Out-Law News

GDPR should drive cultural change and greater accountability on data privacy, says Denham


New EU data protection laws should spur cultural change across organisations and improve the accountability within those organisations for data protection practices, the UK's information commissioner has said.

In a speech at the Data Protection Practitioners' Conference 2017 in Manchester on Monday, Elizabeth Denham said that accountability is central to the reforms being delivered through the new General Data Protection Regulation (GDPR).

"At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data," Denham said. "The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organisations understand, and mitigate – the risks that they create for others in exchange for using a person’s data. It’s about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society."

"I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK. I think that’s achievable," she said.

In her speech, Denham said organisations that fail to accept more accountability for data protection could be hit with substantial fines under the GDPR, as well as potential reputational damage. The maximum penalty for non-compliance with the Regulation is €20 million or, for businesses, 4% of annual global turnover, whichever is higher.

"The GDPR gives regulators greater enforcement powers," Denham said. "If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue."

However, Denham also said there are positive reasons why businesses should embrace the greater emphasis on accountability that the GDPR will bring.

"Get data protection right, and you can see a real business benefit," Denham said. "Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice."

Last week, the Information Commissioner's Office (ICO) published proposed new guidance which addresses changes to rules on consent contained in the GDPR. The ICO urged organisations in the UK to review their "existing consents" to ensure that their activities that involve the processing of personal data comply with new laws.