Putting the GDPR into practice
As the UK regulator for data protection, the Information Commissioner’s Office (ICO) is overseeing the current data protection reforms in the UK and implementation of the GDPR. agendaNi discusses what it means for citizens and organisations.
UK Information Commissioner Elizabeth Denham describes the GDPR as a much-needed reform of data protection legislation rather than a totally new concept. “The GDPR is at root a modernisation of the law. The world has changed a lot since 1995, not only technology, but business models, people’s attitudes to their data, their demand that their information is properly looked after. The law needed to change too.”
The ICO, the UK’s independent authority, upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Its office in Belfast provides a local point of contact for members of the public and organisations based in Northern Ireland. As well as operating an advice service to address general enquiries on data protection and freedom of information, it promotes good practice in information rights by raising awareness of organisational responsibilities across all sectors. It also influences policy in related areas by working closely with the departments of the Northern Ireland Civil Service and the wider public sector.
Recently, much of the focus of the ICO has been around the GDPR and working to help organisations comply with its requirements by 25 May 2018, the date of implementation.
Offering a brief overview of what the GDPR means for the individual, Elizabeth Denham says: “The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it.
“Also, they’ll have the brand new right to data portability: to obtain and port their personal data for their own purposes across different services.”
The ICO has stressed that its guide, produced to help organisations ensure compliance, is a “living document” which it continues to expand in key areas. The guide includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative. Alongside its Guide to GDPR, the ICO has also produced a ‘12 steps to take now’ preparation document and two digital ‘Getting Ready for the GDPR’ checklists, one for data controllers and another for data processors.
Speaking about the impact of the GDPR on organisations, the ICO says: “The GDPR will include new obligations for organisations. Businesses will have to report data breaches that pose a risk to individuals to us at the ICO, and in some cases to the individuals affected.
“They’ll have to ensure that specific protections are in place for transferring data to countries that haven’t been listed by the European Commission as providing adequate protection, like Japan and India. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent.
“The real change for organisations is understanding the new rights for consumers and citizens. It’s an evolution of the current law and a step change that brings greater accountability, transparency and consumer control. These are the three pillars of data protection law that will give people agency over their information. Individuals will have stronger rights to be informed about how organisations use their personal data.
“They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.”
Who does the GDPR apply to?
The GDPR applies to both controllers, who determine the purposes and means of processing personal data, and processors, who are responsible for processing personal data on behalf of a controller.
The ICO explains that the GDPR places specific legal obligations on processors, including a requirement to maintain records of personal data and processing activities and a legal liability for any breach. However, controllers are not relieved of their obligations where a processor is involved. The GDPR places further obligations on controllers to ensure contracts with processors comply with the Regulation.
“The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. It applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
“This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
“The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – for example key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.”
Brexit
The UK’s Data Protection Bill, aimed at legislating for the changes that the GDPR will enforce, is currently going through Parliament. Describing the Bill as “one of the final pieces of much needed data protection reform”, Denham adds: “Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information within the digital economy, the delivery of public services and the fight against crime.”
Addressing any potential divergence from the GDPR once Brexit, in whatever form, is implemented, she says: “The exact form of legislation may vary the route, but the direction of travel for privacy and data rights remains the same.
“When I speak to people – regular people – they aren’t concerned about the details of GDPR or the new Bill or what legislation might follow it. They want to know ‘is my personal information safe?’ Who’s making sure it is? Who’s on my side?
“For me, the end game in the data protection field is always about increasing public trust and confidence in how their personal data is used. And I will always stand up for the privacy rights of UK citizens. That’s what the ICO wants to achieve. It’s our mission.”
The ICO has stated that the challenge facing the regulator and organisations, maintaining public trust and confidence while technology moves fast, is also an opportunity.
“In a world where technology is moving so fast, it’s hard for considerations of personal privacy to keep pace. But as the regulator it’s our job to protect the rights of citizens and ensure that privacy is afforded the same consideration as innovation,” says Denham.
“There is little doubt that there are challenging times now, and challenging times ahead. But we are well placed to tackle them. We have a voice. It’s a powerful one and it is heard around the world. But we are excellent listeners too. That is our strength.
“These challenges, they are opportunities. A chance to give people back control of their own data.”