Information Commissioner Elizabeth Denham used her speech at the 2017 Data Protection Practitioners' Conference to outline the challenges and opportunities that will come with GDPR and Brexit, as well as criticising businesses that fail to put customer data protection first.
Denham started her talk by taking a look back at what’s happened over the last 12 months, and criticized some companies for not taking data protection seriously enough. "Our work with WhatsApp and Facebook springs to mind. We all rely on digital services for important parts of our lives. But my office felt these apps were not taking enough responsibility for data protection. Companies have legal responsibilities to treat people’s data with proper care and transparency - to give them persistent control and choice."
Denham aimed similar criticisms at mobile operator TalkTalk after its record fine for the data breach that exposed 150,000 customer details. She said there was not enough respect or care given to the type of protection consumers would have expected when it comes to personal information.
That should be improved when GDPR comes into force, Denham said, as it brings a more “21st century” approach to the processing of personal data. While lots has been written about what GDPR will mean for internal mechanics of businesses, Denham said just as important is what it means for consumers’ rights.
"Consumers and citizens will have stronger rights to be informed about how organizations use their personal data," she said. "They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organization to carry on processing it, and new rights around data portability and how they give consent."
"At the center of the GDPR is the concept of broader and deeper accountability for an organization’s handling of personal data. The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organizations understand, and mitigate – the risks that they create for others in exchange for using a person’s data," Denham added.
GDPR gives IT departments and those in charge of security the opportunity to build a culture of privacy that impacts every part of a business. A more thorough data protection policy will mean companies will have to increase up-front spending, Denham said, but that could provide a competitive edge, via for example, winning more customers.
Denham also spoke briefly about Brexit. Before the referendum took place Denham and the ICO were wrestling with, "challenges of a digital economy that required data to flow across borders, where different legal systems and cultural norms about privacy make this a complicated undertaking."
Now, that hasn’t really changed, she said. The challenge is still around making sure that data can flow across borders as needed, with no privacy issues.
"Let’s not lose sight of what good data protection can achieve," Denham concluded. "We have an opportunity to set out a culture of data confidence in the UK. We just need to keep in mind that when we lend our name to projects, we should think about how they can be of benefit to citizens."
"I want to see comprehensive data protection programs as the norm, organizations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organizations across the UK. I think that’s achievable."