UK ICO Not Afraid to Use New Powers to Issue Significant GDPR Fines
The UK Information Commissioner, Elizabeth Denham recently gave a speech to the Institute of Chartered Accountants in England and Wales outlining her latest guidance on the GDPR.
Here are some of the highlights from her speech:
This one’s a game changer for everyone
The General Data Protection Regulation builds on the previous legislation, but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection.
There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.
The GDPR also brings a change in the rules if you’re a data processor, processing personal data on behalf of another business – you’ll have more direct compliance responsibilities than under the current law.
Businesses will have to ensure that specific protections are in place for transferring data to countries that haven’t been listed by the European Commission as providing adequate protection, like Japan and India.
The biggest change is around accountability
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.
In British Columbia, my regulatory office investigated a power company rolling out a smart meter programme, an auto insurance firm implementing facial recognition, the provincial ministry of health enhancing the use of data analytics. We didn’t just investigate whether these new specific initiatives complied with the law, but evaluated and reported out on how well organisations met their accountability requirements across the entire business. Their capacity and controls to assess privacy risk in all business processes.
And then we started to see a cascading effect. Peer companies adopting comprehensive programmes too. Businesses seeing the value of accountability to client relations and customer retention.
The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and privacy by design – are now legally required in certain circumstances.
Consumers feel a loss of control
The last ICO survey found 75 per cent of adults in the UK don’t trust businesses with their personal data.
Think about that. Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.
Imagine if 75% of us didn’t trust businesses to be honest about pricing, or to keep their own service agreements. We’d say something fundamental had broken down.
Upfront investment will bring a payoff
I think it’s clear some businesses will thrive in this changing environment. They’ll be the ones that look at this whole issue with a mindset that appreciates what consumers want. What consumers expect.
Today, many companies think data protection is just about ‘compliance.’ It’s a mindset that says: ‘my job is to meet the legal requirements. As long as I tick the right boxes, we’ll be OK’.
But to meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.
Not just because it’s the law, but because it’s part of basic good business practice, like honest pricing or good customer service.
Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.
There’s a pretty big stick
That’s the carrot for getting it right. And there’s a pretty big stick too.
For the most serious violations of the law, my office will have the power to fine companies up to twenty million Euros or four per cent of a company’s total annual worldwide turnover for the preceding year.
In an ideal world we wouldn’t need to use those sticks, but policy makers are clear that breaches of personal privacy are a serious matter, so it’s not a power we’re afraid to use.
And our enforcement powers aren’t just for ‘typical’ data breaches, like laptops left on trains or information left open to a cyber-attack. The GDPR gives regulators the power to enforce in the context of accountability – data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.
Accountability is the future
If businesses are looking beyond the current laws, and are trying to future proof themselves against changing or uncertain legislation, the answer takes us back to accountability. I make no apologies for returning to this. It is that important.
Having the right mindset towards data protection helps to future proof a business. It will put it in the right place to keep up with legislation.
Start taking action now
Start taking the first steps towards understanding how GDPR expects businesses to put data protection accountability at the centre of their business processes. I’d particularly recommend our code of practice for conducting privacy impact assessments. These assessments will have a key role to play under GDPR where organisations look at new ways of using people’s personal data, particularly when that involves using new technologies.
GDPR – an opportunity for every company
I’ve talked tonight about the sense people have that they are losing control of their data.
As a regulator, it’s one of my jobs to turn that around, to start re-establishing that trust.
The GDPR gives us all greater power to do that. Not just in terms of bigger sticks for those who get it wrong, but in presenting an opportunity for every organisation to reconsider their data protection approach.
I want organisations to think to themselves: “we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect.”
It’s something, as a regulator, I’ll demand of businesses. It’s something consumers increasingly demand.
The full text of Elizabeth’s speech can be found here – https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/01/gdpr-and-accountability/