Presentation given by Peter Brown, Senior Technology Officer, ICO as part of the BCS DMSG/ DAMA UK seminar on GDPR 12/6/17

1. GDPR: The Regulator’s
Perspective
Peter Brown
Senior Technology Officer
GDPR: Making it Real
DAMA-UK and BCS-DMSG, 12 June 2017

2. Openness by public bodies:
• Freedom of Information Act
• Environmental Information
Regulations
• RPSI
• INSPIRE
Privacy for individuals:
• Data Protection Act > GDPR
• PECR > ePR
• eIDAS (EID and trust services)
“Upholding information
rights in the public
interest”

3. GDPR: (Less than) a year to go…
General Data
Protection Regulation
EU 2016/679
In force: 04 May
2016
TODAY
Applies: 25 May
2018

4. DPA: the Data Protection Principles
2. Personal data
must be processed
for limited purposes
3. Personal data
must be adequate,
relevant, and not
excessive
4. Personal data must be
accurate and, where
necessary, kept up to date
5. Personal data must not
be kept for longer than is
necessary
1. Personal data
must be processed
fairly and lawfully
7. Personal data
must be
processed
securely
6. Personal data must
be processed in line
with the data subjects’
rights
8. Personal data
must not be
transferred to other
countries without
adequate protection

5. 2. Personal data must be processed
for specific, explicit and legitimate
purposes
3. Personal data must be adequate,
relevant, and limited to what is
necessary
4. Personal data must be accurate
and, where necessary, kept up to
date
5. Personal data must not be kept for
longer than is necessary
1. Personal data must be processed
fairly, lawfully and transparently
6. Personal data must be processed
securely
Accountability Principle:
The data controller shall be able to demonstrate
compliance with the above
GDPR: the principles relating to
data processing

6. Enforcement
action
Reputational
damage
Why bother?

7. When things go wrong

8. The opportunity
General Data
Protection Regulation
EU 2016/679

9. 77%
are concerned that
organisations are not
keeping their data
secure
Source: ICO Annual Track 2016

10. 14%
think they have
control over the use
of their personal data
Source: ICO Annual Track 2016

11. 20%
would definitely stop
using a company’s
services after hearing
of a data breach
Source: YouGov poll for Data Protection Day

12. Powers of the Supervisory
Authority

13. Powers of the Supervisory
Authority
• Investigation
– Including ‘data protection audits’
• Correction
– Including warnings, reprimands, bans on
processing and administrative fines
• Authorisation and advisory
– Including opinions, approval of BCRs,
accreditation and certification

14. Regulatory Action Policy
‘[The] “carrot and stick” approach
means that we will adopt a
targeted, risk-driven approach to
regulatory action – not using our
legal powers lightly or routinely,
but taking a tough and purposeful
approach on those occasions
where that is necessary’
https://ico.org.uk/media/1853/data-protection-regulatory-
action-policy.pdf

15. Five guiding principles
1. Transparency
2. Accountability
3. Proportionality
4. Consistency
5. Targeting

16. Regulatory Action Policy

17. Regulatory Action Policy
Goal #5: Enforce the laws we help shape and
oversee.
‘A new Regulatory Action Policy will be
prepared as part of our preparations for
the forthcoming EU data protection
reform package. It will be laid before
Parliament in 2018.’

18. Regulatory Action Policy
• We will take fair, proportionate and
timely regulatory action
• Identify areas of poor practice/non-
compliance
• Use all powers available to improve
practice, but will be fair and
proportionate

19. Security of processing

20. Security as a principle: compare and contrast
Directive 95/46/EC
“ … “
Regulation (EU)
2016/679
“Personal data shall be
processed in a manner that
ensures appropriate security
of the personal data,
including protection against
unauthorised processing and
accidental loss, destruction
or damage, using
appropriate technical or
organisational measures”
Note: Article 17 of the
Directive contains the
security provisions
transposed as Principle 7
DPA

21. ?
What does
compliance look
like today?

22. ?
What does
compliance look
like under
GDPR?

23. ICO activity
• Continuing to work on advice and guidance
– GDPR overview; 12 steps to take now; draft guidance on consent
– New GDPR-ready privacy notices code of practice
– GDPR assessment toolkit
– And more on the way (profiling, accountability)
– And outreach at events like these!
• Contributing to work at European level
– Published: Guidelines on data portability, data protection impact
assessments, data protection offices and lead supervisory authority
– In-progress: Profiling, consent, breach notification, administrative
fines

24. Preparing for the General
Data Protection Regulation (GDPR)
12 steps to take
now
https://dpreform.org.uk

25. 1. Awareness
2. Information you hold
3. Communicating privacy information
4. Individuals’ rights
5. Subject access requests
6.Legal basis for processing personal data

26. 7. Consent
8. Children
9. Data breaches
10. Data protection by design & DPIAs
11. Data protection officers
12. International

27. Toolkits

28. Getting ready for the GDPR
Five step process:
1.Accountability and
governance
2.Key areas to consider
3.Individuals’ rights
4.Breach notification
5.International
Provides overall rating
and suggestions for
improvement (where
applicable)

29. Information security assessment
Four step process:
1. Management and
organisational
information security
2. Staff and information
security awareness
3. Physical security
4. Computer and network
security
Provides overall rating
and suggestions for
improvement (where
applicable)

30. Guidance

31. Keep in touch
@iconews/iconews /icocomms /company/information
-commissioner’s-office
Subscribe to our e-newsletter at ico.org.uk, or find us on…
peter.brown@ico.org.uk