UK businesses 'struggle to translate' ICO's GDPR guidance

Some of the UK's biggest companies are struggling to interpret guidance around incoming data protection rules, with some believing they will not have the systems in place to deal with specific compliance requirements in time for the enforcement date.

The EU's General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, giving EU citizens more control over their personal data and introducing new restrictions on how organisations can use it - and hefty fines for mishandling it.

Yet, speaking at a panel discussion at London's Infosecurity Europe 2017 conference yesterday, HSBC and John Lewis executives expressed concerns that the Information Commissioner's Office's (ICO) guidelines are too ambiguous.

"There are large areas of GDPR that are the same as the existing rules," said Cameron Craig, deputy general counsel for HSBC. "Unfortunately instead of having a single black line saying 'these are the changes', you have to work out what is actually different."

The financial services sector is used to regular changes in compliance, and has systems in place to deal with disruption normally caused by new regulations. However, the "woolly" nature of the ICO's guidance has proven difficult to enforce, he said.

"You can't just write them down on a piece of paper, and say 'you have to comply with this, this and this'," added Craig, "you have to have a highly sophisticated digital rights management system in place to do that. We're just not going to get that by 2018."

The ICO has published a 12-step guideline for complying with the new GDPR regulations, but it is proving difficult to apply to industries with specific operational requirements.

"I have had the pleasure of working with some fantastic lawyers, but even they are struggling to give a true interpretation," said Steve Wright, group data and infosec officer at John Lewis. "There are seven rights under GDPR, the Right to be Forgotten is just one. For us as a retailer it is going to be incredibly difficult to fulfill [requests for data deletion] within 30 days."

One example given was the issue of lengthy warranty periods - John Lewis will need to honour warranty periods of 10 years in some cases, and will be unable to entirely delete that data when requested.

HSBC's Craig believed that early negotiations on GDPR failed to take into account specialist industries such as the financial sector.

"All the discussions were around online services, the likes of Facebook and Google. It might be ok to have a consent-based system for that type of processing, but for financial services there is a huge amount you need to do without consent. Just getting that reassurance that you can continue doing that is quite a challenge."

Peter Brown, senior technology officer at ICO, present at the discussion, urged concerned companies to continue consulting with ICO guidance.

"We're not going to bang everyone's door down on 26 May, saying 'give us a cheque for 4% of your annual turnover [the maximum fine for a breach]. But it is an opportunity to put in place the right data protection practices, and those that get it right will benefit."

He added: "There has been a consistent message that we have tried to get across. We are continually working on new guidance, and more will be coming out. It may not arrive as quickly as people want, but it is on the way."

Yet issues such as Brexit remain outside the influence of the ICO, and while GDPR will still apply to the UK once it leaves, there is no guarantee that the UK will remain a 'whitelisted' zone - geographies not within the EU but considered to operate under similar data protection legislation.

"The key risk is that the EU may not recognise the UK as an adequate jurisdiction," said Craig. "So there may be problems with transferring data from the EU to the UK. The hope is that we will be given some recognition of adequacy, so that we will be a whitelisted country, and the UK government have indicated that that is a key objective."