ICO SME Conference
There are long-standing issues for SMEs in the compliance field - a smaller business probably won't have a legal department and will rely on people in other roles to advise them on data protection and information security.
Sometimes, in the course of investigations into data traders, some - perhaps unintentional - spammers ask me for guidance or advice on how to avoid the pitfalls of data protection law. This conference, however, was a chance to see what general level of awareness there is among SMEs and where the ICO's guidance is focused.
On the whole I was impressed by the approach, because I constantly have to struggle to get buy-in at exec level in mid-to-large organisations about why information assurance is so important. Something that is a common-sense approach to most is still essentially witchcraft to some.
ICO had approached the day with two specific areas in mind - how to respond to a security breach and how to maintain good DPA response procedures. Both areas are foundations for the GDPR changes expected over the next two years (assuming the UK sees sense enough to stay in the EU, of course). If I were an SME rep I would have been greatly helped by the workshops: there was generally good advice for businesses, and offers of assistance at the other end of the phone from ICO. Even educating people on the basic need to have a data breach procedure was high value for many there - although a number of people were already very well aware and able to put forward good decisions.
They really wanted to promote their engagement as a supportive body in the first instance, and that's the right way to do this: get everyone up to speed and educate; if that fails, give them one chance, then punish proportionally (i.e. punishment as a last resort for first-time offenders).
I met a couple of people there in similar situations to myself (i.e. consultants rather than SME reps), and there was the expected level of sharking for trade too. Same as at all conferences.
ICO managed to get through what looks like all the questions raised during the day - complete list here. There were a lot of questions and a lot to get through on the day, so I'm impressed they invested the time to answer them all. There was a live question pad via Sli.do, which was great for letting people post anonymously - sometimes the worry that a question might make you sound daft stops you asking it in the first place.
However, I still don't think ICO is equipped to deal with the root causes of a lot of the real issues at hand. For example, during the SAR workshop one of the speakers, Joff I think, referred to "buying leads lists" without caveating that re-acquisition of consent is a requirement by law. I'd be very concerned that either the wrong impression is given about lead generation and the monetisation of databases, or that an incorrect interpretation of the legislation is lobbied for by fringe anti-privacy groups such as the Direct Marketing Association.
For example, the Direct Marketing Commission (another body set up to loosely officiate over DMA members) states on its website that "In the UK and EU, companies are allowed to email you only if you have given your permission or have been a recent customer.", which is not true. Even if you have been a recent customer, you still have to opt in (explicit consent) to any kind of marketing material.
The bottom line for me is that ICO are doing a great job considering they are underfunded, largely unappreciated and overwhelmed by the size of the task at hand. I and others have noted concern at some of the responses from ICO case officers regarding unsolicited marketing complaints - concerns that would be resolved by investment in the government body.
I spend a small amount of time debating the definition of "personal information" / PII with ICO case officers, which doesn't always fill me with confidence - despite the agreeable clarity provided at this SME conference.
I hope the GDPR fines (up to 20m EUR or 4% of global annual turnover, whichever is higher) will be a catalyst for this next step for ICO.