As we head toward the one-year mark since GDPR became enforceable by law, the post-GDPR world continues to expand at pace.
GDPR came into effect on 25th May 2018 and has since transformed the way businesses hold data and keep in touch with their clients and customers.
However, at the recent Data Practitioners Conference 2019 in Manchester, a lot was said about how much more needs to be done to ensure that companies remain accountable and lessen the risks that come with processing data.
Khurrum Bhatti, Head of Compliance, attended the conference, and in this article he takes a look at some of the key points and discusses what we are doing at BW Legal to ensure that we remain accountable to the principles of GDPR and our customers and clients.
Elizabeth Denham, the UK Information Commissioner, spoke at the conference and highlighted how businesses need to do more to be accountable and how accountability impacts the cultural fabric of the business.
“Accountability encapsulates everything the GDPR is about,” Denham said in her speech.
“It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.”
“It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.”
“And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet.”
“I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out.”
“And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional.”
“But it is an opportunity. Because accountability allows you, as data protection professionals, to have a real impact on that cultural fabric of your organisation. Beyond bolt on compliance work.”
Marc Rotenberg discussed his experience of challenging the authorities in the USA to take enforcement action against Facebook for breaching the legal obligations placed on it in relation to privacy.
However, the real message was perhaps the benefit and importance of having a Regulatory body such as the Information Commissioner’s Office with enforcement powers.
Margot James MP focussed on the fact that the ICO has been given the powers needed under the new DPA 2018 and Brexit.
There were interesting panel discussions regarding Brexit and about ethics in AI, particularly in light of developments at Google resulting in the AI Ethics Board being disbanded.
During a seminar, the ICO highlighted the increasing volume of complaints being received by the ICO. It was questioned why this was the case and if there is anything organisations can do to reduce the number of complaints.
The response from delegates included:
During a separate seminar, the ICO also explained their proposed process for reviewing Codes of Conduct under Articles 40 and 41 GDPR.
Being accountable is part of our culture at BW Legal. We demonstrate accountability through various approaches which are overseen by our dedicated data protection officer.
To be accountable for data protection, we keep evidence of the steps we take to comply with GDPR requirements.
All employees are trained on GDPR and, crucially, the principles that underpin it, to ensure a good level of understanding and awareness of data protection amongst staff at all levels.