Out-Law News 1 min. read

ICO: businesses falling short on GDPR accountability


Businesses are falling short of meeting the General Data Protection Regulation's (GDPR's) accountability requirements, the UK's information commissioner has said.

Elizabeth Denham highlighted the issue in a speech at the 2019 Data Protection Practitioners' Conference on Monday.

"Accountability encapsulates everything the GDPR is about," Denham said. "It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks. It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation. And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after. But I’ll be honest, I don’t see that change in practice yet."

"I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out. And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional," she said.

Data protection law expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, explained how the requirements of accountability have been embedded in the GDPR.

"Accountability represents a fundamental shift from the UK's previous Data Protection Act of 1998, in that data controllers not only need to comply with the principles of data protection law but demonstrate how that is being achieved," Gillespie said.

"In practice, this means that organisations need to ensure that they not only have appropriate policies and procedures in place but that they can demonstrate through risk assessment, audit and review that that the processes being adopted meet the standards of the GDPR and the UK's new Data Protection Act of 2018. Essentially, the culture of compliance should be within the DNA of the business. There is inherent danger in businesses taking a formulaic or generic approach to their GDPR obligations," she said.

In her speech, Denham told conference delegates that they have the chance to use the GDPR's accountability requirements to alter the "cultural fabric" of their organisation.

"This next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes," Denham said. "An accountability approach gives those of you who have the skillset, who have the passion, a chance to see a changing world as an opportunity to have a real and lasting impact."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.