The General Data Protection Regulation (GDPR) is the biggest change to data protection law in a generation.
While it builds on the previous legislation, it brings a 21st century approach to the processing of personal data, providing much more protection for consumers, and more privacy considerations for organisations.
And with just one year to go until the law is implemented, there is no time to delay preparing for it.
If your business isn’t prepared, you’re leaving yourself open to enforcement action that can damage both your public reputation and bank balance.
The large fines for getting it wrong are the obvious headline here for the business world, driving the importance of data protection to an executive level.
But there’s a carrot here as well as a stick, and as regulators we actually prefer the carrot. Get data protection right, leverage it to your advantage, and the business benefits could pay dividends.
Over the past few years ICO casework has shown that UK citizens are now better informed around their information rights than ever before. But I think it’s also clear that a lot of people feel they’ve lost control of their own data.
The last ICO survey found 75 per cent of adults in the UK don’t trust businesses with their personal information, and I think it’s fair to say that people feel their sense of power over their personal data has slipped its moorings.
That feeling of lost control impacts consumer trust in the businesses that use their data.
Having access to people’s personal information means you have to act with great responsibility – it is a privilege. The main focus of the GDPR is about one thing above all: giving people more control over their own data.
That approach may require an upfront investment in privacy fundamentals, but it offers a payoff down the line: not just better legal compliance, but also a competitive edge. Whether that means attracting more customers, or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice and citizen trust.
The new law presents that challenge in a particular way. Arguably the biggest change in the GDPR is around accountability, and a requirement that businesses and public bodies understand the risks that they create for others, and mitigate those risks in exchange for using a person’s data.
It is a legal trend that we’ve seen in other parts of the world: a demand that the boardroom builds a culture of privacy that pervades an entire organisation. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to breed a company-wide culture of privacy, so it becomes the norm for generations to come.
We can point back to the fines again here. The law requires organisations not only to follow the letter of the law, but also to demonstrate that good data protection is a cornerstone of their policies and practices. But this is surely about more than the legislation: it’s about good customer service and building trust with your consumers.
As a regulator, we’re here to help you do that. There’s a wealth of materials on our website to help businesses. If this is all new to you, there’s still time to act: start by taking a look at our 12 steps to take to get you started. If you’re further along with your preparations, our overview, or more detailed guidance, might be of better use.
But you do need to act, and soon. For larger organisations, someone on your staff needs to be accountable for data protection and preparing your business for the approaching changes. And, depending on the nature of your business, the law may require you to appoint a data protection officer, who’ll be able to operate independently, be adequately resourced, and report to the board.
The new law applies to all, including smaller firms, and for them, we’ve launched a revamped data protection self-assessment toolkit, which includes a checklist to help you get ready for the GDPR, and gives you the ability to compare what you are currently doing around data protection to what you should be doing under the new regulation.
There’s only a year to go – it’s possible to be ready – but there really is no time to waste.
Elizabeth Denham is UK information commissioner.