April 12, 2019

Shred-it response to ICO speech at CBI Cyber Security: Business Insight Conference

ICO seeks to address fears around GDPR at CBI Cyber Security: Business Insight Conference

While the initial flurry of activity around the introduction of the European Union’s new legislation the General Data Protection Regulation (GDPR) has calmed down, there’s still much confusion and fear in the minds of businesses and the general public about what it actually means.
 
To address these concerns, the Deputy Commissioner (Operations) at the UK’s Information Commissioner's Office (ICO), James Dipple-Johnstone, delivered a speech during the CBI’s Cyber Security: Business Insight Conference in September. Through that delivery, he sought to reassure businesses that the ICO recognises that no precautions are perfect, and no cybersecurity defences are immune to being breached. The role of the GDPR and the ICO is to ensure businesses are doing the best they can to mitigate risk.
 
So far, he pointed out, the ICO has not levied any fines under GDPR, and the ICO is fully aware that breaches will continue to happen in the GDPR era and it doesn’t intend to penalise businesses just because they are a target for criminals.
 
“If you take your responsibilities seriously,” says the ICO’s Deputy Commissioner (Operations), Mr. Dipple-Johnstone, “We will recognise that.”
 
Taking responsibilities seriously in this case means taking reasonable steps to protect data in line with official guidance. This includes adopting strong policies at the board level to ensure that the internal culture across a company is one that respects accountability and transparency; and recognises the responsibility you have for the personal data of your employees and customers.
 
Dipple-Johnstone wants to be reassuring, telling businesses that so long as they can show they are working in good faith to be compliant they have nothing to fear. The majority of the regulator’s work, he explained, is spent in audits, advisory visits and guidance sessions, not issuing fines left, right and centre.
 
Even so, not every business can receive direct advice from the ICO before it’s too late, and drawing up, implementing and monitoring policies is a difficult job to do from scratch. The processes for compliance, however, are straightforward if you approach them in a methodical manner. Demonstrating a commitment to be compliant in the event of an inspection or investigation by the regulator is critical – and as Dipple-Johnstone says, the ICO will recognise that.