What it was

A day of talks on Data Protection, with speakers from across Government, hosted by my Information Rights Team at the MOD in London on 16 November 2018.

What I learned

• Enormous amount of work across organisations in past six months to get compliant with the new data protection legal framework
• The sky did not fall in on 25 May! It was never a cliff edge in compliance, and organisations that were broadly compliant with the old legislation would have found compliance with the new legislation do-able.
• 94% increase in complaints received by the ICO this year versus last year
• The Data Protection Officer role is key. They are expected to be hands on in giving internal advice.
• It is more important to have a DPO in place than to worry about internal conflicts of interest
• New technologies are posing new challenges e.g. face recognition and biometrics. Biometrics are a specific new category of information under the new legislation.
• Data protection impact assessments must be completed for processing that is likely to result in high risk to individuals. You must come to the ICO if you identify a risk you cannot mitigate.
• Breach reporting: not later than 72 hours, and must inform the subjects if there is risk of significant harm
• ICO getting about 1400 beach reports per month. Part of their work now is in educating people not to over-report!
• New regulatory action policy sets out new provisions and regulatory priorities for the coming year
• ICO has published a technology strategy, covering the next three years, aiming to regulate new technologies such as AI and big data
• The number of people who have trust and confidence in how organisations store and user their personal information has gone up, from 25% to 34%
• The public are more likely to have trust and confidence in public authorities handling their personal data than private companies
• ICO’s fundamental objective is to build a culture of data confidence in the UK
• Fundamentals of being prepared for a breach – Have an evidence base in place:
  • A DPO
  • a breach procedure
  • Policy relating to the personal data asset ( how long to keep it etc)
  • Evidence of staff training
  • Privacy notice
  • Data protection impact assessment
  • If using a processor, contractual clauses covering GDPR obligation
  • Data sharing agreements
  • Cyber security certificates

I gave the closing address. My main points were:

• We have seen numerous valuable internal and external perspectives.
• Some common themes emerging, e.g:
• Governance – organisations have not yet settled on a common model
• Still firming up on breach reporting – what constitutes a reportable breach?
• GDPR has rocketed Data Protection up the priority order in almost all organisations – we need to capitalise on that interest
• Worth taking stock of what we do in defence – remember that our challenges are very significant. We are essentially a microcosm of Government in terms of the services we provide to the Armed Forces, and many of our component organisations are larger than whole Government Departments
• The counterpart to GDPR compliance is risk. What is an acceptable level of breaches? Is risk always necessarily a bad thing in Data Protection?
• The analogy is Heath and Safety – contrary to popular myth, having a strong health and safety culture doesn’t stop you from doing things. In fact it’s the opposite – having a strong H&S culture enables you to do riskier things!
• In defence, we want to excel at exploiting information, therefore we need to excel at compliance too.
• Thanks for coming, thanks for your work. As I’ve said before, our biggest asset is you.
• To borrow from Churchill – it is not the beginning of the end for GDPR compliance, but it is perhaps the end of the beginning

What I will aim to do differently as a result

• We need to establish with ICO when, whether and how MOD will apply the Defence exemption under DPA18
• Establish whether our information stewardship construct will meet the direction coming from DCMS that we should separate the DPO from the data policy function