Elizabeth Denham explores future of enforcement under GDPR

“I just want to remind you, there’s a whole set of new tools that we have that we intend on using and not just fines”

Elizabeth Denham is the UK Information Commissioner. She is the person overseeing our data protection laws, and she clearly has ideas, and an agenda, on how GDPR and DPA18 will be enforced in the UK.

These were made clear in a recent interview hosted by the Institute for Government. The whole speech is available on YouTube or on the Institute for Government website.

Our interpretation of the key points of interest for schools and LAs

“You will see an increase in enforcement”

Elizabeth Denham, Information Commissioner

No surprise here – we all expected that this would happen.

“I think government departments have got themselves over the line, as of 25 May 2018”

Elizabeth Denham, Information Commissioner

Spot on: there was a scramble to do the most basic reviews for May 2018.

“The GDPR is not Y2K for data protection so getting over the mark doesn’t actually get you all the way there.”

Elizabeth Denham, Information Commissioner

There are many people who think that because the world of data protection didn’t end on GDPR Day, that’s it. Oh no, it’s just the beginning!

“There’s much more to be done in public bodies and I am concerned about the level of resources that have been put into data protection.”

Elizabeth Denham, Information Commissioner

So true – school budgets are very tight with no extra resources. However, the ICO expects data protection to be implemented as required by law.

“We are doing more enforcement in the public sector”

Elizabeth Denham, Information Commissioner

Reinforcing again that public bodies will be part of her policing strategy.

“To comply, they have to do more than privacy notices and ensuring that they have the right process in place; they actually have to look at how they’re managing data and especially how they’re implementing new technology, including biometrics”

Elizabeth Denham, Information Commissioner

Her expectations are quite clear. Just looking at your privacy policy and determining the legal basis for processing is not enough. You need to carry out DPIAs and risk assessments on all high-risk processing, new and existing.

“I think a stop processing order against the large tech companies could actually have a greater impact than a fine.”

Elizabeth Denham, Information Commissioner

This is mind blowing! No organisation could survive this, and if you were to put this into the context of schools and school suppliers…

In schools this could mean:

  • No electronic registers
  • No electronic record keeping
  • No access to MIS
  • No online payments
  • No cashless catering
  • No CCTV

Everything would need to be done manually, back to the Victorian classroom!

“The first questions we’re going to ask when a data breach is reported is, show us your accountability program. Show us and prove to us that this data breach wasn’t just a one off, but you actually have the rigor of good sound data governance in place”

Elizabeth Denham, Information Commissioner

Accountability: that’s the key word here.

  • Where is the evidence of the way you manage breaches?
  • Where is your breach log, and is it laid out in the correct manner?
  • Show how you meet the 72-hour breach notification window.
  • You may have done much to align your data protection processes to the new laws, but where’s the proof?
  • Have you mapped your data and reviewed data sharing agreements? If so, prove it.
  • Where is the evidence that you have trained all staff?

Our recent article shows that the ICO has already started carrying out audits in MATs with some positive feedback on best practice.

Elizabeth Denham means business and we are going to be hearing a lot more from this lady.