GDPR to usher in new era of accountability, ICO says

“We’re all going to have to change how we think about data protection” in the wake of new EU data regulations, warns the Information Commissioner

Posted 18 January 2017 by Gary Flood

Brexit or not – maybe even leaving the Single Market or not – British businesses still all have to wake up and smell the General Data Protection Regulation (GDPR) coffee.

That’s the burden of a key speech the country’s privacy watchdog, Information Commissioner Elizabeth Denham, made this week to SMEs about the new EU-wide data protection laws, set to become the standard for how we all deal with information in May next year.

Denham told her audience that as a result, “We’re all going to have to change how we think about data protection” – because, while she admitted there’s a lot in the GDPR business leaders will recognise from the current law, “make no mistake, this one’s a game changer for everyone”.

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”

The main motivation for business to do all this, beyond the need to be compliant, she added, was how badly data insecurity fears damage the image of business in the eyes of consumers.

“People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings,” she claimed.

That sense of loss of control impacts their trust in business, the Commissioner added, pointing out that her organisation had found in a survey that 75% of adults in the UK “don’t trust businesses with their personal data”.

The best way forward, she concluded, is to adopt a totally new internal organisational attitude to data protection.

“We need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.

“Not just because it’s the law, but because it’s part of basic good business practice – like honest pricing or good customer service.”

The ICO website has resources to help organisations prepare for the GDPR. They set out advice on making sure key decision makers know the law around personal information is changing, documenting the information the business holds, and reviewing privacy notices.