Britain’s public sector is too complacent about GDPR, the Information Commissioner has said. In a speech given to the Association of Chief Executives and Public Chairs’ Forum today, Elizabeth Denham called for “commitment over compliance”. “When I speak to the private sector, I can sense the panic, but also the incentive to get it right … when I speak to the public sector, I can sense complacency,” she told the public sector bosses.
Describing GDPR as an opportunity to restore public trust and confidence in data protection, she urged organisations to revisit their approach to data protection. “It’s about moving away from the paperwork of privacy, and instead, working on a framework that can be used to build a culture of privacy that pervades your entire organisation,” Denham noted, pointing out that the change of tone would need to come from the top level of organisations. To those who are planning on taking their time to become GDPR compliant the Commissioner offered a warning: “there will be no grace period – you’ve had two years to prepare”.
The new data protection rules, which come into force on May 25, require changes in approach for many companies and public sector organisations. A focus on security by default, new rules on individuals’ access to their own data and a requirement to self-report data breaches will mean that many firms’ current approach to privacy falls short of the requirements. And the ICO is expecting to be busy. “We’re expecting more of everything. More breach reports because the law requires it in high risk cases. More complaints, because people will be better informed of their rights. Greater engagement as organisations turn to us for advice at the outset,” Denham told the Forum.
The Commissioner may sense that the private sector is working to comply, but a study by Mercer reveals that they too may fall short of the mark. Just 8% of firms say that they are fully ready for GDPR, while 11% say that they have not developed or are not planning to develop a plan to comply with the new rules. Although Ms Denham told delegates that she plans to use the carrot more than the stick, GDPR gives her a very big stick, raising the maximum fine her office can levy from £500,000 to a whopping €20 million, or 4% of global profits. With so much at stake, surely this is no time for complacency.