Countdown to the General Data Protection Regulation (GDPR): The UK Information Commissioner’s Priorities
By Deborah Blaxell, Senior Consultant, Consulting Services
Elizabeth Denham, Information Commissioner for the U.K. since July 2016, joins the regulator at a time when the U.K. is undergoing seismic changes to its political and legislative frameworks. With Brexit looming large on the U.K.’s horizon, her role has never been more challenging.
During a recent well-attended seminar entitled “A Fireside Chat” held at Dentons LLP’s London offices on 17 October, she highlighted the following issues as just a few of the competing priorities the Information Commissioner’s Office (ICO) will be managing during the coming months:
ICO GDPR Priorities
Ensuring the Information Commissioner’s Office is an efficient, fit-for-purpose regulator:
- Internal restructuring: The volume of work at the ICO has increased dramatically over the past year, with a 34% increase in data breach notifications and an overall 12% increase in the volume of ICO casework. To respond to this growth, and to the increasingly complex nature of the matters the regulator is asked to respond to, a restructuring exercise is underway to ensure it has the right teams with the right skills in place to implement the ICO’s strategic plans. Recent additions include:
  - A new head of legal
  - A senior technical strategist, arriving in November
  - A new office opened in London to navigate the challenges of data protection laws in the U.K. post-Brexit
- Stress testing internal processes: On 7 November, the ICO will introduce a hotline for reporting data breaches. This will enable the ICO to:
  - Test its processes
  - Assess how it will cope with the anticipated increase in breach notifications post-May 2018
  - Implement new strategies in light of the results of the pilot
Recruiting and retaining the best and the brightest
The ICO is subject to the government’s public sector 1% pay cap, which has contributed to a startling 30% loss of staff over the past year, as the private sector lures ICO professionals with impressive salaries and promises of career progression. To be ready to implement the GDPR, the regulator estimates it will need at least 75 new staff members. However, recruitment is challenging and the commissioner has put a business case to the government to loosen the pay cap to help retain and recruit staff.
Helping U.K. organisations prepare for GDPR
The ICO is committed to helping U.K. organisations prepare for GDPR. The following are just a few examples of upcoming initiatives:
Helping small businesses: On 1 November, a new helpline will be launched to help small businesses prepare for the new data protection laws.
Providing guidance: The commissioner continues to work with the Article 29 Working Party toward a clear GDPR guidance note. The commissioner is also working on producing the ICO’s own user-friendly, anglicised guidance note, to be published by the end of 2017.
Encouraging innovation: Many organisations have asked whether the ICO might consider establishing a ‘regulatory sandbox’ – a safe place where organisations can discuss their preparation for GDPR without fear of enforcement action. The Financial Conduct Authority already does it. To this end, the ICO is taking advice on how a test environment might work.
Certification: Compliance with GDPR is not simply a “tick box” exercise. It is about creating a programme of data governance which organisations can produce to prove they are doing the required compliance work. Accountability is the linchpin that links all of the requirements of the GDPR together and the commissioner strongly supports the development of corporate certification around accountability to illustrate what a good compliance programme looks like.
Embracing the ICO’s role in Europe and forging new relationships beyond
Europe: The commissioner is a very active member of the Article 29 Working Party and believes that the ICO must continue to influence activities in Europe. The government also has ambitious plans to enforce the highest possible standards of data protection law so that the U.K. can achieve adequacy status allowing data to move freely between the U.K. and Europe post-Brexit. The commissioner will press for a continuing role in Europe for the ICO after Brexit and the continuation of good bilateral relations with her European counterparts.
Non-European relationships: While Europe is understandably the main focus of attention at present, the commissioner is also keen to facilitate stronger relationships with her counterparts in other countries such as Australia, Hong Kong, Canada, Singapore and New Zealand, which have strong or developing data protection regimes.
The commissioner has great ambitions for the ICO in the coming months and years, but is realistic about the challenges ahead. Above all, she is a pragmatist: for those organisations worried that their GDPR readiness programmes may not be fully compliant by 25 May 2018, she advises that the ICO will not be looking for perfection; rather, it will be looking for evidence of programmes working toward compliance. The ICO will not expect all organisations to be flawless from day one (although the commissioner did make the point that organisations have had two years’ notice to prepare) and will take a proportionate, reasonable, risk-based approach to enforcement.
However, make no mistake - if there is a serious contravention of the GDPR post 25 May 2018, there will be no amnesty. The law will be enforced.