On 25 May, the General Data Protection Regulation comes into effect. It is the beginning of something new, but it is an evolution of what’s gone before. It builds on what was good about the Data Protection Act and brings it in line with our 21st century world. The GDPR re-balances the relationship between individuals and organisations.
It gives greater control to people about how their data is used, and it compels organisations to be transparent and account for their actions. Those organisations that thrive under the new rules will see the GDPR as an opportunity to commit to data protection and embed it in their policies, processes and people.
Those that merely comply, that treat the GDPR as another box-ticking exercise, miss the point. And they miss a trick. Because this is about restoring trust and confidence. Only one in five people in the UK trust organisations to look after their data. That’s not good enough. GDPR is an opportunity to reset the equilibrium.
But it is just one part of reform. The UK Government’s Data Protection Bill brings the GDPR into UK law and tackles some of the details over which we have discretion. Add the law enforcement directive, which sets out how we’ll tackle crime across borders, the NIS directive, which sets out reporting rules for organisations that suffer a cyber-attack, and the e-privacy directive, which sets the rules for direct marketing via phone, text and email.
That’s quite a substantial suite of data protection changes.
My office is working in a new age of data protection; where the UK Government and others around the globe have recognised that personal data is the fuel that powers so much of what makes our economy, our home life, our public services function. The UK is a leader in data protection and the Government has made clear its intention that we retain our world-class status as well as making the UK the safest place to be online.
Sometimes when I speak to the private sector, I can sense the panic, but also the incentive to get it right. So many businesses feel like they are starting from scratch – it’s one of the reasons why we’ve set up helplines and targeted resources to help them prepare. Sometimes when I speak to the public sector, I can sense complacency. Because they know data protection. It’s been part of the furniture for years.
Now it’s time to redecorate; this is a critical time to refresh policies and processes, to upgrade staff training and revisit the approach to data protection. The tone has to come from the top. This is about commitment over compliance. It is up to boards and leadership teams to foster a culture of transparency and accountability as to how they use personal data.
The new legislation creates an onus on organisations to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from the paperwork of privacy, and instead, working on a framework that can be used to build a culture of privacy that pervades your entire organisation, putting people at the centre of the design of services, and particularly of the adoption of new technologies.
The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time – such as data protection impact assessments and privacy by design – are now legally required in certain circumstances.
Think of the true cost of a cyber breach, for example. It will cost money, but it will also cost reputation, trust, social licence. This is collateral damage. Yet most cyber breaches and attacks are preventable. The high-profile attacks on TalkTalk and Carphone Warehouse would not have happened if they had put rudimentary protections in place. And if NHS systems had been up to date, they would have been protected from WannaCry.
The ICO is a risk-based, proportionate regulator. Yes, the GDPR gives me greater sanctions and tools for those that flout the law – those that play fast and loose with the personal data that’s been entrusted to them. Yes, enforcement is there – but it comes after education, engagement and empowerment. If I am to achieve my aim of improving public confidence in the way their personal data is handled, then I have to take defensive action. Prevention is better than cure.
We’ve provided a whole suite of resources on our website – guidance, checklists, sector-specific FAQs – to help navigate through the new law. And we offer more than the written word. We run voluntary audits to check if organisations are on the right track and to identify weaknesses or red flags before they cause real problems. No strings and it’s free. And we’re developing a so-called sandbox, a safe place for companies and public bodies to test the data durability of their innovations.
You can expect that the ICO will uphold the law and that I will stand up for the rights of UK citizens. But if companies and organisations self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, they will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort.
Data protection is a critical part of ensuring companies and organisations have the social licence to innovate with data.
Elizabeth Denham is the UK Information Commissioner. This article is based on her speech earlier this month to the Association of Chief Executives and Public Chairs’ Forum.
Extensive guidance and advice on the GDPR is available from the ICO.