ICO issues warning to businesses as GDPR countdown reaches one year to go

Out-Law News | 25 May 2017 | 2:55 pm | 2 min. read

Businesses that cannot show that "good data protection is a cornerstone" of their "business policy and practices" will leave themselves "open to enforcement action" under the new General Data Protection Regulation (GDPR), the UK's information commissioner has said.

In a recorded statement marking one year to go until the GDPR will begin to apply, Elizabeth Denham warned businesses that enforcement action under the new Regulation could damage both their "public reputation and bank balance".

However, Denham said that businesses should be motivated to comply with the GDPR, which she described as the "biggest change to data protection law in a generation", due to the "business benefit" they can derive from doing so, and not just because of the threat of enforcement action.

"Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge," Denham said. "Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy and dignity of individuals. Over time this can play a real role in consumer choice, and now is the time to act."

The tone of Denham's message to boardrooms was replicated by deputy information commissioner Rob Luke in a speech he made at a techUK event in London on Thursday. Luke urged businesses "not to wait, nor … take a reactive approach" to their GDPR preparations. He said businesses should not be "motivated solely by a mindset of compliance or risk management".

"Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law," Luke said. "Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong."

In her statement, Denham explained that the GDPR will introduce "specific new obligations for organisations, for example around reporting data breaches and transferring data across borders". However, she said the "real change" for organisations will be in "understanding the new rights for consumers".

"Consumers and citizens will have stronger rights to be informed about how organisations like yours are using their personal data," Denham said. "They will have the right to request that personal data be deleted or removed if there's no compelling reason for an organisation to carry on processing it. There will be new rights around data portability and how they give consent. But at the centre of the GDPR is the concept of broader, and deeper, accountability for an organisation's handling of personal data."

"The GDPR brings into UK law a trend that we're seeing in other parts of the world: a demand that organisations understand and mitigate the risk that they create for others in exchange for using a person's data. It is about a framework that should be used to build a culture of privacy that pervades an entire organisation. It is about seeing the broader responsibility and impact of your work in your organisation on society," she said.

The GDPR will apply from 25 May 2018. Businesses face potential fines of up to 4% of their annual global turnover, or €20 million, whichever is higher, if they fail to comply with the new rules.

However, according to a recent survey, 42% of IT decision makers at large companies based in the UK, France, Germany and the US do not view compliance with the GDPR by the 25 May 2018 deadline "as a priority".

Data protection law expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said businesses should conduct a data protection audit to ensure they are ready to comply with the GDPR.