Accountability the new normal from the ICO
The latest Data Practitioner’s Conference was in Manchester recently, and the Information Commissioner, Elizabeth Denham, told the gathering that as GDPR was now a year old, the focus of the ICO for the future would be on Accountability.
What does this mean for UK companies? It means you need to ensure you have documented your thinking regarding the processing of personal data. For example, why did you think that a particular activity would have a lawful basis of legitimate interest? Did you do a legitimate interest assessment? Can you find it quickly?
Or what did you consider when you started designing a new software system? Can you show that you were thinking of data protection from the outset?
Many firms are using legitimate interest as their basis for processing personal data, but without a legitimate interest assessment that choice cannot be considered properly thought through. The ICO has a legitimate interest assessment template on its website, which can show that your thinking was detailed, structured, and compliant.
If you can’t demonstrate your thinking about processing personal data, then you risk being found to be non-compliant. Perhaps the fines won’t be large, and it might be a smack on the wrist, metaphorically speaking, but the ICO’s findings and comments will be published for all to see. Your customers might not be too happy with your laissez-faire approach to personal data, and might opt not to renew or purchase from you again.