As the final few days count down until the GDPR becomes law, the Information Commissioner’s Office (ICO) reassured conference delegates that the regulation is an opportunity rather than a barrier.
Speaking in the opening keynote at the IRMS conference in Brighton, Louise Byers, head of risk and governance at the ICO, who also acts as the regulator’s data protection officer, and is responsible for the ICO’s records and management team, opened by acknowledging that she is in a unique position but “faces some of the same challenges and some of the same conversations that you are facing today as well.”
She said that as “custodians of information and data, records management professionals have a unique role to play in safeguarding information rights,” and referencing a talk given in April by the Information Commissioner Elizabeth Denham, she said: “There’s never been a better time to be in data protection.”
She said that the recent allegations surrounding Cambridge Analytica have given the public an opportunity to focus on privacy and on how their data is handled.
“The GDPR rebalances the relationship between the public and organizations and it gives greater control over how their data is used, and it compels organizations to be transparent about their actions, but it doesn’t end there.”
Referring also to new regulations such as the NIS Directive and the E-Privacy Directive, Byers said that “Friday is a beginning not an end” and that “GDPR is not Y2K”, but rather an opportunity to revolutionize the way that businesses work and engage with those who matter most to them.
Byers said that those organizations that thrive under the rules will see an opportunity to commit to data protection and embed it in their policies, processes and culture, and that some organizations are “embracing it for the opportunity it presents rather than the perceived barriers it throws up.”
Regarding its position as the regulator of the GDPR, Byers said that “we’re expecting more of everything.” This includes: more breach reports as the law requires it; more complaints as people will be better informed of their rights; and greater engagement as businesses turn to the ICO for advice at the outset of projects.
This has allowed the ICO to “develop, to grow and reinvent ourselves.” It has brought a “fundamental” series of changes at the ICO, including its mission on transparency in the digital economy, recruitment, funding and its approach to technology under its new three-year strategy.
Byers went on to say that the ICO will “not be changing our approach to fines in four days’ time,” but that its aim is to prevent harm and to put support and compliance at the heart of its regulatory action.
While voluntary compliance is the preferred route, she said that action will be taken where necessary, backed up with “hefty fines” that can be levied on those organizations that persistently, deliberately or negligently flout the law.
In conclusion, Byers said that the ICO’s 12 Steps to GDPR compliance guidance has been downloaded six million times in two years, and that the ICO will be updating its guidance as things change in the future. In her position as the ICO’s data protection officer, Byers identified three key areas for achieving compliance:
- The first concerns information rights and records management, as this is “the starting point for everything as it enables you to know what you have got, and who knows what you have.”
- The second is collaboration: securing senior buy-in is crucial, as is working with all parts of the organization to identify key players.
- The third is communications, both internal and external, and working with all areas of the business to deliver strong communications around the requirements and the importance of breach reporting and recording.
“If I had to sum up the impact of GDPR in one word, it would be people,” she said. “This is all about individuals, balancing the law and increasing the public’s trust and confidence in the way their data is handled.”