The UK's Information Commissioner, Elizabeth Denham, has urged companies to make the privacy rights of consumers a “top priority” in her speech to the ICO's annual Data Protection Practitioners' Conference.
Denham urged the audience to focus: “We have an opportunity to set out a culture of data confidence in the UK. We just need to keep in mind that when we lend our name to projects, we should think about how they can be of benefit to citizens.”
Denham highlighted that companies have legal responsibilities to treat people's data with proper care and transparency – to give them persistent control and choice.
Speaking of the record fine the ICO issued to telecoms company TalkTalk, Denham said, “Fundamentally, not enough respect – not enough care – was being given to the type of protection consumers would have expected of their personal information.” She added that “there's a similar theme” within the charity sector where there is “insufficient thought about the level of transparency donors would want, expect or support.”
And this is where the General Data Protection Regulation (GDPR) comes in, as it is going to put even more of an onus on organisations to understand and respect the personal privacy rights of consumers, said Denham.
The GDPR builds on the previous legislation, provides more protections for consumers and more privacy considerations for organisations.
“The GDPR gives specific new obligations for organisations, for example around reporting data breaches and transferring data across borders. But the real change for organisations is understanding the new rights for consumers,” said Denham.
She adds: “Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They'll have the right to request that personal data be deleted or removed if there's no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.”
Denham highlighted that at the centre of the GDPR is the concept of broader and deeper accountability for an organisation's handling of personal data.
“The GDPR brings into UK law a trend that we've seen in other parts of the world – a demand that organisations understand, and mitigate, the risks that they create for others in exchange for using a person's data,” said Denham.
And most of all, Denham said it is about driving a culture change which is implemented from the top down. “It goes back to that idea of doing more than being a technician and seeing the broader responsibility and impact of your work in your organisation on society.”
Denham then went on to appeal to the audience, claiming the ICO has listened, and wanted to offer solace to those in the audience who claimed “their biggest challenge is making data protection a boardroom issue,” adding, “So what can I give you today to help you make that case when you go back to your offices tomorrow?”
Choosing not to concentrate on the fines, the regulators and the added barriers, Denham said, “If an organisation can't demonstrate that good data protection is a cornerstone of their business policy and practices, they're leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.”
Denham insisted the ICO is not only about the “stick” and insisted there's a carrot too. “As regulators we actually prefer the carrot. Get data protection right, and you can see a real business benefit.”
Denham believes that accepting more accountability for better data protection in the form of an upfront investment in privacy fundamentals can payoff further down the line, where customers might recognise the company's work to ensure the privacy and correct handling of its customers' data. “Over time this can play a real role in consumer choice.”
Denham said that consumers have never been more aware of their rights but trust in business has lagged behind. “An ICO survey last year showed only one in four UK adults trust businesses with their personal data. And I don't believe the figure would be much higher for the public sector. As a regulator, it's one of my jobs to give you the tools and the support to turn that around.”
Tackling brexit, Denham asked, “The UK-EU referendum decision means the UK's digital economy needs data to flow across borders: how do we make sure that can happen? How can we foster economic growth while still respecting citizens rights?”
She added that when the government comes to answer those questions beyond the implementation of GDPR in 2018, the ICO expects to be at the centre of many conversations, speaking up for continued protection and rights for consumers and clear laws for organisations. And addressing the strong data protection laws Britain will need if it wants to keep the UK's approach at an equivalent standard to the EU.
This follows on from the ICO releasing its GDPR consent guidance, which is now open to consultation until 31 March 2017.
Nigel Hawthorn, Skyhigh Networks' chief European spokesperson, said Denham's speech emphasised the need for business to put privacy at the forefront of their thinking.
“This should act as a red flag to many, as the department that is most likely to see businesses fail GDPR – marketing – has been worryingly absent from the conversation,” he said.“This means marketers are woefully uninformed about how the new laws will impact virtually all of their current processes, with some businesses believing that GDPR is a conversation that doesn't require enterprise-wide input. Either that or their heads are buried. Whatever the case, firms must take the necessary steps to ensure their marketing teams are getting the required consent from customers, and can prove sufficient consent for existing data.”
Hawthorn added: “One example of how the new rules will impact marketing efforts is the distribution of whitepapers. GDPR states that companies cannot restrict access to services based on whether data subjects provide contact details; many organisations ‘gate' valued assets to gather contact information, a reliable source of leads for many. The marketing department needs to be thinking now how to ensure their website will change to ensure compliance and continued effectiveness of campaigns.”