Information Commissioner Elizabeth Denham has made it clear that while enforcement is part of her remit, she prefers that “education, engagement and empowerment” comes first, adding: “Prevention is better than cure”. It is a key point in how organisations and businesses should regard GDPR compliance, said Douglas McLachlan, a Partner at Anderson Strathern.
“There is this focus on 25 May, but the reality is that many will overshoot this date. The public sector is probably the best prepared, along with regulated and larger businesses. But a significant proportion of businesses are not ready, or at least not completely ready. The Information Commissioner recognises this; that compliance is a process, not an event.
“Working with clients on compliance, we have been getting them to look at their procedures and processes and using this as an opportunity to understand what data they hold, what they are doing with it – and what’s the legal basis for that – asking themselves are they collecting too much or keeping it too long? Making sure they have the right protocols, that they have strong defences, that staff are knowledgeable and trained, and that there is good governance.”
However, McLachlan believes that the problem for organisations and businesses may come from complacency: “The reality is that the Information Commissioner is not going to be inspecting everyone from 25 May; her office simply does not have the resources.
“But the risk is that if there is not a sudden rush of news, people become complacent; looking at 25 May as a bit like Y2K, the millennium computer bug which did not cause the problems that were anticipated – as though it was a big fuss about nothing.
“And the danger is that 12 or 18 months down the line, an organisation or business may become the victim of computer hacking, or maybe an employee will just lose a paper file full of people’s personal data – both of which could be a reportable personal data breach under GDPR.
“At this stage, the Information Commissioner may investigate the organisation further and the problems for them will stem from how little they have done to mitigate against a personal data breach occurring, or how little they have done in terms of GDPR compliance overall. If they have not considered and addressed their compliance risks and do not have good policies and procedures, and strong defences, in place then they risk a high-level fine.”
Data incidents occur, but you are for more protected against the consequences if you follow best practice, invest in your IT and physical security, and invest in and train your staff – Douglas McLachlan, Anderson Strathern.
So, McLachlan has been advising clients to conduct their own audit of what data they hold and process, for what purpose, on what legal basis, and how the data are handled. That includes looking at how well protected is the data. As well as good IT security, organisations and companies need also to look at their physical structures; the external and internal security of their building, how visitors are managed, and document handling issues such as shredding.
“The human element of data security can’t be overlooked either,” said McLachlan, “by having the right vetting procedures, good training, creating a culture of confidentiality and compliance where employees should not fear reporting a data incident. And these IT and human elements combine in terms of things like password strength and vulnerability to social engineering.
“The Information Commissioner recognises that data incidents occur, but you are for more protected against the consequences if you follow best practice, invest in your IT and physical security, and invest in and train your staff.”
Accountability and security
- Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.
- You need to put in place appropriate technical and organisational security measures to meet the requirements of accountability and the principle of “integrity and confidentiality” (security).
- There are a number of measures that you can, and in some cases must, take including: adopting and implementing data protection policies; taking a ‘data protection by design and default’ approach; putting written contracts in place with organisations that process personal data on your behalf; maintaining documentation of your processing activities; implementing appropriate security measures; recording and, where necessary, reporting personal data breaches; carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests; appointing a data protection officer; and (in the future) adhering to relevant codes of conduct and signing up to certification schemes.
- Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
- If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
- Being accountable can help you to build trust with individuals. It may also help you mitigate against any risks of enforcement action.
Please mind the gap… or healthcare may fall
Imagine sharing a lengthy train journey with others. From beginning to end, imagine how often you might hear ‘mind the gap’ messages about embarking and disembarking safely. Picture how navigating…
Women Lead: My journey from Dragons’ Den to Silicon Valley
Following her appearance on Dragons’ Den, Sheila Hogan, serial entrepreneur, founder and chief executive of digital legacy vault, Biscuit Tin, shares her experience of her time in the Den and…
Look anywhere – the future is ‘aged tech’. But Scotland needs to be more adventurous
Scottish Care, as the representative body of independent social care providers of care home, care at home and housing support services, has been working over several years with colleagues in…
Women Lead: Engineer turned entrepreneur
We are always fascinated by other people’s stories. It’s how we connect, grow and learn from each other. Until very recently I always felt like I didn’t have a story to tell. Who…
‘Women – together we will change the dynamic in tech’
I was inspired to start a career in technology when personal computers were in their infancy and the internet decades away. My childhood dream of becoming a scientist was shaped by…
It’s time to change the future of tech apprenticeships – and we need your help
In his latest exclusive column for Futurescot, Ross Tuffee, chair of the Skills Development Scotland (SDS) Digital Economy Skills Group, calls on tech employers to get involved in shaping the…
What AI difference a year makes
Amazingly, it’s been one year since the publication of Scotland’s AI Strategy. And what a year it has been. Demanding but rewarding, with good progress made and great foundations laid…
International Women’s Day: It’s time to harness power of women in technology
As we celebrate International Women’s Day, I hope to be part of a future where barriers that prevent women from competing on a level playing field in the work environment…