ICO conference and cyber threat report
In the final run-up to GDPR - there are now fewer than 35 working days until it comes into force - two significant events have taken place. They both offer insights into some of the questions law firms are grappling with.
The first was the 11th Data Protection Practitioner’s Conference of the Information Commissioner's Office (ICO), and the second was the publication of the National Cyber Security Centre and National Crime Agency report, 'The cyber threat to UK business 2017-2018'.
Cyber threats, breach reporting and enforcement
The cyber threat report identifies the major trends in 2017-2018: ransomware and distributed denial of service attacks, massive data breaches, supply chain compromise and fake news operations.
It points out that organizations of all sizes are vulnerable and that not ensuring effective cybersecurity could lead to severe fines under the GDPR.
The report includes links to recommended mitigations against these threats, including guidance on avoiding phishing attacks and email security.
Elizabeth Denham, the Information Commissioner, spoke on enforcement and emphasized prevention. ‘I don’t want to punish organizations for breaching the law,’ she said. ‘I want to help stop that happening in the first place.’
Ms Denham also said that the ICO’s approach would remain proportionate and pragmatic and that ‘organizations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action’.
There is a range of transparency obligations under the GDPR, including requirements for information to be provided in privacy notices.
However, the bigger picture concerns trust and confidence in organizations. In speaking about data protection practitioners as not just guardians of privacy, but also as ambassadors for the appropriate use of personal data in line with the law, Elizabeth Denham might have been talking about solicitors.
Solicitors wishing to act as ambassadors in this way may wish to make use of the materials launched at the conference as part of the ICO’s Your Data Matters campaign. The ICO is encouraging organizations to download the materials and share them with customers, service users and staff.
Finding out more
You can watch plenary sessions from the ICO conference, including a session on regulatory action from James Dipple-Johnstone, Deputy Commissioner for Operations at the ICO (and previously with the SRA), and you can download the cyber threat report.
Don’t know where to start with GDPR? Try a 14-day free trial with GDPR Portal
GDPR Portal has been selected as a Law Society endorsed partner. Their cloud-based solution is designed to help small and medium-sized practices to manage the GDPR compliance process. Its intuitive and easy-to-use interface enables firms to take a systematic and structured approach to recording how personal data is processed, and to produce evidence that they have taken the right steps to comply with GDPR.
Watch a short video about GDPR Portal or sign up for a no-obligation, 14-day free trial.
Our GDPR pages provide useful information on various elements of GDPR as well as external links which may be of use.
The ICO provides a guide on preparing for GDPR which should be your first stop as you work towards compliance. They have also developed two checklists for data controllers and data processors which may be of use.
We have provided guidance for law firms on when it may be necessary to appoint a data protection officer.
We encourage you to share useful information with your colleagues. Everyone in your firm will have some responsibility for GDPR compliance.