The UK ICO’s Data Dozen – Perhaps it should be a “Bakers Dozen”?

Now that I’ve moved on from the ICO and have settled into my new role as Special Adviser with Allen & Overy I’m getting a different view of the world of data protection – the view of responsible businesses and those that advise them rather than a regulator’s view. Everyone I come across is working hard to get data protection right but inevitably can’t be 100% compliant 100% of the time, something that has long been recognised by the ICO. Assessing privacy risks and setting priorities must always be an integral part of “getting it right” as far as data protection is concerned.

Take the ICO’s latest “Data Dozen” on steps to take now to prepare for the General Data Protection Regulation (GDPR). It’s great to see that the ICO is leading the way amongst data protection authorities in publishing timely, practical advice on how to get ready for the future. It’s also great to see how much there is in common with A&O’s own, earlier list of 8 things you should be doing now to prepare.

Indeed it’s hard to take issue with any of the ICO’s “Data Dozen”. Quite rightly the emphasis is on taking stock of where you are now and assessing how far you fall short of meeting the GDPR requirements, whether it’s in relation to how you obtain consent, your handling of subject access requests, your preparedness for data breaches or a host of other matters.

And don’t forget that this approach might well reveal gaps in how far you meet current requirements. Although it’s a long time ago it’s worth reflecting on how, when the Data Protection Act 1998 first came in, many of the grumbles about the supposedly new and onerous requirements that it heralded were not actually about new requirements at all. In fact they were about what were requirements of the existing law that either hadn’t been understood or hadn’t been properly applied by quite a few data controllers. And anyway the distinction between what is current compliance, good practice and future compliance is not always clear cut.

Take, for example, privacy notices. The GDPR is explicit in stating that privacy notices must be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language…” but the fact that this is a new requirement can’t become  an excuse for continuing, for the next two years or more, with notices that are incomprehensible, legalistic or buried away in  small print. Almost regardless of the GDPR, privacy notices need to be evolving to keep up with the changing expectations of regulators, the courts and, most of all, those individuals it is whose personal data is being collected. The ICO is revising its Privacy Notices Code now, not waiting until 2018 and businesses should be echoing this approach.

Yes, do set your priorities and draw up implementation plans but those businesses that are most successful here are likely to be the ones that look on this as a process of transition rather than simply as a “Big Bang” coming in 2018. It’s also worthwhile embracing the spirit and not just the letter of the GDPR. Data protection officers are a good example. Even with the GDPR most businesses won’t be under an obligation to appoint a DPO but doing so doesn’t have to be onerous, is certainly in the spirit of the GDPR and will chime well with customers and with regulators so it might just be a prudent move anyway.

Top of the ICO’s “Data Dozen” is awareness. This is absolutely right but I’d couple awareness with governance. Again it’s been encouraging for me to see how much attention is paid to strong and effective data protection governance in the commercial world. Yes, decision makers and key people need to be aware of the changes that are coming down the track, but they also need to accept ownership, provide direction and put in place effective arrangements to deliver results that are right for the business, right for individuals and actually contribute to the underlying objective of the GDPR which is delivering real, better and more consistent privacy protection.

The steps in the ICO’s “Data Dozen” naturally focus on data controllers but I’m tempted to turn the list into a baker’s dozen by adding in something about processor obligations. The GDPR introduces direct legal obligations on data processors for the first time in many Member States so, if you supply services to others, ask yourself whether your business or, more likely, parts of your business are going to be caught. If so you also need to start preparing, not just to meet these legal obligations, which are accompanied by substantial penalties for failure, but also for how you and those you provide services to are going to allocate responsibilities between you and any liabilities that might arise from these.

Of course the GDPR isn’t all that’s on everyone’s minds at the moment. We also have the US Privacy Shield proposals, the possibility of a Brexit and, what seems like something new around every corner. Whatever view you have of the next few years of data protection, whether as a regulator, as a business or as an adviser there’s no doubt that it’s going to be a busy, challenging and eventful time for us all.