UK businesses 'struggle to translate' ICO's GDPR guidance

HSBC and John Lewis criticise watchdog's "woolly" data protection guidelines


Some of the UK's biggest companies are struggling to interpret guidance around incoming data protection rules, with some believing they will not have the systems in place to deal with specific compliance requirements in time for the enforcement date.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, giving EU citizens more control over their personal data and introducing new restrictions on how organisations can use it - and hefty fines for mishandling it.


Yet, speaking at a panel discussion at London's Infosecurity Europe 2017 conference yesterday, HSBC and John Lewis executives expressed concerns that the Information Commissioner's Office's (ICO) guidelines are too ambiguous.

"There are large areas of GDPR that are the same as the existing rules," said Cameron Craig, deputy general counsel for HSBC. "Unfortunately instead of having a single black line saying 'these are the changes', you have to work out what is actually different."

The financial services sector is used to regular changes in compliance, and has systems in place to deal with disruption normally caused by new regulations. However, the "woolly" nature of the ICO's guidance has proven difficult to enforce, he said.

"You can't just write them down on a piece of paper, and say 'you have to comply with this, this and this'," added Craig, "you have to have a highly sophisticated digital rights management system in place to do that. We're just not going to get that by 2018."


The ICO has published a 12-step guideline for complying with the new GDPR regulations, but it is proving difficult to apply to industries with specific operational requirements.

"I have had the pleasure of working with some fantastic lawyers, but even they are struggling to give a true interpretation," said Steve Wright, group data and infosec officer at John Lewis. "There are seven rights under GDPR, the Right to be Forgotten is just one. For us as a retailer it is going to be incredibly difficult to fulfill [requests for data deletion] within 30 days."

One example given was the issue of lengthy warranty periods - John Lewis will need to honour warranty periods of 10 years in some cases, and will be unable to entirely delete that data when requested.

HSBC's Craig believed that early negotiations on GDPR failed to take into account specialist industries such as the financial sector.


"All the discussions were around online services, the likes of Facebook and Google. It might be ok to have a consent-based system for that type of processing, but for financial services there is a huge amount you need to do without consent. Just getting that reassurance that you can continue doing that is quite a challenge."

Peter Brown, senior technology officer at ICO, present at the discussion, urged concerned companies to continue consulting with ICO guidance.

"We're not going to bang everyone's door down on 26 May, saying 'give us a cheque for 4% of your annual turnover [the maximum fine for a breach]'. But it is an opportunity to put in place the right data protection practices, and those that get it right will benefit."

He added: "There has been a consistent message that we have tried to get across. We are continually working on new guidance, and more will be coming out. It may not arrive as quickly as people want, but it is on the way."


Yet issues such as Brexit remain outside the influence of the ICO, and while GDPR will still apply to the UK once it leaves, there is no guarantee that the UK will remain a 'whitelisted' zone - geographies not within the EU but considered to operate under similar data protection legislation.

"The key risk is that the EU may not recognise the UK as an adequate jurisdiction," said Craig. "So there may be problems with transferring data from the EU to the UK. The hope is that we will be given some recognition of adequacy, so that we will be a whitelisted country, and the UK government have indicated that that is a key objective."
