Reflecting on the first year of GDPR, the ICO highlights that ‘the focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.’
It highlights that SMEs have faced a number of challenges in becoming GDPR compliant. ACCA recognised these challenges and made available guidance, policies and procedures which could be adapted.
In its report the ICO highlight that it will soon be establishing ‘a one-stop shop for SMEs, drawing together the expertise from across our regulatory teams to help us better support those organisations without the capacity or obligation to maintain dedicated in-house compliance resources’.
One area which you may wish to consider is certification. This is planned for the autumn when the additional accreditation is expected to be made available via third parties.
It also highlights that it undertakes investigations into organisations of all sizes. Many of you will have seen its action against HMRC and the use of voice recognition software with the ICO stating that ‘HMRC failed to give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent. This is a breach of the General Data Protection Regulation.’
The ICO has highlighted that it is also ensuring that businesses are registered with it, stating that ‘up to 30 April 2019, we issued over 3,800 [penalty] notices of intent to fine for failure to pay the [data protection] fee’.
As a reminder of the fees, charities and organisations with ten or fewer staff – or a maximum turnover of £632,000 – pay a fee of £40, those with staff numbers between 11 and 250 or not exceeding a turnover of £36m pay £60. Large organisations with over 250 staff or with a turnover over £36m pay £2,900.