"If everyone understands the risks and demands better, it will become possible to have better," he told a Westminster Media Forum seminar in London.
Personal information control is not too "geeky", it should be possible for everyone, and will come in time, he said.
Graham said the chief role of the Information Commissioner's Office (ICO) is to help individuals and organisations comply with data protection legislation.
Referring to the penalties of up to £500,000 for serious data breaches, he said although the ICO now has a "big stick in the cupboard", it would prefer to help and give guidance.
The message is getting through that the ICO has teeth, he said, but the real driver will be organisations' desire to avoid loss of reputation that comes with having such penalties imposed on them.
"Companies need to maintain the confidence of consumers in an increasingly competitive and savvy market, and the advantage will go to those that people trust the most," said Graham.
Highlighting guidelines published by the ICO, such as the Personal Information Online Code of Practice, he said personal data protection should be a two-way process.
"It is not just top-down from regulators and companies, but also an opportunity and responsibility for individuals to take steps to keep their personal data safe and secure," said Graham.
The UK is working with the European authorities, he said in conclusion, to help ensure that the coming revised EU data protection directive takes into account the realities of the 21st century and will fit in with the way the world now works.
This story was first published by Computer Weekly