Information Commissioner Elizabeth Denham acknowledged that she was “a long way from home” when she gave a recent speech to the International Privacy Forum in Wellington, New Zealand.
However, much that the head of the UK’s data protection watchdog said to her audience would also have been relevant to a British audience.
She began by referring to the recently introduced European Union General Data Protection Regulation (GDPR), and suggested it was now “a catalyst for law reform outside of Europe.”
Ms Denham added that GDPR had resulted in complaints made to the ICO from members of the public more than doubling in the space of six months, and that complaints about subject access, data portability and data security were especially common. She also referred to the increased number of breach reports the Information Commissioner’s Office (ICO) now needed to handle, especially as breach reporting is now mandatory in certain circumstances.
Firms are expected to report data breaches to the ICO within 72 hours if the incident is “likely to result in a risk to people’s rights and freedoms.” If the breach might expose the affected data subjects to harm or loss, the firm will also need to notify each of those data subjects. If a firm decides not to report a breach, it will need to be able to justify that decision, so it should document its reasons at the time.
The GDPR and recent high-profile data breaches have certainly made the general public more aware of data protection issues, and of the occasions when their data may not be handled appropriately. On this subject, the ICO chief commented:
“As people become more aware, they expect – they demand – greater safeguards and control. The ICO’s research tells us that only one in three people in the UK trust organisations to handle their personal data in line with the law. That’s better than it was, but it’s still not good enough.”
Nevertheless, Ms Denham said that it is not only firms that must adapt to the new data protection laws; her own organisation must do so as well:
“Now we are moving into a different phase where we engage with UK businesses and citizens differently. We need to be more of a collaborative, inquiring, helpful regulator — working with organisations on data protection impact assessments and codes of conduct. This is ICO 2.0.”
Impact assessments need to be carried out by firms in high-risk situations, for example where new technology is being used or where processing is likely to significantly affect individuals. These assessments must identify the risks that could arise from the change in practice and should consider how those risks can be mitigated.
Almost inevitably, Ms Denham could not end her speech without mentioning Brexit. However, she emphasised that “whatever happens, the UK government has committed to retaining the GDPR and a strong independent well-resourced ICO.”
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware that the facts, circumstances or legal position may change after publication of the article.