UK businesses 'struggle to translate' ICO's GDPR guidance

HSBC and John Lewis criticise watchdog's "woolly" data protection guidelines

EU flag flying

Some of the UK's biggest companies are struggling to interpret guidance around incoming data protection rules, with some believing they will not have the systems in place to deal with specific compliance requirements in time for the enforcement date.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, giving EU citizens more control over their personal data and introducing new restrictions on how organisations can use it - and hefty fines for mishandling it.

Advertisement - Article continues below

Yet, speaking at a panel discussion at London's Infosecurity Europe 2017 conference yesterday, HSBC and John Lewis executives expressed concerns that the Information Commissioner's Office's (ICO) guidelines are too ambiguous.

"There are large areas of GDPR that are the same as the existing rules," said Cameron Craig, deputy general counsel for HSBC. "Unfortunately instead of having a single black line saying 'these are the changes', you have to work out what is actually different."

The financial services sector is used to regular changes in compliance, and has systems in place to deal with disruption normally caused by new regulations. However, the "woolly" nature of the ICO's guidance has proven difficult to enforce, he said.

"You can't just write them down on a piece of paper, and say 'you have to comply with this, this and this'," added Craig, "you have to have a highly sophisticated digital rights management system in place to do that. We're just not going to get that by 2018."

Advertisement - Article continues below
Advertisement - Article continues below

The ICO has published a 12-step guideline for complying with the new GDPR regulations, but it is proving difficult to apply to industries with specific operational requirements.

"I have had the pleasure of working with some fantastic lawyers, but even they are struggling to give a true interpretation," said Steve Wright, group data and infosec officer at John Lewis. "There are seven rights under GDPR, the Right to be Forgotten is just one. For us as a retailer it is going to be incredibly difficult to fulfill [requests for data deletion] within 30 days."

One example given was the issue of lengthy warranty periods - John Lewis will need to honour warranty periods of 10 years in some cases, and will be unable to entirely delete that data when requested.

HSBC's Craig believed that early negotiations on GDPR failed to take into account specialist industries such as the financial sector.

Advertisement - Article continues below

"All the discussions were around online services, the likes of Facebook and Google. It might be ok to have a consent-based system for that type of processing, but for financial services there is a huge amount you need to do without consent. Just getting that reassurance that you can continue doing that is quite a challenge."

Peter Brown, senior technology officer at ICO, present at the discussion, urged concerned companies to continue consulting with ICO guidance.

"We're not going to bang everyone's door down on 26 May, saying 'give us a cheque for 4% of your annual turnover [the maximum fine for a breach]. But it is an opportunity to put in place the right data protection practices, and those that get it right will benefit."

He added: "There has been a consistent message that we have tried to get across. We are continually working on new guidance, and more will be coming out. It may not arrive as quickly as people want, but it is on the way."

Advertisement - Article continues below

Yet issues such as Brexit remain outside the influence of the ICO, and while GDPR will still apply to the UK once it leaves, there is no guarantee that the UK will remain a 'whitelisted' zone - geographies not within the EU but considered to operate under similar data protection legislation.

"The key risk is that the EU may not recognise the UK as an adequate jurisdiction," said Craig. "So there may be problems with transferring data from the EU to the UK. The hope is that we will be given some recognition of adequacy, so that we will be a whitelisted country, and the UK government have indicated that that is a key objective."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020