
ICO calls for GDPR transparency and accountability

Put individuals at the heart of data protection, urges data watchdog

An impending overhaul of data protection law will present "opportunities and challenges" for companies as they prepare for the changes, which are one year away today.

The General Data Protection Regulation (GDPR) will hand EU citizens more control over how organisations use their personal data, and impose stringent rules on how organisations handle that data and what they can use it for.

In a discussion at TechUK's London headquarters today, Rob Luke, deputy information commissioner of the Information Commissioner's Office (ICO), said that organisations typically ask the UK data watchdog for granular guidance: "Often people will say to us: 'tell us what we need to do'."

He added that the ICO was "working at pace to produce detailed guidance, both at national level but also European level guidance produced by the Article 29 EU Working Party, to which we are making a major contribution".

Organisations should be proactive in gaining compliance, rather than adopt a reactive approach to their GDPR preparations, motivated solely by a mindset of compliance or risk management, the ICO contends.

"Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law," says Luke.

"Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won't go far wrong," he adds.

Luke believes that preparations for the forthcoming regulations boil down to two words: "transparency" and "accountability".

"Being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business," Luke explains.

GDPR, he believes, is a board-level issue no matter the size of the company, not least because under GDPR the regulator "wields a bigger stick". For the most serious violations of the law, the ICO will have the power to fine companies up to €20 million or 4% of a company's total annual worldwide turnover, whichever is larger.

But the cost to business of poor practice in this area goes above and beyond any fine the ICO could impose, Luke argues.

"Losing your consumers' trust could be terminal for your reputation and for your organisation," he says. "A model where organisations take an approach to data protection which earns the trust of consumers in a more systematic way [is better]. And where that trust translates into competitive advantage for those who lead the charge."

Andrew Rogoyski, vice president of cyber security services at CGI UK, urges boards and CEOs to plan how their firms will achieve compliance, but doesn't think organisations could already be compliant with one year to go.

He warned that the regulations could "amplify potential share price movements as a result of a data breach" and therefore boards' and CEOs' attention is "crucial".

While GDPR is helpful now, he thought it would be different in a few years' time. "If you think about 2025 and automation there will be key differences in handling information and privacy."

David Erdos, a lecturer in law and the open society at Cambridge University, sees GDPR as a step up in terms of a rules-based approach. "The aim is harmonisation across Europe, but derogations from this will have an important impact," he says.

Erdos adds that he doesn't think the UK will move away from the EU's fundamental values on data protection following Brexit.

Emma Butler, data protection officer at digital identity firm Yoti, says that adhering to GDPR regulations starts in the legal department but "actually it is [about] change management".

"GDPR is an opportunity to make sure you are doing information governance really well," she claims, adding that there are threats and risks coming from GDPR but these shouldn't be an organisation's sole focus.

Antony Walker, deputy CEO of TechUK, believes there are questions about whether the UK will continue to stay in step with evolving data policy discussions in Europe, adding that the ICO is "clearly very influential" but Brexit now "limits the amount of time available to consider how to implement GDPR in a UK context".

Picture credit: Rene Millman/IT Pro
