GDPR: Trust, privacy and innovation
Elizabeth Denham, UK Information Commissioner, talks about changes to data protection legislation ahead of her speech at the CBI Cyber Security Conference.
As the UK’s data protection regulator, it’s my job to protect the information rights of citizens and ensure that privacy is afforded the same consideration as innovation in today’s evolving digital economy.
Just as innovation relies on consumer trust, the digital economy depends on the trust of consumers to engage with it. And as technology has evolved, both cyber security and data protection have moved up the agenda. Both have become inextricably linked.
Privacy in today’s interconnected world depends on cyber security.
The General Data Protection Regulation (GDPR) is a significant refresh of existing data protection rules necessary to give people much needed protection and control over their personal information.
The government has stated that the breach reporting requirements and fines under it will be a significant call to action which businesses can use to improve resilience around cyber security.
But it is an evolution in data protection, not a total revolution.
It demands more of organisations in terms of accountability for their use of personal data – businesses need to tell people what they are doing with customers’ data, do what they say, and stand ready to demonstrate their compliance.
It also creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to build a culture of privacy that pervades an entire organisation.
Carrot rather than stick
The GDPR principles are essentially the same whether you are a small business or a multinational corporation. It’s is not the size of the organisation that’s relevant so much as the risk that particular businesses and types of data processing pose. Those handling particularly sensitive data, or processing personal data in potentially intrusive ways, for example.
But we have long recognised that SMEs may have limited time and resources for compliance and have acknowledged this in our regulatory approach.
Many of the actions SMEs should take are practical and straight forward – our updated data protection self-assessment toolkit is a good starting point. Our GDPR overview and 12 steps to take now documents explain where there is continuity with the current law, what’s new and how to plan.
Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. The ICO’s enforcement powers will increase – the maximum fines can go up to £17m or 4 per cent of global turnover.
But what I do want to make clear is this law is not all about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
The impact of Brexit
Questions are often raised about how the data protection landscape will look after Brexit. The government has recently announced its statement of intent to introduce a new Data Protection Bill which incorporates the GDPR, so all businesses need to be working towards the new law coming into effect on 25 May 2018.
But ultimately legislation changes and issues are a matter for the government and we are standing front and centre ready to contribute to those discussions.
It’s all about trust
The ICO’s annual research on privacy and data protection consistently shows that levels of public trust remain low. Conversely, it also shows that they would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly.
And that provides a major opportunity and competitive advantage for those who can demonstrate that they get data protection right.
As Information Commissioner I’m absolutely committed to increasing the trust and confidence that UK citizens have in data protection.
The ICO’s new Information Rights Strategic Plan sets out how my organisation will grow, evolve – innovate - to make sure we’re staying relevant and making a difference.
As the data protection reforms are essentially about trust, there couldn’t be a better way forward.
The CBI's Cyber Security Conference on 13 September will offer the latest intelligence and practical advice to businesses looking to safeguard their businesses
Previous post: Japan trade talks prompt questions