adding that the ICO’s strong relationship with TechUK is a good example of that partnership approach.
Legislation fit for the digital age
Luke said that while the GDPR presents some opportunities for organisations, the ICO recognises that there are some challenges too, noting that the GDPR is an indicator of change as much as it is an instigator.
“The GDPR is part of the response to the challenge of upholding information rights in the digital age; of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change,” he said.
Luke said that while he was unable to speculate about the post-Brexit environment or comment on proposals in political party manifestos in the run-up to the election, it was safe to say that one way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.
“The moment at which GDPR takes effect in the UK on 25 May 2018 will, of course, mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities, and organisations need to be working now to prepare for them,” he said.
Luke said he hoped that UK organisations have already deployed the ICO’s 12 steps to take to prepare for GDPR and were familiar with the ICO’s Overview to GDPR, and were drawing on the ICO’s wider resources.
The ICO, he said, is working at pace to produce detailed guidance, both at a national and a European level, through the Article 29 EU Working Party.
Act now to protect customer data
While this guidance will continue to be developed, Luke said organisations should not wait for definitive guidance on every aspect of the GDPR before taking action.
“I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management.
“Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.
Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong,” he said.
Preparation for compliance with the GDPR can be boiled down to transparency and accountability, said Luke.
“[It is about] being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business,” he said.
As a result, said Luke, this means GDPR compliance is a board-level issue for every size of organisation, not only because under the GDPR the ICO can fine companies up to €20m or 4% of a company’s total annual worldwide turnover for the preceding year, whichever is greater, but also because of potential brand damage.
“As we’ve seen in well-publicised examples, the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation,” he said.
Focus on data rights of individuals
The ICO recognises that data is the fuel that powers the digital economy, said Luke, and the GDPR is a response to this evolving landscape.
The GDPR builds on previous legislation, he said, but brings a 21st century approach and delivers stronger rights in response to the heightened risks.
These new rights include individuals’ rights to:
- Be informed about the use of their data;
- Access their information and move that information around;
- Rectify and erase data where appropriate;
- Revoke consent;
- Challenge automated decisions.
Good data practice a legal responsibility
“Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and ensuring privacy by design, are now legally required in certain circumstances,” said Luke.
The ICO covers privacy impact assessments in its existing Privacy by Design guidance, he said, and the European Article 29 Working Party has also issued draft guidelines.
Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law, and the ICO’s privacy notices code of practice is already GDPR-ready, said Luke.
“Increased responsibilities for data processors are another feature. Data processors, companies using personal data on behalf of others, will have specific legal obligations to maintain records of personal data and processing activities,” he said.
Luke also noted that data breach reporting would change under the GDPR. Organisations will be required to notify the ICO within 72 hours of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics, mean that profiling is becoming a much wider issue, he said.
“People have legitimate concerns about surveillance, discrimination and the use of their data without consent. Data protection can be challenging in a big data context, and some types of big data analytics, such as profiling, can be intrusive.
“We explore many of these issues in detail in our recently updated paper on big data, artificial intelligence, machine learning and data protection,” said Luke.
“Harnessing the benefits of big data, AI and machine learning, as it relates to healthcare for example, will be sustained by upholding the key data protection principles and safeguards set out in GDPR,” he said.
Transparent data processing
Although the means by which personal data is processed are changing, Luke said the underlying issues remain the same. This means organisations need to consider if people are being treated fairly, if decisions are accurate and free from bias, and if there is a legal basis for any data processing activity.
According to the ICO, the GDPR is a principles-based law well equipped to take on the challenges of 21st century technology.
“It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want,” said Luke.
Turning to the topic of data analytics, he said that as data becomes the fuel powering the modern economy, it becomes a key element of many of the debates in modern society. This is evidenced by the fact that the ICO has opened a formal investigation into the use of data analytics for political purposes.
Given the big data revolution, Luke said it was understandable that political campaigns were exploring the potential of advanced data analysis tools to help win votes.
“But the public have the right to expect that this takes place in accordance with the law as it relates to data protection and electronic marketing,” he said, adding that this is a complex and rapidly evolving area of activity and the level of awareness among the public about how data analytics works, and how their personal data is collected, shared and used through such tools, is low.
“What is clear is that these tools have a significant potential impact on individuals’ privacy. It is important that there is greater and genuine transparency about the use of such techniques to ensure that people have control over their own data and the law is upheld.”
In addition to gearing up for GDPR compliance within the ICO itself, and for the higher volume of activity that is bound to come as a result of mandatory breach notifications, Luke said the ICO is looking at how it might engage more deeply with companies as they seek to implement privacy by design.
The ICO is also looking at how it can contribute to a “safe space” where companies can test their ideas and at how it can recognise good practice.
Aim for goals and benefits
“We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play,” said Luke.
The ICO, he said, is also committed to exploring innovative and technologically agile ways of protecting privacy and will continue to develop and deepen effective relationships with international partners.
“These goals among others feature in our new Information Rights Strategic Plan, being launched today (25 May 2017) by Elizabeth Denham, which sets out the ICO’s plan for the coming four years,” said Luke.
Reiterating that it is not the GDPR that is pushing data protection up the public, political and media agenda, but the changing nature of the world and the ubiquity of data that is causing society to reflect on the consequences for our personal information and for privacy itself, he said the UK tech sector is at the heart of that change.
“Your response to the challenges and opportunities of GDPR will set a marker for other sectors. You have a major stake in the enterprise of increasing data trust and confidence among the UK public.
“By putting the individual in genuine control of their own data you can help achieve that goal, delivering benefits for your consumers, your business and society as a whole,” he said.