Beyond Law: Ethical Culture and GDPR

What it was

A CIPR Business Ethics Briefing, completed as part of my CIPR continuous professional development.

What I learned

GDPR can be seen as a gift – an opportunity for fresh thinking and a challenge to make sure we are being fair and open in our dealings with customers.

At heart, GDPR seeks to give control to individuals over how organisations use their personal data (and to harmonise such privacy laws across the EU).

Getting GDPR wrong could mean significant fines, negative publicity, loss of trust, reputation and brand damage, legal actions and regulatory enforcement.

Rather than embracing GDPR out of fear of the negative consequences, organisations can look to how it supports ethical business practice.

The need to separate Ethics from Compliance – “Ethics starts where the law ends”. Compliance is arguably too narrow a prism through which to see GDPR.

The briefing proposes practical steps for ensuring that organisations use data ethically – and so comply with GDPR along the way.

What I will aim to do differently as a result

  • Consider the wider ethical considerations of GDPR in our implementation plans
  • Communicate the importance of the ethical usage of personal data, and importance of leaders setting the tone
  • Consider how our organisation could go beyond compliance and address cultural issues on data handling

MOD Data Protection Conference

What it was

A day of talks on Data Protection, with speakers from across Government, hosted by my Information Rights Team at the MOD in London on 16 November 2018.

What I learned

  • Enormous amount of work across organisations in past six months to get compliant with the new data protection legal framework
  • The sky did not fall in on 25 May! It was never a cliff edge in compliance, and organisations that were broadly compliant with the old legislation would have found compliance with the new legislation do-able.
  • 94% increase in complaints received by the ICO this year versus last year
  • The Data Protection Officer role is key. They are expected to be hands on in giving internal advice.
  • It is more important to have a DPO in place than to worry about internal conflicts of interest
  • New technologies are posing new challenges e.g. face recognition and biometrics. Biometrics are a specific new category of information under the new legislation.
  • Data protection impact assessments must be completed for processing that is likely to result in high risk to individuals. You must come to the ICO if you identify a risk you cannot mitigate.
  • Breach reporting: not later than 72 hours, and must inform the subjects if there is risk of significant harm
  • ICO getting about 1400 breach reports per month. Part of their work now is in educating people not to over-report!
  • New regulatory action policy sets out new provisions and regulatory priorities for the coming year
  • ICO has published a technology strategy, covering the next three years, aiming to regulate new technologies such as AI and big data
  • The number of people who have trust and confidence in how organisations store and use their personal information has gone up, from 25% to 34%
  • The public are more likely to have trust and confidence in public authorities handling their personal data than private companies
  • ICO’s fundamental objective is to build a culture of data confidence in the UK
  • Fundamentals of being prepared for a breach – Have an evidence base in place:
    • A DPO
    • A breach procedure
    • Policy relating to the personal data asset (how long to keep it etc)
    • Evidence of staff training
    • Privacy notice
    • Data protection impact assessment
    • If using a processor, contractual clauses covering GDPR obligation
    • Data sharing agreements
    • Cyber security certificates

I gave the closing address. My main points were:

  • We have seen numerous valuable internal and external perspectives.
  • Some common themes emerging, e.g.:
    • Governance – organisations have not yet settled on a common model
    • Still firming up on breach reporting – what constitutes a reportable breach?
    • GDPR has rocketed Data Protection up the priority order in almost all organisations – we need to capitalise on that interest
  • Worth taking stock of what we do in defence – remember that our challenges are very significant. We are essentially a microcosm of Government in terms of the services we provide to the Armed Forces, and many of our component organisations are larger than whole Government Departments
  • The counterpart to GDPR compliance is risk. What is an acceptable level of breaches? Is risk always necessarily a bad thing in Data Protection?
  • The analogy is Health and Safety – contrary to popular myth, having a strong health and safety culture doesn’t stop you from doing things. In fact it’s the opposite – having a strong H&S culture enables you to do riskier things!
  • In defence, we want to excel at exploiting information, therefore we need to excel at compliance too.
  • Thanks for coming, thanks for your work. As I’ve said before, our biggest asset is you.
  • To borrow from Churchill – it is not the beginning of the end for GDPR compliance, but it is perhaps the end of the beginning

What I will aim to do differently as a result

  • We need to establish with ICO when, whether and how MOD will apply the Defence exemption under DPA18
  • Establish whether our information stewardship construct will meet the direction coming from DCMS that we should separate the DPO from the data policy function