Businesses are falling short on GDPR accountability, says ICO head

Small business owners across the UK admit they are still “clueless” about GDPR. That was the headline of a post from December 2018. It seems that not a lot has changed since: businesses are still falling short of the GDPR’s accountability requirements, according to the UK Information Commissioner, Elizabeth Denham. Highlighting the issue in a speech at the 2019 Data Protection Practitioners’ Conference, Denham said: “Accountability encapsulates everything the GDPR is about.” She added:
It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks. It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet. … I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out. And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional.
Laura Gillespie, data protection law expert at Pinsent Masons, explained how the requirement of accountability has been embedded in the GDPR: “Accountability represents a fundamental shift from the UK’s previous Data Protection Act of 1998, in that data controllers not only need to comply with the principles of data protection law but demonstrate how that is being achieved.” She added:
In practice, this means that organisations need to ensure that they not only have appropriate policies and procedures in place but that they can demonstrate through risk assessment, audit and review that the processes being adopted meet the standards of the GDPR and the UK’s new Data Protection Act of 2018. Essentially, the culture of compliance should be within the DNA of the business. There is inherent danger in businesses taking a formulaic or generic approach to their GDPR obligations.
During her speech, Elizabeth Denham told conference delegates that they have the chance to use the GDPR’s accountability requirements to alter the “cultural fabric” of their organisations. “This next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes,” Denham said. “An accountability approach gives those of you who have the skillset, who have the passion, a chance to see a changing world as an opportunity to have a real and lasting impact.”

Source: Pinsent Masons