Three Top Tips for Implementing GDPR from the ICO’s Data Protection Officer Regulating the Regulator

“Friday is a beginning and not the end. The GDPR is not Y2K” Louise Byers Delivers Keynote at IRMS Conference 2018 in Brighton

With four days until GDPR enters UK law, the Information and Records Management Society (IRMS) hosted a keynote address from Louise Byers, Head of Risk and Governance at the Information Commissioner’s Office (ICO), at the IRMS Annual Conference 2018. Addressing delegates, Louise Byers (also the ICO’s designated Data Protection Officer) took the opportunity to reiterate that “Friday is a beginning and not the end. The GDPR is not Y2K” and stressed information records management, collaboration and communication as key to compliance.

New data protection powers for the ICO

The GDPR and new Data Protection Bill will give the ICO new powers, enabling it to move at pace and secure information and evidence, which it sees as key requirements in the digital age. Louise Byers commented on the ICO’s updated regulatory action policy that it recently published for consultation. “Our new powers will include no notice inspections, compelling people and organisations to hand over information and making it a criminal offence to destroy, falsify or conceal evidence.”

Byers added: “Our policy makes it clear that we won’t be changing our approach to fines in four days’ time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately, or negligently flout the law.”

Byers added: “If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action.” She also stressed that GDPR isn’t just about massive fines: “It is about the public and it all comes down to building trust and confidence that people have in the organisations handling their data.”

Brexit and GDPR

Louise Byers explained that the UK’s planned withdrawal from the European Union has seen the ICO set two clear goals. The first is to maintain high standards of data protection for UK citizens and consumers, wherever their data resides; this includes uninterrupted data flows to Europe and the rest of the world, and legal certainty for business and law enforcement. The second is to continue to play a full role in EU institutions and maintain influence and strong working relationships with the members of the European Data Protection Board (EDPB, the EU body in charge of GDPR).

“We are making good progress on both fronts,” noted Byers. “The Government has made good on its promise to fully implement GDPR and is going further through the Data Protection Bill and other legislation. In two recent speeches, the Prime Minister has made the case for an ongoing role for the ICO in the European landscape. We don’t know yet whether that will be a seat on the EDPB with full voting rights or some other relationship, but we remain deeply committed to and embedded in the EU regulatory community.”

Three pieces of advice to mark you out as a data protection leader, from the ICO’s DPO regulating the regulator

  1. Information records management – “Good records management is the starting point for everything – know what you have got, why you have got it and who made you have it. You need to make sure that when processing is based on consent, those records are kept and that withdrawal mechanisms are clear and easy for people to use. And, document when and why you made decisions for the future.”
  2. Collaboration – “Securing senior buy-in is crucial. Identify your accountability framework with clear roles and responsibilities within the organisation and then tell people who they are. Make sure you work with all parts of the organisation to identify suppliers; this will help with privacy notices and contract clauses.”
  3. Internal and external communications – “Work with all areas of the business to deliver strong communications around the importance of compliance and breach reporting. Work with Project Managers, communications departments and other areas to promote privacy-by-design.”

Summing up the impact of GDPR in one word, Louise Byers focused on “People”, concluding: “If every organisation in this country followed the principles of the IRMS then our job would be relatively easy. But, I also know that we have a unique opportunity. An active information rights community applying the principles and the tools within the GDPR and the Data Protection Bill can do an awful lot to improve public trust.”

The UK’s leading conference for information and records management professionals is taking place from 20th to 22nd May 2018 at the Hilton Brighton Metropole.