Information Commissioner's Office
Blog: GDPR – One Year on
Blog posted by: Elizabeth Denham, Information Commissioner, 30 May 2019.
Last May marked a seismic shift in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Today, we’re publishing an update to share our reflections and learnings from the past twelve months. The change in the regulatory landscape has shown the importance of getting privacy right. People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations.
But there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.
A key area of work for my office during 2019/20 will be to support all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed. Where the law requires it, I want to see Data Protection Officers (DPOs) embedded and supported in their respective organisations by senior management.
The focus for the second year of the GDPR must be beyond baseline compliance - organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.
Strong accountability frameworks are the backbone of formalising the move of our profession away from box ticking. They reflect that people increasingly demand to be shown how their data is being used, and how it is being looked after. They are an opportunity for data protection to be an enabler of growth and innovation whilst building people’s trust and confidence in the way their information is handled.
Just as organisations have had to change to meet the demands of the new regulations, so has my office. We have grown in size and capability as well as ambition, working tirelessly to provide guidance and expertise to individuals, to businesses, and to the public sector. We make sure our work is focussed on the areas of greatest risk as set out in our Regulatory Action Policy. This policy also describes our refreshed toolbox of enforcement powers in these areas - ranging from heavy fines to lighter sanctions depending on the relative harm to individuals.
We are committed to supporting DPOs and organisations to get things right. We celebrate and champion excellence in the data protection field. We recognise our role in helping small organisations to understand their responsibilities, but our role is not to be a ‘DPO for hire’ – responsibility for compliance lies with organisations. For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively. We are using the intelligence we have gained - from more than 40,000 data protection complaints since May 25 2018 and over 14,000 personal data breaches reported to us, as well as intelligence from other regulators and investigations we have instigated - to take robust action.
Many of the investigations launched with our new powers are now nearing completion and we expect outcomes soon, demonstrating the actions my office is willing and able to take to protect the public.
The past 12 months have been pivotal for data protection, but they are only part of the story. Preparing for, launching and bedding in the GDPR has posed many challenges – for the ICO as well as those we regulate. This update provides an overview of our experience in the first year of the GDPR, and shares information and insights that will be further explored in our Annual Report later this year.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.