One of the critical questions regarding the General Data Protection Regulation (GDPR) is where regulators and the Government will focus when it comes to implementation and enforcement. Recent pronouncements from both the Information Commissioner's Office (ICO) and the UK Government give us some clues.
The first indication came in a speech given by the Information Commissioner, Elizabeth Denham, to the Institute of Chartered Accountants in England and Wales (ICAEW) on 17 January 2017.
The key word from the ICO is "accountability". What does this mean? It means changing the culture of an organisation so that it takes data protection and privacy seriously, and this is perhaps the most difficult aspect of any GDPR compliance programme. As the Information Commissioner explains in her speech, the onus will be on organisations to understand the risks around personal data and privacy and to mitigate them, not through box-ticking exercises, but through a framework that pervades the organisation and builds a culture of privacy. The focus will be on having effective data protection leaders, up-to-date training, and the capacity and controls to assess privacy risk across the entire organisation. It will not be enough to draw up policies that simply gather dust on a shelf.
In terms of enforcement, Elizabeth Denham draws on her experience in a similar role in British Columbia, where the emphasis was on policy advice, proactive investigations and audits, with accountability as the organising principle. The message is to expect the same from the ICO once the GDPR takes effect on 25 May 2018.
The UK Government also gave clues to its approach in its Cyber Security Regulation and Incentives Review, published in December 2016.
This is a review by the UK Government of whether additional steps need to be taken across the UK economy to boost cyber security. Its main outcome is that the Government sees the implementation of the GDPR as the principal lever for improving cyber risk management across the wider economy, while emphasising that it is for organisations to manage their own risk. In the Government's view, the GDPR will lead to significant change in how cyber risk is managed.
In this respect, the review specifically refers to the elements of the GDPR one might expect: mandatory breach notification to the ICO and, where the breach is likely to result in a high risk to individuals, to those affected (as opposed to the largely voluntary reporting under the current regime); the much higher fines regime; and provision for group litigation by individuals affected by a data breach. The review indicates that the level of fines will be used to incentivise good cyber security practice. However, it also points to less obvious areas of the GDPR that bear on cyber risk management: privacy impact assessments (termed data protection impact assessments in the GDPR itself); the concept of privacy by design; and the requirements for Data Protection Officers. This is very much aligned with the ICO's focus on accountability referred to above.
The review could not be clearer: it specifically says that cyber security will be at the centre of the way the Government promotes and implements the GDPR. There also appears to be a commitment to scale up the ICO's capability on cyber security issues and to ensure that the ICO works closely with the new National Cyber Security Centre (NCSC), part of GCHQ. With the ICO and NCSC working together, the Government promises clear information security principles for organisations, so watch this space.