UK businesses 'struggle to translate' ICO's GDPR guidance

HSBC and John Lewis criticise watchdog's "woolly" data protection guidelines


Some of the UK's biggest companies are struggling to interpret guidance around incoming data protection rules, with some believing they will not have the systems in place to deal with specific compliance requirements in time for the enforcement date.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, giving EU citizens more control over their personal data and introducing new restrictions on how organisations can use it - and hefty fines for mishandling it.

Yet, speaking at a panel discussion at London's Infosecurity Europe 2017 conference yesterday, HSBC and John Lewis executives expressed concerns that the Information Commissioner's Office's (ICO) guidelines are too ambiguous.

"There are large areas of GDPR that are the same as the existing rules," said Cameron Craig, deputy general counsel for HSBC. "Unfortunately instead of having a single black line saying 'these are the changes', you have to work out what is actually different."

The financial services sector is used to regular changes in compliance, and has systems in place to deal with disruption normally caused by new regulations. However, the "woolly" nature of the ICO's guidance has proven difficult to enforce, he said.

"You can't just write them down on a piece of paper, and say 'you have to comply with this, this and this'," added Craig, "you have to have a highly sophisticated digital rights management system in place to do that. We're just not going to get that by 2018."

The ICO has published a 12-step guideline for complying with the new GDPR regulations, but it is proving difficult to apply to industries with specific operational requirements.

"I have had the pleasure of working with some fantastic lawyers, but even they are struggling to give a true interpretation," said Steve Wright, group data and infosec officer at John Lewis. "There are seven rights under GDPR; the Right to be Forgotten is just one. For us as a retailer it is going to be incredibly difficult to fulfil [requests for data deletion] within 30 days."

One example given was the issue of lengthy warranty periods - John Lewis will need to honour warranty periods of 10 years in some cases, and will be unable to entirely delete that data when requested.

HSBC's Craig believed that early negotiations on GDPR failed to take into account specialist industries such as the financial sector.

"All the discussions were around online services, the likes of Facebook and Google. It might be ok to have a consent-based system for that type of processing, but for financial services there is a huge amount you need to do without consent. Just getting that reassurance that you can continue doing that is quite a challenge."

Peter Brown, senior technology officer at the ICO, who was also on the panel, urged concerned companies to keep consulting the ICO's guidance.

"We're not going to bang everyone's door down on 26 May, saying 'give us a cheque for 4% of your annual turnover' [the maximum fine for a breach]. But it is an opportunity to put in place the right data protection practices, and those that get it right will benefit."

He added: "There has been a consistent message that we have tried to get across. We are continually working on new guidance, and more will be coming out. It may not arrive as quickly as people want, but it is on the way."

Yet issues such as Brexit remain outside the ICO's influence. While GDPR will still apply to the UK once it leaves the EU, there is no guarantee that the UK will be treated as a 'whitelisted' jurisdiction - a country outside the EU whose data protection legislation is considered to offer similar protection, so that personal data can flow to it from the EU.

"The key risk is that the EU may not recognise the UK as an adequate jurisdiction," said Craig. "So there may be problems with transferring data from the EU to the UK. The hope is that we will be given some recognition of adequacy, so that we will be a whitelisted country, and the UK government have indicated that that is a key objective."
