7 May 2019
Data Protection Act, nearly one year on
By Naomi Korn Associates
Photo by Joshua Sortino on Unsplash
It has almost been a year since the The Data Protection Act 2018 came into force 25 May 2018. For Elizabeth Denham, the ICO Commissioner, the crucial change that this law brought about is accountability;
‘It enshrines in law an onus on companies to understand the risks that they create for others with their data processing, and to mitigate those risks.
It formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.
And it reflects that people increasingly demand to be shown how their data is being used, and how it’s being looked after.’
These societal benefits are undeniable and in order to achieve lasting and genuine impact, practitioners must help their organisations to create a ‘Privacy by Design’ culture. Naomi Korn Associates is a keen advocate for this approach and has supported broader “rights and privacy by design” best practices through policy and procedural formulation for almost 20 years. Good data hygiene as well as understanding the importance of data management is vital, both in terms of commercial strategy and safeguarding data as something that is personal and not something which is vague and disposable. When processing data we are processing the details of a person’s life and so care should be given as if the details are our own.
The ICO have certainly been busy over the past year and are using their new capabilities to reprimand companies that fall below the standards that have been set. Facebook have made headline news but here are a few more examples, less well known.
- The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016. https://ico.org.uk/action-weve-taken/enforcement/uber/
- Heathrow Airport Limited (HAL) has been fined £120,000 by the Information Commissioner’s Office (ICO) for failing to ensure that the personal data held on its network was properly secured. https://ico.org.uk/action-weve-taken/enforcement/heathrow-airport/
- The University of Greenwich has been fined £120,000 by the Information Commissioner following a “serious” security breach involving the personal data of nearly 20,000 people. The personal data included contact details of 19,500 people including students, staff and alumni such as names, addresses and telephone numbers. However, around 3,500 of these included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records and was subsequently posted online. https://ico.org.uk/action-weve-taken/enforcement/the-university-of-greenwich/
The ICO clearly has the means and power to fine organisations for failing to uphold expectations. The guidance given last year by the ICO was often hazy, true, but one year on there are few excuses for not managing data lawfully. Further guidance has been supplied by the ICO on multiple topics within the last year such as encryption, exemptions and international transfers but the core principles remain the same.
Confidence in organisations’ ability to safely handle our personal data is key and the new regulation has given organisations’ the impetus they need to treat data management as an integral part of their business.
If you work for an organisation or are a practitioner interested in data protection training or consultancy, we can help. Please contact Patrick who would be delighted to speak to you firstname.lastname@example.org 0203 475 5122
(c) Naomi Korn Associates, 2019, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence