GDPR: Accountability and company culture

GDPR: Six months on

By Emma Harbour, Senior Commercial Lawyer at Wavelength.law

This time last year it was hard to see beyond 25th May 2018. It felt like the date had almost assumed the significance of 31st December 1999. In the week leading up to the 25th we were all inundated with emails asking us to re-consent to receive marketing communications and to read shiny new versions of privacy policies. All this whilst trying to ensure we were ourselves complying with the GDPR’s requirements. Six months later, what should we be focusing on now and in the months ahead?

I mentioned marketing re-consents and privacy policies in my introduction. I think that most organisations focused on these areas before the 25th May, particularly those organisations that rely heavily on consumer marketing. What is less obvious is how many organisations addressed the GDPR requirements that are not visible to anyone outside the organisation.

A key change with the GDPR was the introduction of a new principle: accountability. This states that organisations shall be responsible for, and be able to demonstrate compliance with, the other data protection principles, which are summarised as:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

The Information Commissioner’s Office (ICO) regards the new accountability principle as an opportunity for organisations to gain a competitive edge by showing that they respect individuals’ privacy. In addition, if an organisation experiences a breach, then being able to demonstrate that it considered the risks and put appropriate safeguards in place will assist in mitigating any possible enforcement action.

In this blog post I want to focus on accountability in respect of the integrity and confidentiality principle, i.e. security. The ICO has recently published two sets of detailed guidance on aspects of security (encryption and passwords). If you have not already assessed the effectiveness of your security measures, then with the ICO focusing on the subject, now is a good time to do so.

The security principle requires that organisations ensure appropriate security of personal data (to protect against various risks) using appropriate technical and organisational measures.

But what constitutes ‘appropriate’ measures? The GDPR does not include a mandatory list. Instead, appropriate measures are those which are appropriate to your organisation after you have fully risk-assessed your processing activities (allowing for the state of technological development and the costs of implementation). ‘Appropriate’ measures therefore amount to more than including a paragraph about security in your privacy policy.

The ICO[1] advises that an organisation should consider factors such as:

  • the nature and extent of an organisation’s premises and computer systems;

  • the number of staff and the extent of their access to personal data; and

  • any personal data held or used by a data processor on an organisation’s behalf.

Whatever measures you choose to adopt, you must be able to ensure the following:

  • the ongoing confidentiality, integrity, availability and resilience of your processing systems and services; and

  • the ability to restore availability and access to personal data quickly.

When you are happy that you have achieved these two requirements, you must then regularly test the effectiveness of your security measures.

The GDPR also requires organisations to consider whether the use of pseudonymisation and encryption of personal data may be appropriate. The ICO’s guidance on encryption refers to having seen numerous examples where damage or distress caused by unlawful processing or destruction of personal data may have been reduced or even avoided if encryption had been used.

The ICO makes the point that the cost of encryption solutions is now relatively low and that they are widely available. Accordingly, it advises that where unencrypted personal data is lost or destroyed, it may decide to pursue regulatory action.

As part of your security risk assessment you should therefore consider whether the use of encryption is appropriate and then document your reasons for adopting it or deciding on a different protection mechanism.

If you are unsure where to start with carrying out a security risk assessment, then the Security section of the ICO’s Guide[2] is a good place to begin. Their advice is clearly written, and the most recent guidance on encryption and passwords includes detailed technical and practical advice.

Six months later, my key takeaway is that we should no longer view GDPR compliance as a standalone project to be achieved, but as a way of working that is embedded into an organisation’s culture.

[1] Guide to the General Data Protection Regulation (GDPR)

[2] ICO Guide to the GDPR (Security)

About the author: Emma Harbour is a Senior Commercial Lawyer at Wavelength and has spearheaded many of our GDPR initiatives.

Thanks for reading this post. I’d like to hear your thoughts: get in touch or subscribe to be the first to receive our latest blog posts.

Emma Harbour