
Top tips for implementing GDPR from the ICO’s data protection officer

With four days until GDPR comes into force, the Information and Records Management Society (IRMS) hosted a keynote address from Louise Byers, Head of Risk and Governance at the Information Commissioner's Office (ICO), at the IRMS Annual Conference 2018. Addressing delegates, Byers (also the ICO's designated Data Protection Officer) took the opportunity to reiterate that “Friday is a beginning and not the end. The GDPR is not Y2K” and stressed information records management, collaboration and communication as key to compliance.

The GDPR and new Data Protection Bill will give the ICO new powers, enabling it to move at pace and secure information and evidence, which it sees as key requirements in the digital age. Byers commented on the ICO’s updated regulatory action policy that it recently published for consultation. “Our new powers will include no notice inspections, compelling people and organisations to hand over information and making it a criminal offence to destroy, falsify or conceal evidence.”

Byers added: “Our policy makes it clear that we won’t be changing our approach to fines in four days time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately, or negligently flout the law.

“If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action.” She also stressed that GDPR isn't just about massive fines: “It is about the public and it all comes down to building trust and confidence that people have in the organisations handling their data.”

Byers explained that the UK's planned withdrawal from the European Union has seen the ICO set two clear goals. The first is to maintain high standards of data protection for UK citizens and consumers, wherever their data resides. This includes uninterrupted data flows to Europe and the rest of the world, and legal certainty for business and law enforcement. The second is to continue to play a full role in EU institutions and maintain influence and strong working relationships with the members of the European Data Protection Board (EDPB, the EU body in charge of GDPR).

Byers commented: “We are making good progress on both fronts. The Government has made good on its promise to fully implement GDPR and is going further through the Data Protection Bill and other legislation. In two recent speeches, the Prime Minister has made the case for an ongoing role for the ICO in the European landscape. We don’t know yet whether that will be a seat on the EDPB with full voting rights or some other relationship, but we remain deeply committed to and embedded in the EU regulatory community.”

Byers has provided three pieces of advice for businesses:

  1. Information records management – Good records management is the starting point for everything: know what you have got, why you have got it and who made you have it. Where processing is based on consent, make sure those consent records are kept and that withdrawal mechanisms are clear and easy for people to use. And document when and why you made decisions, for future reference.
  2. Collaboration – Securing senior buy-in is crucial. Identify your accountability framework with clear roles and responsibilities within the organisation, and then tell people who they are. Make sure you work with all parts of the organisation to identify suppliers; this will help with privacy notices and contract clauses.
  3. Internal and external communications – Work with all areas of the business to deliver strong communications around the importance of compliance and breach reporting. Work with project managers, communications departments and other areas to promote privacy-by-design.

Summing up the impact of GDPR in one word, Byers focused on “People”, concluding: “If every organisation in this country followed the principles of the IRMS then our job would be relatively easy. But, I also know that we have a unique opportunity. An active information rights community applying the principles and the tools within the GDPR and the Data Protection Bill can do an awful lot to improve public trust.”
