What the Information Commissioner (didn’t) do when she was on her holidays
August is a funny time of year, isn’t it? If you’re not on holiday – and as long as your colleagues’ absence hasn’t meant that you’re up to your eyes in their work – then August can be a great time to catch up on the things you’ve been putting off. Putting in plans for your ’peak’ season, reading some of those thought leadership articles you’ve downloaded and never had a chance to catch up on, swapping your wonky chair with a better one from the first floor, completing that mandatory e-learning course that no-one’s noticed you’ve not yet done, etc.
You could start blogging about your work and your organisation, make a commitment to write a blog every week and (the really impressive bit) actually do so. It would seem to be a strange time to start, though, when a large proportion of your audience is either away from work or distracted from their typical working routine.
However, that’s what Elizabeth Denham, the Information Commissioner, has done this month.
August is a funny time of year, isn’t it? If you’re not on holiday – and as long as your colleagues’ absence hasn’t meant that you’re up to your eyes in their work – then August can be a great time to catch up on the things you’ve been putting off. Putting in plans for your ’peak’ season, reading some of those thought leadership articles you’ve downloaded and never had a chance to catch up on, swapping your wonky chair with a better one from the first floor, completing that mandatory e-learning course that no-one’s noticed you’ve not yet done, etc.
You could start blogging about your work and your organisation, make a commitment to write a blog every week and (the really impressive bit) actually do so. It would seem to be a strange time to start, though, when a large proportion of your audience is either away from work or distracted from their typical working routine.
However, that’s what Elizabeth Denham, the Information Commissioner, has done this month.
Why? Well, I don’t think the Wilmslow area is renowned for its go-to summer events (though I see there is a Fun Dog Show and Fete in Over Alderley on bank holiday Monday), but there must be more to it than that.
Elizabeth Denham has made it clear that she’s on a mission to bust a number of ‘GDPR myths’ which she feels are unhelpfully misinforming organisations and standing in the way of their understanding and preparing for GDPR, in the guise of a new Data Protection Act.
So far the blogs have covered:
1. ‘Fake news’ – specifically criticising the media and some data protection commentators for over-emphasising the potentially very high level of fines that could be levied by the Information Commissioner’s Office (ICO) on organisations that don’t comply with GDPR. Both fair enough and – as a recent DMA and Quocirca article demonstrated https://dma.org.uk/article/the-ico-pragmatic-enforcement-and-the-gdpr – accurate.
Though it has to be said that “…fines of up to €20m or 4% of global turnover” probably remains the most reliable way of getting the distracted C-suite to pay attention to the dull old subject of data protection.
https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/
2. Consent – in this blog the Information Commissioner explains that Consent (which GDPR requires to be “…freely given, specific, informed and unambiguous”) is not the only basis for organisations to process personal data. Absolutely true, of course, but for most commercial organisations looking to market to people, then there are just two bases they may draw on; either Consent or Legitimate Interest. Legitimate Interest is a disputed area, reliant on a balancing of interests and the ICO won’t provide its guidance on it until next year. The Blog argues that even without the final word in guidance from the ICO, organisations can make a good start with their preparations – but lots of commercial organisations wanting to communicate directly with prospects and customers will be stymied without absolute clarity about the scope and applicability of Legitimate Interest.
https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/
The ICO does a really good job of communicating its regulatory and oversight work – and I’d typically recommend people go to https://ico.org.uk/for-organisations/data-protection-reform/ as their first stop for useful guidance. But the ICO doesn’t generally concern itself with correcting misunderstandings. That it is doing so now, starting in August of all times, is reflective of a confused situation which is only part of the ICO’s own making.
GDPR is misunderstood by some, confused with the forthcoming ePrivacy Directive by others and still totally disregarded by most. The first reading of the new Data Protection Bill will be in a few weeks, but some key pieces of ICO Guidance won’t be provided until next year.
So, any and all examples of myth-busting, reiteration, clarification and even reminders of what we won’t be told for some time yet from the ICO are welcome.
Keep up the blogging, Ms Denham!
