The General Data Protection Regulation (GDPR), which applies across the European Union from 25 May 2018, will force through a culture change in organisations' attitudes to data privacy, information commissioner Elizabeth Denham has claimed.
Speaking at the Data Protection Practitioners' Conference 2017, Denham said she hoped the new law would make data privacy and data protection more common topics within organisations of all types.
"I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK."
"[GDPR] is about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society."
However, she admitted, many data protection officers (in the organisations that have one at all) are struggling to communicate the importance of data protection, even with the prospect of mandatory breach notification and swingeing fines for organisations that spill personal data.
Furthermore, she warned that in the longer term organisations risk damaging their brands and their business if they are seen to be cavalier with personal data.
"If an organisation can't demonstrate that good data protection is a cornerstone of their business policy and practices, they're leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue."
She added, though, that she hoped the benefits of being seen as a responsible holder of data would also encourage adherence to the new law.
"Get data protection right, and you can see a real business benefit. Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a pay-off down the line, not just in better legal compliance, but a competitive edge," she said.
"Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice," she suggested.
The GDPR applies across the EU from a 'hard deadline', which means that existing arrangements, such as contracts with cloud providers, cannot be grandfathered in. Organisations will need to be fully compliant from day one, or risk fines of up to four per cent of global annual turnover (or €20 million, whichever is higher).
However, data protection watchdogs are not expected to impose the stiffest fines at the outset, and the size of any fine is expected to be reduced where an organisation can show that it has made genuine efforts to protect personal data, for example by implementing recognised standards.
GDPR is just one of a number of new regulations related to data protection, privacy and computer security that will become law over the next few years.