Infosec17: UK business should be working on GDPR compliance, says ICO

With less than a year to the deadline for compliance with the General Data Protection Regulation, all companies should have assessed what they need to do and should be working on that, says the Information Commissioner’s Office

The main driver for compliance with the EU’s General Data Protection Regulation should be building trust and enabling new business models, according to Peter Brown, security technology officer at the ICO.

“GDPR is an opportunity to ensure good data protection practice to gain the confidence and trust of the people whose data you hold and process,” he told Infosecurity Europe 2017 in London.

The GDPR, he said, is a response to the challenges of holding data in the digital age and therefore makes good business sense.

This is the first approach organisations should take if they are struggling to get executive support, but if that fails, Brown said the next step is to use the significant increase in fines for non-compliance.

Good data governance is an issue that should be addressed at board level, he said, because failure to do so risks not only enforcement action, but also losing public trust. He later added that GDPR needs to be addressed by the entire business, and is not just something for IT to deal with.

“You can use the stick in the cupboard as a strategy [for getting executive buy-in], but the carrot approach might be much better,” said Brown. “Think of it as an opportunity to make more money by getting [data protection] right.”

According to research by the ICO, 77% of UK consumers are concerned that their personal data is not being kept securely and 20% would take their business elsewhere in response to a data breach.

Although many companies are working to bring their data protection capabilities in line with the GDPR, Brown said the biggest problem is companies that have recognised they have work to do on data protection but, with less than 12 months left, have yet to do anything about it.

Key areas for meeting the security and confidentiality requirements of the GDPR include best practices around confidentiality, integrity and availability, resilience, access control, and encryption, he said.

Brown said that because the GDPR is an evolution of data protection regimes, companies that are compliant with current UK data protection law will not have much to do to comply with the regulation, but they will at least have to check that they are able to comply with what is new, such as the right to be forgotten and the right to data portability.

“Companies that are compliant with the Data Protection Act and follow best practice are in a good place, but the current level of compliance with the DPA is not as good as it should be,” he said.

To help UK organisations comply, particularly with the new requirements, Brown said the ICO has published an Overview to GDPR and 12 steps to take to prepare for GDPR, and is continually adding toolkits, such as a self-assessment toolkit to identify gaps, and guidance on topics including consent.

On the topic of consent, Brown said it was important to note that the GDPR does not require personal data to be processed on the basis of consent. “Consent is just one of a number of different lawful bases for processing personal data, and may not be the one that applies the most to your organisation,” he said.

Data breach notification is another requirement to be introduced by the GDPR, and in this regard, Brown said organisations need to ensure they have the procedures in place to detect, investigate and report personal data breaches. “Failure to report a personal data breach will result in a fine as well as the breach itself,” he said.

On the topic of the appointment of data protection officers (DPOs), Brown emphasised that there is no exemption for small to medium-sized enterprises (SMEs).

In the final version of the GDPR, he said, in addition to public authorities – except courts – all organisations that carry out large-scale systematic monitoring of individuals, such as online behaviour tracking or large-scale processing of special categories of data or data relating to criminal convictions and offences, are required to appoint a DPO.

“There is a general derogation for SMEs [with fewer than 250 employees], but it applies only to record-keeping and processing activities, and does not apply if an organisation is processing personal data that could result in a risk to the rights and freedoms of an individual, or the processing of special categories of data or criminal convictions and offences,” he said.

While urging all UK organisations to take the opportunity to establish good data protection practices by ensuring they are compliant with the GDPR by the deadline of 25 May 2018, Brown said the ICO would not “bang everyone’s door down on 26 May”.