Out-Law News

Data protection must become 'a fundamental part of daily business practice', says expert


Organisations must treat data protection as "a fundamental part of daily business practice" to ensure legal compliance, particularly under forthcoming new legislation which takes effect next year, an expert has said.

Data protection law specialist Rachel Forbes of Pinsent Masons, the law firm behind Out-Law.com, said recent comments made by the UK's information commissioner should prompt businesses to step up their preparations for the new General Data Protection Regulation (GDPR).

In a speech earlier this week, Elizabeth Denham said the GDPR will require businesses to "change their entire ethos to data protection", and warned that the Information Commissioner's Office (ICO) could issue fines on companies over failings of accountability.

Forbes said this would mark a change in approach from the ICO as, up until now, the watchdog has issued most of its fines for breaches of the Data Protection Act in relation to failings on data security.

Denham said: "For the most serious violations of the law, my office will have the power to fine companies up to €20 million or 4% of a company’s total annual worldwide turnover for the preceding year. In an ideal world we wouldn’t need to use those sticks, but policy makers are clear that breaches of personal privacy are a serious matter. Last year we issued more than £1m in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use."

"And our enforcement powers aren’t just for ‘typical’ data breaches, like laptops left on trains or information left open to a cyber attack. The GDPR gives regulators the power to enforce in the context of accountability – data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation," she said.

The GDPR was finalised last year and will come into force across the EU on 25 May 2018, including in the UK.

Forbes said that while that may seem quite a long way off yet, the new rules, and the approach to regulation as indicated by the ICO, require many organisations to change their culture. She said it is vital that businesses "start getting things in place now".

"Businesses really need to start analysing and putting people and processes in place to assess, and rectify where necessary, their current approach," Forbes said. "It is important for businesses to know where they are, where they need to be to be Data Protection Act compliant if they are not already, and where they need to be in 16 months’ time to be GDPR compliant – and take positive steps to get there. It is not going to be an easy, quick or simple process." 

"Going forward, it is not going to be enough to make a business simply appear compliant, it needs to genuinely be a fundamental part of daily business practice," she said.

"For example, if businesses are put under scrutiny by the ICO, they will need to do more than just point to the policies they have in place. They will need to demonstrate that an issue or failing was a one-off or stemmed from a risk that would be considered unforeseen, rather than as a consequence of a systemic fault in the organisation's methods or behaviour. The ICO is likely to look behind the policies that are in place to ensure they are living and breathing and that they are properly understood and acted on by employees," Forbes said.