Cramming for compliance - last minute GDPR advice from the ICO
Last month saw a flurry of surveys and stories about organisations not being on track to be compliant with GDPR by the 25th May deadline. With this in mind, the Direct Marketing Association (DMA) organised a roundtable with experts in data and privacy to discuss what companies can do in the remaining 24 days.
Speaking at the event, senior policy officer at the Information Commissioners’ Office, Richard Sisson, said: “We are very keen that sectors be proactive - as proactive as they can." He added that organisations themselves should look at how GDPR would be applied specifically to their sector because the ICO needs to take a broader view and produce guidance for everyone - giving sector-specific advice is difficult.
"I wish industry would do more to self-help and produce guidance and codes."
Robert Bond, a solicitor and partner at Bristows and a member of the Data Protection Network, a group of privacy managers from a range of businesses and not-for-profits, noted that its guidance on consent had received positive feedback from the ICO, along with 53 comments and suggestions.
“The Information Commissioner Elizabeth Denham told us, ‘I wish industry would do more to self-help and produce guidance and codes’,” reported Bond.
Sisson stressed that GDPR compliance should be seen a journey, rather than a destination to be reached. “It’s an on-going thing. If you are working to the accountability principle, if you have records of what you are doing, if you have plans in place that show you are working towards compliance, we will take those things into consideration," he said.
"If you show trust to customers, then their trust will come back to you."
The senior policy officer also said openness and clarity is the key to earning trust from customers. “Something the ICO is very keen to promote is if you do these things well and you can show that to your customers, that you take care of their information, then their trust will have them come back to you,” said Sisson.
Bond’s key piece of advice was, “say what you do and do what you say.” This was important given that, in the past, privacy policies were often cut and pasted from other organisations or were written in obtuse language that nobody could understand. “We need plain, intelligible, concise information notices that tell people, ‘this is what we do,’ and then we go and do what we say we are doing. That’s how we’ll win trust - by being open.”
This same sentiment was expressed by Chris Combemale, the chairman of the DMA. He said: “The main thing is to be open, honest and transparent about what you are doing, and if you are offering a benefit, make sure that value proposition is very clear and well understood.”
The intent of GDPR is to create an economy that is based on trust.
Combermale referred to the results of a survey that the DMA conducted as to why openness resonates with consumers and aligns with the spirit of GDPR. “It found that 54% of people said trust is the most important reason as to why they'll share data, and the intent of GDPR is to create an economy that is based on trust.”
Richard Merrygold, director of group data protection at HomeServe, explained what happened when his company displayed openness and transparency by using its newsletter to make customers aware of an update to the privacy notice. He stated: “We said, ‘we suggest that you go and have a read. We want you to know who we are and what we do with your data’. The instant impact of that was a threefold increase in the number of subject access requests we got.”
Bond agreed that there will be a sharp increase in the number of subject access requests, initially from privacy advocacy groups. He also predicts that large scale data and privacy breaches after 25th May will lead to a proliferation of solicitors who might call themselves names such as databreachlawyers4u.com, offering to get compensation for victims on a no win, no fee basis.
Businesses are becoming aware that GDPR is a massive C-suite compliance issue.
The cost implications of such compensation claims could be immense. Bond made reference to a breach of the data of asylum applicants by the Home Office. The High Court awarded damages of between £2,500 and £12,400 each to six asylum seekers after their personal data was published on the Home Office website.
With such significant sums at stake, he said that businesses are becoming aware that this is a massive C-suite compliance issue. Bond said: “The businesses that proactively reach out and say, ‘you should trust us because we take a proactive approach,’ are going to manage the storm better than those who are pretending it isn’t going to happen.”