“This next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes.”Elizabeth Denham, Information Commissioner
Leading up to, and indeed since the implementation of the GDPR we had numerous conversations with schools, local authorities and EdTech suppliers regarding what the GDPR truly meant. The majority of those we spoke to were simply terrified about fines! We tried to reassure them that monetary fines and other penalties were not the essence of the GDPR, it was about the six principles and the overarching principle of accountability being able to evidence and demonstrate the steps you are taking to protect the personal data you hold and process.
During her opening speech at the ICO Data Protection Practitioners Conference (DPPC) in Manchester on 8 April, Information Commissioner Elizabeth Denham reinforced this message saying “For me, the crucial, crucial change the law brought was around accountability. Accountability encapsulates everything the GDPR is about.”
She went on to say that she is not yet seeing this focus on accountability in practice “I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits, we carry out. And you know, that’s a problem. Because accountability is a legal requirement. It’s not optional.”
We recently wrote a case study about the successes of a central approach to monitoring, managing and evidencing data protection across the London Borough of Merton. Derek Crabtree, DPO for schools in Merton was shortlisted for the Data Protection Officer of the Year award presented at the DPPC and offers the following advice to any local authority, multi-academy trust or outsourced DPO service looking for a centralised solution “Don’t be afraid to have difficult conversations with your schools. They are all worried about compliance, choosing the right supplier to help you manage this can help to ease the burden.”
The Information Commissioner said that accountability is an opportunity allowing data protection professionals to have a real and lasting impact on the fabric of their organisations. She also outlined how the ICO is trying to lead by example referring to various initiatives such as the challenge of Brexit – the ICO’s fresh approach to global relationships and how it influences the data protection debate.
Elizabeth Denham ended by referencing a quote from Alan Turing “We can only see a short distance ahead, but we can see plenty there that needs to be done” and in her words “There is plenty there that needs to be done. Let’s get on with doing it.”