MOD Data Protection Conference

What it was

A day of talks on Data Protection, with speakers from across Government, hosted by my Information Rights Team at the MOD in London on 16 November 2018.

What I learned

  • Enormous amount of work across organisations in past six months to get compliant with the new data protection legal framework
  • The sky did not fall in on 25 May! It was never a cliff edge in compliance, and organisations that were broadly compliant with the old legislation would have found compliance with the new legislation do-able.
  • 94% increase in complaints received by the ICO this year versus last year
  • The Data Protection Officer role is key. They are expected to be hands on in giving internal advice.
  • It is more important to have a DPO in place than to worry about internal conflicts of interest
  • New technologies are posing new challenges e.g. face recognition and biometrics. Biometrics are a specific new category of information under the new legislation.
  • Data protection impact assessments must be completed for processing that is likely to result in high risk to individuals. You must come to the ICO if you identify a risk you cannot mitigate.
  • Breach reporting: not later than 72 hours, and must inform the subjects if there is risk of significant harm
  • ICO getting about 1400 beach reports per month. Part of their work now is in educating people not to over-report!
  • New regulatory action policy sets out new provisions and regulatory priorities for the coming year
  • ICO has published a technology strategy, covering the next three years, aiming to regulate new technologies such as AI and big data
  • The number of people who have trust and confidence in how organisations store and user their personal information has gone up, from 25% to 34%
  • The public are more likely to have trust and confidence in public authorities handling their personal data than private companies
  • ICO’s fundamental objective is to build a culture of data confidence in the UK
  • Fundamentals of being prepared for a breach – Have an evidence base in place:
    • A DPO
    • a breach procedure
    • Policy relating to the personal data asset ( how long to keep it etc)
    • Evidence of staff training
    • Privacy notice
    • Data protection impact assessment
    • If using a processor, contractual clauses covering GDPR obligation
    • Data sharing agreements
    • Cyber security certificates

I gave the closing address. My main points were:

  • We have seen numerous valuable internal and external perspectives.
  • Some common themes emerging, e.g:
  • Governance – organisations have not yet settled on a common model
  • Still firming up on breach reporting – what constitutes a reportable breach?
  • GDPR has rocketed Data Protection up the priority order in almost all organisations – we need to capitalise on that interest
  • Worth taking stock of what we do in defence – remember that our challenges are very significant. We are essentially a microcosm of Government in terms of the services we provide to the Armed Forces, and many of our component organisations are larger than whole Government Departments
  • The counterpart to GDPR compliance is risk. What is an acceptable level of breaches? Is risk always necessarily a bad thing in Data Protection?
  • The analogy is Heath and Safety – contrary to popular myth, having a strong health and safety culture doesn’t stop you from doing things. In fact it’s the opposite – having a strong H&S culture enables you to do riskier things!
  • In defence, we want to excel at exploiting information, therefore we need to excel at compliance too.
  • Thanks for coming, thanks for your work. As I’ve said before, our biggest asset is you.
  • To borrow from Churchill – it is not the beginning of the end for GDPR compliance, but it is perhaps the end of the beginning

What I will aim to do differently as a result

  • We need to establish with ICO when, whether and how MOD will apply the Defence exemption under DPA18
  • Establish whether our information stewardship construct will meet the direction coming from DCMS that we should separate the DPO from the data policy function


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.