GDPR will drive data privacy culture change, warns ICO head Elizabeth Denham

Data protection and privacy will soon be just good business practice, argues Elizabeth Denham

The General Data Protection Regulation (GDPR), due to come into force across the European Union on 25 May 2018, will force through a culture change in terms of attitudes to data privacy, the information commissioner Elizabeth Denham has claimed.

Speaking at the Data Protection Practitioners' Conference 2017, Denham said: "I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK."

The GDPR, she continued, is "about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society".

However, she admitted, many data protection officers - in organisations that actually have them, at least - are struggling to communicate the importance of data protection - even with the prospect of mandatory breach notification and swingeing fines for organisations that spill personal data.

In the longer term, she warned, organisations risk damaging their brands and their business if they are seen to be cavalier with personal data.

"If an organisation can't demonstrate that good data protection is a cornerstone of their business policy and practices, they're leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.

"But… get data protection right, and you can see a real business benefit.

"Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a pay-off down the line, not just in better legal compliance, but a competitive edge.

"Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice," she suggested.

The GDPR will become law across the EU in a "hard deadline" that means that old agreements, such as with cloud providers, cannot be grandfathered in. Organisations will need to be 100 per cent compliant from day one, or risk fines of up to four per cent of turnover.

However, it is expected that data protection watchdogs will not initially impose stiff fines, and the size of fines will be mitigated if an organisation can show that it has made genuine efforts to protect private data, such as by implementing recognised standards.

GDPR is just one of a number of new regulations related to data protection, privacy and computer security that will become law over the next few years.