The ICO recognises that GDPR planning, and the compliance process as a whole, is evolutionary: new risks and threats will continue to be identified in the days, weeks, months and years after the deadline.
The ICO has confirmed that, because businesses have had two years to prepare for the new regulations, there will be "NO GRACE PERIOD". It is therefore imperative that businesses have done everything they can to prepare before the deadline.
Businesses that are proactive, that communicate with the ICO about resolving issues and self-report problems, and that can demonstrate effective accountability for data protection within the business under the GDPR, will have these factors taken into account if the ICO considers regulatory action over such issues.
The ICO states that by now businesses should have acted on, and should already have in place:
- Board-level commitment, adopting a GDPR culture throughout the organisation.
- Reviews of documentation, and details of what personal information is held.
- A full understanding and documented map of the flow of data held by the business.
- Written and implemented accountability measures, including a Data Protection Officer (DPO) and Data Protection Impact Assessments (DPIAs).
- A security review to identify cyber risks and vulnerabilities.
- Trained staff, so that the company is compliant as a whole.
"If businesses can show that the appropriate systems, thinking and company ethos [are in place], the ICO will act as a pragmatic and proactive regulator aware of business needs and the real world."