Information Commissioner's Office
Blog: GDPR – One Year on
Blog posted by: Elizabeth Denham, Information Commissioner, 30 May 2019.
Last May marked a seismic shift in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Today, we’re publishing an update to share our reflections and learnings from the past twelve months. The change in the regulatory landscape has shown the importance of getting privacy right. People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations.
But there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.
A key area of work for my office during 2019/20 will be to support all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed. Where the law requires it, I want to see Data Protection Officers (DPOs) embedded and supported in their respective organisations by senior management.
The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.
Strong accountability frameworks are the backbone of formalising the move of our profession away from box ticking. They reflect that people increasingly demand to be shown how their data is being used, and how it is being looked after. They are an opportunity for data protection to be an enabler of growth and innovation whilst building people’s trust and confidence in the way their information is handled.
Just as organisations have had to change to meet the demands of the new regulations, so has my office. We have grown in size and capability as well as ambition, working tirelessly to provide guidance and expertise to individuals, to businesses, and to the public sector. We make sure our work is focussed on the areas of greatest risk as set out in our Regulatory Action Policy. This policy also describes our refreshed toolbox of enforcement powers in these areas - ranging from heavy fines to lighter sanctions depending on the relative harm to individuals.
We are committed to supporting DPOs and organisations to get things right. We celebrate and champion excellence in the data protection field. We recognise our role in helping small organisations to understand their responsibilities, but our role is not to be a ‘DPO for hire’ – responsibility for compliance lies with organisations. For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively. We are using the intelligence we have gained - from more than 40,000 data protection complaints since May 25 2018 and over 14,000 personal data breaches reported to us, as well as intelligence from other regulators and investigations we have instigated - to take robust action.
Many of the investigations launched with our new powers are now nearing completion and we expect outcomes soon, demonstrating the actions my office is willing and able to take to protect the public.
The past 12 months have been pivotal for data protection, but they are only part of the story. Preparing for, launching and bedding in the GDPR has posed many challenges – for the ICO as well as those we regulate. This update provides an overview of our experience in the first year of the GDPR, and shares information and insights that will be further explored in our Annual Report later this year.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.