Information Commissioner talks GDPR and accountability in latest speech
“We’re all going to have to change how we think about data protection.”
That was the message from Elizabeth Denham, as she delivered a speech on GDPR and accountability.
The lecture for the Institute of Chartered Accountants in England and Wales focused on businesses, but there was plenty of interest for a wider audience.
Below are the key quotes from the speech, or you can read it in full on the ICO website.
“However fast regulation moves, technology moves faster. Especially as far as data is concerned.”
“The government’s recent cyber risk survey found that whilst 69 per cent of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation only half of businesses have actually taken recommended actions to identify cyber risks.”
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”
“The GDPR is at root a modernisation of the law.”
“Consumers and citizens have stronger rights to be informed about how organisations use their personal data.”
“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.”
“Accountability is at the centre of all this: of getting it right today, getting it right in May 2018, and getting it right beyond that.”
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
“Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and privacy by design – are now legally required in certain circumstances.”
“But this shift in approach is what is needed. It is what consumers expect.”
“Because I think it’s clear that a lot people feel they’ve lost control of their own data. People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.”
“Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking.”
“Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?”
“To meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.”
“Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.”
“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”
“Of course it’s possible that in the years after the UK leaves the EU, Parliament will debate amending the requirements of the GDPR. If that happens, we’ll be at the centre of any conversations around this, and will be banging our drum for continued protection and rights for consumers and clear laws for organisations.”
“If businesses are looking beyond the current laws, and are trying to future proof themselves against changing or uncertain legislation, the answer takes us back to accountability.”
“Having the right mindset towards data protection helps to future proof a business. It will put it in the right place to keep up with legislation.”
“I want organisations to think to themselves: ‘we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect’.”
“We’re all going to have to change how we think about data protection.”