Fines key to boards' attention to data privacy, says ICO head

Elizabeth Denham, UK Information Commissioner and Chair of the Global Privacy Assembly, an organization dedicated to coordinating best practice and enforcement among data protection authorities around the world, believes that without the threat of substantial fines, executives simply fail to comply with data protection laws and do not treat privacy – and especially not cyber security – as a risk issue that boards should be concerned about.

“Fines grab directors’ attention, encourage better behavior and are an invaluable tool for any regulatory agency,” Denham told attendees Tuesday at a webinar on the need for privacy regulation organized by the International Association of Privacy Professionals. “How can you regulate without fines?”

Under the previous UK Data Protection Act of 1998, the maximum penalties were capped at £500,000 (US$700,000) – a number that few believed would change the behavior of many large companies towards better data protection.

In the run-up to the EU’s General Data Protection Regulation (GDPR) coming into force at the end of May 2018, companies complained that the costs of compliance had skyrocketed in preparation, “as if no national legislation had previously been enacted,” Denham said.

The Information Commissioner’s Office (ICO) imposed 17 fines totaling £42.4 million (US$59.2 million) last year, with three GDPR fines against British Airways, Marriott International and Ticketmaster accounting for £39.65 million (US$55.4 million) of that.

Denham believes that awareness of the need for better privacy protection is “undoubtedly” due to the GDPR’s ability to punish companies with a maximum penalty of up to 4 percent of global sales for serious violations.

While a more palpable threat from meaningful enforcement has put privacy on boards’ risk agendas, Denham also pointed out that there are still significant barriers to reaching the levels of privacy best practice that regulators want to see.

One of the main problems is that some data protection concepts are either not well defined, not understood, or not practical.

For example, Denham said, there is a challenge worldwide as to what constitutes, or should constitute, “consent”. She cited consent to cookies (where users of a website give permission to track and process their personal data, ostensibly to improve service – but not necessarily) as a notable example, saying the phrase “has no meaning and is not scalable.”

Denham suggested that data regulators around the world need to push to determine what “consent” really means, what it entails, and how it can be enforced. She added that a certification process to ensure compliance might be more appropriate as a way forward.

In general, Denham advocates better coordination between data protection authorities in order to achieve a globally similar view of privacy, consent and enforcement, possibly through standards. She hopes the Global Privacy Assembly will do more to move this forward.

Denham also highlighted new challenges that data regulators are facing post-pandemic.

She said there is a “very real danger” that organizations given “privileged” access to sensitive data, particularly health and medical records, will be reluctant to accept any restrictions on that data or any attempt to curtail their access, for fear that doing so would prevent innovation.

As a result, she suggested, the ICO – and other EU data authorities – need to have “deep discussions” about the “beneficial” use of people’s data during future national or global crises.
