10/06/2019
GDPR - One year on - The focus of the ICO
We take a look at the focus of the ICO as we head into the second year.
We were surprised by the lack of attention that the anniversary of GDPR received across the press considering the impact that G-day had when it landed on 25th May 2018.
That being said, the ICO have published an update on what they have achieved in terms of supporting organisations and individuals as well as what their focus will now be as we move firmly out of the period of implementation into the operationalisation of GDPR on an enduring basis.
One of the key take-home messages is the Information Commissioner's own statement: “I want to see Data Protection Officers (DPOs) embedded and supported in their respective organisations by senior management”. In our experience, employees answering calls or working in the back office try their hardest to comply with Data Protection rules, but it is the drive, support and encouragement from senior managers that really brings about the change in behaviour that a company needs. We can work with senior management to help with that understanding and cultural shift, so that compliance is woven through the organisational structure.
Another key point is around “Accountability” with the ICO saying “The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated”.
Accountability is a fundamental part of GDPR, obligating organisations to take responsibility for complying with the GDPR and to be able to demonstrate that compliance.
This is a real shift in focus for organisations, forcing you to stand up and take action by ensuring that you have appropriate technical and organisational measures in place that meet the requirements of accountability. This includes things like:
> Implementing data protection policies;
> Having written contracts in place with organisations that process personal data on your behalf;
> Maintaining documentation of your processing activities; and
> Recording and reporting personal data breaches.
There are many more!
The ICO are clear that “For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively” continuing to say that “we will not hesitate to act in the public interest when organisations wilfully or negligently break the law.”
Statements like this should not be taken lightly. With the ICO increasingly using its powers to change behaviours, the actions that you take could leave you open to enforcement action if you are not complying with the rules of Data Protection.
Having a Data Protection Officer (DPO) in place, or an outsourced Data Protection Officer such as Beacon Consultant Services, will help you to ensure that you are meeting your obligations as a responsible organisation that cares about the personal data it processes.
Get in touch with us by giving us a call, dropping us an email or filling in the contact form on the website to discuss your data protection needs, or for a free, no-obligation health check to understand your current data protection risks.
The full update from the ICO can be found below.