Speaking at the lecture for the Institute of Chartered Accountants in England and Wales in London earlier this year, Elizabeth Denham of the ICO discussed the role of accountability in GDPR, how people must adjust their mindset about data protection, and what GDPR may actually look like in practice.
The ICO (Information Commissioner’s Office) is one of the UK’s main regulators in the digital space. It is the independent UK regulator enforcing the laws that govern privacy.
Below is a brief summary of some of the key points made during the speech:
Impact of GDPR:
The new legislation, namely GDPR, means that we’ll have new data legislation both in the UK and the EU. The GDPR builds on the previous Data Protection Act but provides more protection for consumers and more privacy considerations for organisations. It brings a more 21st-century approach to the processing of personal data. The theme around GDPR is continuity and change.
There’s a lot in the GDPR that overlaps with the current law, but there are some important changes that everyone needs to be aware of.
One crucial difference is that if you’re a data processor, processing personal data on behalf of another business, you’ll have more direct compliance responsibilities than under the current legislation.
The SME sector:
99% of the UK’s 5.5 million businesses employ fewer than 250 people, and the proportion is growing.
When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.
GDPR – A modernisation of the law:
A common view among the public is that a reform is long overdue. Technology, business models and the way in which we handle our data have changed so much since 1995 that the law has needed to catch up.
The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how businesses use their personal data. They will also have the right to request that personal data be removed or deleted if there’s no legitimate reason for an organisation to carry on processing it.
The biggest change in the legislation is around accountability: a departure from the traditional box-ticking exercises towards a framework that can be used to build a culture of privacy that spreads across an entire company.
Companies will need to understand the risks that they create for others and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise and working towards a framework.
The GDPR also provides for organisations putting comprehensive governance measures in place. Practices such as privacy impact assessments and privacy by design are now a legal requirement in certain cases.
In a lot of instances this means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability needs to be part of the company’s overall systems approach to how it manages and processes personal data.
A shift to this approach is exactly what’s needed. The benefit for organisations is not just compliance but also an opportunity to develop the trust of their consumers in a sustainable way.