Steve Wood, the Information Commissioner’s Office Head of International Strategy & Intelligence, has quashed any suggestions of a soft start to GDPR at the IAPP’s Data Protection Intensive in London.
“You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”
He explained that the ICO intends to focus on risk and will be happy to work with organisations if there are any areas that seem unclear, but there will be no grace period.
Consent and Transparency
Wood said the ICO’s main concerns will be transparency, control and accountability, along with a focus on the issue of consent. “Data protection authorities across Europe will be asking penetrating questions about records of consent and will be looking very much at how organisations got the record, who has consented, when they consented, what they were told, as well as mechanisms for withdrawing.”
Accountability and Data Protection Audits
On the accountability front, Wood suggested organisations will thrive when and if accountability is embedded organisation-wide and a range of stakeholders take responsibility for different parts of the process.
Offering clear advice for the event of an audit, he said, “If we come knocking on the door, if we investigate or conduct an audit in an organisation, the best way you can demonstrate to us that we won’t need to delve deeper and you’ve got covered all the compliance issues is to have a comprehensive accountability program, and to be able to take us through the different steps you’ve taken to address compliance issues.”
It’s Now Time to Invest
Wood concluded by offering some sage advice – “The key thing to do is invest now and convince people in your organisation why data protection is important for trust.”