2021 ICO Conference tackles data ethics and ransomware

The Information Commissioner’s Office held its 2021 Data Practitioner’s Conference earlier this month, bringing together more than 3,000 data protection professionals from across the country.

In a year filled with obstacles – from COVID-19 to Brexit – there was no shortage of discussion points. However, perhaps the two most noteworthy topics were the rise in ransomware attacks and the importance of data ethics.

Addressing the ransomware crisis

It’s been hard to ignore the threat of ransomware recently. In the past few weeks alone, the Irish health service was crippled by attackers and millions of people in the US were left without petrol after malicious actors shut down the Colonial Pipeline.

But those are only two incidents that made the news. The ICO said that it had seen an increase from 13 ransomware cases per month to 42, with the surge in attacks leading to action.

The Office will shortly be issuing guidance on ransomware and incident response, which will include advice on preparation; data protection requirements; and incident response plans, notification and compliance.

That last issue is particularly important, as there was a heavy emphasis on ransomware and its relation to the UK GDPR. The ICO emphasised the importance of having policies and procedures in place to help organisations in the event of a successful attack.

Indeed, the ICO confirmed that when it is notified of a ransomware incident, it will start its investigation by looking at the organisation’s GDPR compliance posture, with an initial focus on Articles 5 and 32.

The ICO also said it would look closely at whether an organisation has segregated its live and offline repositories, which would ensure that attackers can’t pivot between them.

Data ethics: a question of could vs should

With technology advancing at a pace that makes it almost impossible to regulate, the ICO stressed that organisations must take responsibility for the way they use sensitive data.

Organisations must take it upon themselves to find a balance between, on the one hand, innovation and economic growth, and, on the other, the responsible use of people’s data.

Failure to do so will further damage people’s trust regarding data sharing, and undermine the work of organisations who implement good practices.

A simple way for organisations to think about the issue, the ICO says, is to consider whether they are using the technology because it’s available to them or because there’s a legitimate business reason.

“Just because an organisation could do something with data, which may be within the black letter of the law, does that mean that it should do it, if it is not something that the individual might expect or which may damage the trust and confidence held in that organisation,” the ICO said.

The ICO believes that data ethics shouldn’t be perceived as “a new requirement or another layer of compliance, rather an alternative lens through which to view data protection compliance, which will help organisations better operationalise UK GDPR principles.”

To help achieve this, the ICO suggests that organisations build a data ethics review into legitimate interest assessments and data protection impact assessments.

When conducting a legitimate interest assessment, organisations must balance the rights of the individual against the legitimate interest of the data controller in using the individual’s data for that purpose.

Notably, the ICO concluded that this balancing exercise is no longer a binary issue between the data subject and the data controller. Rather, it should consider the wider societal effects of such processing and the benefits it may have.

GDPR compliance support with GRCI Law

If you’re concerned about whether you’re doing enough to tackle the threat of ransomware and data ethics, our Privacy as a Service solution is ideal.

Our team of experienced lawyers, barristers, and information and cyber security experts will work with you to help you achieve regulatory success.

This includes help with compliance monitoring, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).