The Information Commissioner has described an effective data protection regime as being “essential for our democracy.” Giving the keynote speech at the IAPP Europe Data Protection Intensive 2018, Elizabeth Denham began by saying that “there has never been a better time to be in data protection.” To support this, she went on to mention the fact that data protection is now being discussed at the highest levels of government in both the UK and the US, in light of the Facebook/Cambridge Analytica scandal.
Ms Denham went on to speak of the increased powers her organisation will enjoy under the General Data Protection Regulation (GDPR), which now comes into force in less than one month, by commenting:
“Under the GDPR I will have the power to audit all those who hold, use and share personal data. In other words, soon I will be able to look behind the curtain and see what those who hold our data and personal information are doing with it.”
She next warned firms that the heightened publicity surrounding data protection is likely to make consumers ever more willing to complain should they disapprove of the way their personal data has been handled.
The Commissioner commented:
“We’re expecting more of everything. More breach reports because the law requires it in high-risk cases. More complaints, because people will be better informed of their rights. Greater engagement as you turn to us for advice at the outset of projects and submit your [Data Protection Impact Assessments] to us.”
However, for any firms feeling daunted by all the talk of how the data protection regime is about to get tougher, Ms Denham also made mention of the extensive guidance on GDPR that is available via the Information Commissioner’s Office (ICO) website.
Ms Denham also highlighted that it will certainly not be the case under GDPR that firms will need to report every single data breach to the ICO. She also made clear that the largest fines will only be imposed for serious breaches of the law:
“I have no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route.
“But we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.
“Report to us, engage with us. Show us effective accountability measures. Doing so will be a factor when we consider any regulatory action.”
Ms Denham also gave a speech to the National Cyber Security Centre’s CYBERUK 2018 event. Whilst most of this speech concentrated on cybersecurity issues, she also took the opportunity to summarise firms’ obligations under GDPR as:
“The law requires you to be transparent and tell people what you will do with their data. You then have to stick to what you said.”
This speech also allowed her to highlight that data breaches will need to be reported to the ICO within 72 hours if the incident is “likely to result in a risk to people’s rights and freedoms.”
Specifically regarding cybersecurity, she called on firms’ boards of directors to address the issue personally, and not just leave it to their IT departments and/or external IT consultants.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.