GDPR and the ICO State of Play

Transcript of the video

Good evening ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut, and today I just want to bring you up to date with the ICO and their attitude towards compliance with GDPR. It was their data protection practitioners' annual conference today in Manchester, and I listened in for a while to the first few speakers. There was a live stream, in case you're wondering. I didn't just commute back to Manchester from Thailand to watch that. Just wanted to bring you up to speed on the ICO's view of the world, according to GDPR. It's nothing really different to what I've said before, but there were some interesting points that came out of it, and I think it's a useful reminder for all of us.

So Elizabeth Denham, who is the Information Commissioner, started off the conference and said a few very interesting things. Firstly that in her view, and indeed it should be our view, there isn't a deadline. People are talking about 25 May as a deadline and for her, it isn't a deadline. Arguably that's when the real work starts because what they're expecting is more. More data breach reports as business owners become more conscious of what a data breach is, and also with the backdrop of the increased sanctions and the increased fines of not reporting a data breach. If you watched the video that I did yesterday about data breaches, you'll know that if you are supposed to notify a data breach and you don't, then that potentially carries a fine of 10 million euros or 2% of your global turnover, whichever is the higher. Do go and watch that video, because you don't have to report every single breach. It's only in certain circumstances. So go and watch that video if you haven't done that.

But they're expecting more data breach reports and they're expecting more complaints because consumers will be becoming savvier about their data protection rights. I did a video about this a while ago, but it's today that the ICO is kicking off their consumer-facing campaign, raising awareness about GDPR. As I said in the video that I did a while ago where I was explaining that the ICO was about to do this campaign, that's why in my view it's so important to start taking steps to comply if you haven't already, because at this point very shortly, your customers are going to be asking you questions about how you are looking after their data. If you don't know what they're talking about or you can't show that you're working towards compliance and you don't show that you're treating their data protection seriously, then you really do risk losing customers and at the least damaging the trust that your customers will have in you.

So because the Information Commissioner's office is expecting more, in terms of more data breach reports, more complaints, they are building their team and they will be adding a number of enforcement officers to the ICO team. However, the Information Commissioner did repeat again that the ICO's approach is very much with the carrot, not with the stick. They really do want to work with businesses in helping businesses to become GDPR-compliant, not try to trip them up and then levy a big fine. It's not about a revenue-raising exercise. Hence with the self-reporting and the reporting of the data breaches, someone asked in the group as a follow-on from my video about data breaches, what will the ICO actually do when they receive a data breach? Well, they will, of course, investigate that and if they see that you have not complied and that's what's caused the data breach, then they will give you solutions as to how to comply, and will more than likely give you a period of time in which to show your compliance.

If, however, you don't report that data breach and a consumer reports you, and then the ICO goes to investigate, then you'll find that you're dealing with a very different situation. So that's what happens if you don't report the breach. If you do report the breach, then the ICO will more than likely work with you to try and get to the bottom of that data breach, work out why it happened, help you to put new systems and procedures in place that mean that that data breach won't be repeated, etc.

So that's what the Information Commissioner said, and she did again repeat that the fines will be reserved for the most serious breaches. So again, this has always been my standpoint right from the outset of creating this group. Indeed, one of the reasons that I created the group was that I was just fed up of seeing the headline fines and the scaremongering of 20 million. I guess, probably, the reason that people do it is because it's shorthand for, "You've got to pay attention to this", and of course you do. Even as small businesses, we do have to pay attention to this for a number of reasons. But the risk of being fined is probably not in the top five of those reasons, because in my view, for what most small businesses are doing with data, as long as you're working towards compliance, if there is a slight non-compliance you're not going to get fined. As I said, the ICO work with the carrot, not the stick.

What the fines do is represent the seriousness with which the European Commission, and indeed the UK in leaving Europe, and governments generally are taking data protection. That's why we all, even though we might be small businesses, we might be micro-businesses, we might be solopreneurs, still have to take it seriously, because at the end of the day we're in charge of other people's data and, as we know, data is now the most valuable asset in the world, so it is worthy of that protection.

Now then, Margot James, who's the minister for digital and creative industries, came on after the Information Commissioner. She had a few interesting things to say, but the main thing that I picked up on from her was she was talking about data portability, specifically in the context of social media platforms. I imagine that this is in the wake of the Facebook and Cambridge Analytica case, and I certainly got the impression that what she was envisaging was a world where, if Facebook users decided that enough was enough (Facebook should have had more controls in place that meant that what happened couldn't have happened) and they decided to move to a different social media platform, there should be some way in which I could port all of the data that I've uploaded ... I joined Facebook in 2007, so that's ... Goodness me ... 11 years, and I've put quite a bit of stuff onto Facebook.

There should be some way of me being able to port all of that data onto a different social media platform, which astonished me, and just the scope of that exercise astonished me. There was actually a question from somebody in the audience who said, "How on earth is that going to work in practice?" and she said, "Yes, the exact practicalities will need to be worked out sector-by-sector, I'm sure working with the advice of the ICO". What a technical operation that would be, when 11 years of all of the data that I've added to Facebook ... And I'm just one of their however many billion users ... And then to try and migrate that over to another platform, when they're all set out in such different ways. I thought that was astonishing, actually.

But presumably, what they're thinking with that is that if there is another Facebook case and people think, "I don't want to use Facebook anymore", but equally, "I don't want to use my 11 years of data that I've been inputting into that platform." I certainly would not close my Facebook account lightly, because of everything that's on there. But if users could, at the push of a button, transport all of that data onto a different social media platform ... Well, that would be a complete game changer, wouldn't it? It would certainly redress the balance of power between the big social media players and governments, and other social media platforms. So how exactly that would work, goodness only knows, but a great principle. How it'll work in practice remains to be seen.

So they were the ... As I say, the main interesting points from the first bit of the conference, but I think the main things to think about are, yes, 25 May is when GDPR comes into force, but that is not the end-game. As I've always been saying in my two-hour training and throughout these videos, GDPR is not about a legislative box-ticking exercise. It's about much more than that. It's about thinking of data protection in every step of your business's journey, and, as I say, the things that they're likely to expect more of: data breach reports, more complaints. We will have to watch this space, won't we? But they're certainly expecting more. That's what I'll be doing after 25 May. I'll be keeping a watching brief on what is going on in practice when GDPR comes into force, so it might be that I don't end my daily videos on 25 May. I might keep going.

Anyway, so that's all I want to say about that, and just the final point, remember ICO, carrot not the stick. If you're working towards compliance, which I know so many of you in this group are doing, if you are reporting breaches when you need to and taking all the steps that you can towards compliance, then you will find that the ICO will work with you, not against you. That's good to know, isn't it? It's comforting. Good stuff.

Okay, well I will leave it there. Got a few videos that I consciously want to do, so I think I've got the next few days lined up, but as ever, if you've got any other thoughts about what you'd like me to do a video on, then there is a note in the files section of this Facebook group where you can add any requests. Again, I've seen lots of questions in the group about individual circumstances. I just can't answer them all. I'm sure you can appreciate that. If I see that there are a number of people interested in something, I will do a video about it; otherwise I just can't answer individual questions.

If you do want that level of support, then you can think about joining my elite Small Business Legal Academy membership, and in that level of service, I do guarantee to answer your questions. So if you want to know about that, then you can email the support team at [email protected], and they will give you some more information about that. The elite membership, I believe, is still at a slightly discounted rate until 25 April, but the support team can give you more details on that. Okay, awesomeness. Thank you as ever for all of your engagement, and I'll see you tomorrow.