If you were hoping EU regulators are feeling generous ahead of GDPR enforcement, you're out of luck. Information Commissioner's Office Head of International Strategy & Intelligence Steve Wood made that clear in his keynote at the IAPP's Data Protection Intensive in London on Wednesday.
"Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy," he said. "What you will see is a common-sense, pragmatic approach to regulatory principles."
The ICO will focus on risk, he said, adding it's happy to work with organizations if there's an area that seems a little shady or unclear. But grace period? No.
The ICO's main focuses will be on transparency, control and accountability. To that end, it is currently facilitating a public consultation on consent guidance, which opened March 2 and ends March 31. Wood said the ICO is focused on whether data controllers are giving individuals real choice and control, and organizations "need to focus on situations where you have a power imbalance. Is consent a pre-condition of using a service? Is that a fair way of obtaining consent?" He added consent mechanisms have to be prominent, concise, granular, easy to understand, and cannot be bundled into one big, rubber-stamp package.
"You can't dress something up as consent if it's not consent," he said. "The GDPR clearly sharpens the focus of consent as a tool for giving individuals control over their personal data. It shouldn't be consent if it's not really the correct basis, and you shouldn't give illusory consent to individuals," he said.
And he means it: "Data protection authorities across Europe will be asking penetrating questions about records of consent ... Looking very much at how organizations got the record, who has consented, when they consented ... what they were told, mechanisms for withdrawing."
They want records they can audit.
Organizations also need to be thinking about and documenting how that consent will be obtained, whether it's a tick-box, a physical signature, or whichever method makes most sense.
On the accountability front, Wood said organizations will thrive when and if accountability is embedded organization-wide and a range of people take responsibility for different parts of the process.
"If we come knocking on the door, if we investigate or conduct an audit in an organization, the best way you can demonstrate to us that we won't need to delve deeper and you've got covered all the compliance issues is to have a comprehensive accountability program, to be able to take us through the different steps you've taken to address compliance issues," he said.
For guidance, Wood pointed to the privacy notices code published on the ICO's website late last year, which aims to help organizations seeking advice on how to meet standard GDPR requirements, including how to produce clear and accessible information, just-in-time notices, and how information can be layered while still "providing all the information an individual needs, not just in one big monolithic policy."
Wood was clear that transparency around big data, artificial intelligence and machine learning is complicated under the GDPR. Last week the ICO released an updated version of its big data report, first published in 2014, which found that organizations working in a big data context should adopt a combination of technical and organizational approaches.
"It's about how big data can work for the individual. How can you explain it in simple terms, what the impact or the implications are of an algorithm." It's not like you're going to try to explain the math to the data subject, but you can explain what happens as a result.
In the future, Wood can see codes and certifications incentivizing companies to demonstrate accountability, but that's not likely to happen by next year's GDPR deadline.
As far as organizations looking to stay off the regulators' radars, be it the ICO or another DPA, Wood said the answer is simple:
"The key thing to do is invest now, convince people in your organization why data protection is important for trust."