Businesses Need to Be More Accountable When It Comes to GDPR, says ICO

As we head toward the one-year mark since GDPR became enforceable by law, the post-GDPR world continues to expand apace.

GDPR came into effect on 25th May 2018 and has since transformed the way businesses hold data and keep in touch with their clients and customers.

However, at the recent Data Practitioners Conference 2019 in Manchester, a lot was said about how much more needs to be done to ensure that companies remain accountable and lessen the risks that come with processing personal data.

Khurrum Bhatti, Head of Compliance, attended the conference. In this article he looks at some of the key points and discusses what we are doing at BW Legal to remain accountable to the principles of GDPR and to our customers and clients.

Accountability an Opportunity to Alter ‘Cultural Fabric’ of Organisation

Elizabeth Denham, the UK Information Commissioner, spoke at the conference and highlighted how businesses need to do more to be accountable, and how accountability shapes the cultural fabric of a business.

“Accountability encapsulates everything the GDPR is about,” Denham said in her speech.

“It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.”

“It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.”

“And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet.”

“I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out.”

“And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional.”

“But it is an opportunity. Because accountability allows you, as data protection professionals, to have a real impact on that cultural fabric of your organisation. Beyond bolt-on compliance work.”

Rotenberg Takes on USA Authorities over Facebook Privacy Breach

Marc Rotenberg discussed his experience of challenging the authorities in the USA to take enforcement action against Facebook for breaching the privacy obligations placed on it.

However, the real message was perhaps the benefit and importance of having a regulatory body, such as the Information Commissioner’s Office, with enforcement powers.

Margot James MP focused on the fact that the ICO has been given the powers it needs under the new Data Protection Act 2018, and on the implications of Brexit.

There were interesting panel discussions on Brexit and on ethics in AI, particularly in light of developments at Google that resulted in its AI ethics board being disbanded.

Reducing Number of Complaints to ICO

During a seminar, the ICO highlighted the increasing volume of complaints it receives. Delegates were asked why this was the case and whether there is anything organisations can do to reduce the number of complaints.

The response from delegates included:

  • There is an obligation to refer customers to the ICO;
  • Customers often use data protection as a stick against organisations; and
  • There is no deadlock process.

During a separate seminar, the ICO also explained its proposed process for reviewing Codes of Conduct under Articles 40 and 41 of the GDPR.

How We Remain Accountable

Being accountable is part of our culture at BW Legal. We demonstrate accountability through a range of measures overseen by our dedicated Data Protection Officer.

These include:

  • adopting and implementing data protection policies;
  • taking a ‘data protection by design and default’ approach;
  • putting written contracts in place with organisations;
  • maintaining documentation of processing activities;
  • implementing appropriate security measures;
  • recording and, where necessary, reporting personal data breaches;
  • carrying out data protection impact assessments for uses of personal data;
  • publishing a clear Privacy Notice.

To remain accountable for data protection, we keep evidence of the steps we take to comply with GDPR requirements.

All employees are trained on GDPR and, crucially, on the principles that underpin it, to ensure a good level of understanding and awareness of data protection among staff at all levels.

If you would like any advice or would like to find out how we can assist your business please call 0113 468 3000 or email
