The tide is beginning to turn. In May this year, the UK Information Commissioner, Elizabeth Denham, heralded the arrival of the GDPR and the Data Protection Act 2018 with the forthright words – ‘laws built to last’. Our course through uncharted waters had been set.
“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning,” she wrote on the ICO blog. Data protection, Denham tells us, is an ‘evolutionary process,’ as no industry stands still. We must all continue to address privacy risks ‘in the weeks, months and years beyond 2018’.
Far from an idle threat to instil fear into boards of directors (or to drum up business for data protection practitioners), these words have already proven to be a prophecy fulfilled.
Leading by example, the ICO themselves have not been standing still. Alongside the routine name-and-shame enforcement action postings on the ICO website, they are also leading several projects to equip UK organisations with preventative data protection and privacy measures.
In their typically co-operative style, the ICO sent out a ‘Call for Evidence’ in June, with the aim of producing an ‘Age Appropriate Design Code.’
Children are afforded greater privacy under the GDPR. Written into the legislation are the words: “Children merit specific protection with regard to their personal data.”
To achieve this, organisations offering services to children have additional obligations to consider, such as providing privacy notification information in an age-appropriate way. As a post-May priority, the ICO has opened the consultation with such organisations to produce a code for processing children’s data. If this applies to you, take note. The ICO has made it clear it has little patience for organisations that don’t take the requirements of processing children’s data seriously.
Last year saw the ICO awarding grants with the aim of supporting innovative data privacy and security research and solutions. The programme is being repeated this year, with grants of £20,000 to £100,000 to be won. Organisations can bid with projects that meet one or more of six strategic goals, with the overall intention of increasing the public trust and confidence in how personal data is used.
Data in politics
The ICO has tackled the use of personal data in targeted political campaigns. An investigation has been ongoing since March 2017 and shifted focus in February this year at the break of the Cambridge Analytica affair. The Commissioner’s goal: “To effect change and restore trust and confidence in our democratic system.”
The result is a 60-page report explaining how campaigners have been using personal data to target voters by demographic and micro-target individuals on social media. The report also sets out the enforcement actions being taken against political parties, with Denham urging government, parliament and political parties to reflect on their responsibilities, and the importance of transparency in the use of data analytics.
Beyond the decks of the ICO too, the storm surges on. The Department for Digital, Culture, Media and Sport has opened a consultation with the aim of being able to impose fines of up to £500,000 on the directors of companies making nuisance calls. At present, regulatory fines are made against the company, which according to the DCMS consultation document means a minority of company directors continue to breach direct marketing rules with little regard for the consequences.
In Europe, the newly minted European Data Protection Board is tentatively stepping up to its advisory role with guidance on the upcoming changes to the ePrivacy regulations. It has also opened consultation on the ethics of artificial intelligence.
With such free-flowing resources available, there’s no excuse to be ignorant of the world of data protection. If your customers’ data is breached, we can’t stress enough how much more sympathetic the ICO will be if your organisation has embraced its data protection responsibilities and is shipshape.
To learn more or for help with data protection, GDPR compliance or any IT legal issues, email [email protected] or call 0191 211 7777.