What it was
A day of talks on Data Protection, with speakers from across Government, hosted by my Information Rights Team at the MOD in London on 16 November 2018.
What I learned
- Enormous amount of work across organisations in past six months to get compliant with the new data protection legal framework
- The sky did not fall in on 25 May! It was never a cliff edge in compliance, and organisations that were broadly compliant with the old legislation would have found compliance with the new legislation do-able.
- 94% increase in complaints received by the ICO this year versus last year
- The Data Protection Officer role is key. They are expected to be hands on in giving internal advice.
- It is more important to have a DPO in place than to worry about internal conflicts of interest
- New technologies are posing new challenges e.g. face recognition and biometrics. Biometrics are a specific new category of information under the new legislation.
- Data protection impact assessments must be completed for processing that is likely to result in high risk to individuals. You must come to the ICO if you identify a risk you cannot mitigate.
- Breach reporting: not later than 72 hours, and must inform the subjects if there is risk of significant harm
- ICO getting about 1400 breach reports per month. Part of their work now is in educating people not to over-report!
- New regulatory action policy sets out new provisions and regulatory priorities for the coming year
- ICO has published a technology strategy, covering the next three years, aiming to regulate new technologies such as AI and big data
- The number of people who have trust and confidence in how organisations store and use their personal information has gone up, from 25% to 34%
- The public are more likely to have trust and confidence in public authorities handling their personal data than private companies
- ICO’s fundamental objective is to build a culture of data confidence in the UK
- Fundamentals of being prepared for a breach – have an evidence base in place:
  - A DPO
  - A breach procedure
  - Policy relating to the personal data asset (how long to keep it etc.)
  - Evidence of staff training
  - Privacy notice
  - Data protection impact assessment
  - If using a processor, contractual clauses covering GDPR obligations
  - Data sharing agreements
  - Cyber security certificates
I gave the closing address. My main points were:
- We have seen numerous valuable internal and external perspectives.
- Some common themes emerging, e.g.:
  - Governance – organisations have not yet settled on a common model
  - Still firming up on breach reporting – what constitutes a reportable breach?
  - GDPR has rocketed Data Protection up the priority order in almost all organisations – we need to capitalise on that interest
- Worth taking stock of what we do in defence – remember that our challenges are very significant. We are essentially a microcosm of Government in terms of the services we provide to the Armed Forces, and many of our component organisations are larger than whole Government Departments
- The counterpart to GDPR compliance is risk. What is an acceptable level of breaches? Is risk always necessarily a bad thing in Data Protection?
- The analogy is Health and Safety – contrary to popular myth, having a strong health and safety culture doesn’t stop you from doing things. In fact it’s the opposite – having a strong H&S culture enables you to do riskier things!
- In defence, we want to excel at exploiting information, therefore we need to excel at compliance too.
- Thanks for coming, thanks for your work. As I’ve said before, our biggest asset is you.
- To borrow from Churchill – it is not the beginning of the end for GDPR compliance, but it is perhaps the end of the beginning
What I will aim to do differently as a result
- We need to establish with ICO when, whether and how MOD will apply the Defence exemption under DPA18
- Establish whether our information stewardship construct will meet the direction coming from DCMS that we should separate the DPO from the data policy function