Peter Hayes

In the middle of the three Brexit years, 2016 to 2019, came ‘the year of GDPR’. How did organisations cope? Has GDPR shown us what good practice is? We think so.
How does this much-anticipated year now look, with the benefit of hindsight? Writing both as a business operator and as business advisors, it looks like an unusually fast transition to ‘business as usual’. So many critical infrastructure transformations end in delay, cost and upheaval, so how did GDPR become routine?
The answer to that lies partly in the appeal of facts in an uncertain world, and in a respect for experts in an era when we were supposed to no longer have time for them. GDPR highlighted the unavoidable accountability for fact-driven consents, and it heralded a legion of officers, Data Protection Officers, as expert guardians of truth. “Are we good to mail both customer sets?” “Are consents up to date?” Ask the DPO.
How GDPR rebuilt our faith in facts
We noticed in the build-up to May 2018 a concerted effort to tackle an escalating risk faced by most public-facing and public-serving organisations – that of facts, and trust.
How GDPR was interpreted and introduced for the UK was largely down to the Information Commissioner’s Office (ICO) and they saw it as a way to get on the front foot, for upholding information rights. ICO had only recently gained a new Commissioner, Elizabeth Denham, who spotted the seven principles, like seven samurai that could be mobilised to show ‘what good business looks like’.
The Seven Principles of GDPR
Lawfulness, fairness and transparency
Accuracy
Purpose limitation
Storage limitation
Data minimisation
Integrity and confidentiality
and, underpinning all of these, Accountability
The prevailing Data Protection Act (the 1998 Act) had not been remiss. It just lacked the turbocharge of accountability, which to us is the linchpin of the above principles.
Are we all feeling more accountable?
Accountability requires us to take responsibility for meeting all of the principles, and we have to show we have the appropriate processes and records in place to comply.
#FACT – ‘A Boom in Data Breach Reporting’. Reports about personal data breaches increased fourfold in one full year of GDPR working. The ICO declares it received around 14,000 Personal Data Breach (PDB) reports from 25 May 2018 to 1 May 2019, up from around 3,300 in the year from 1 April 2017. Are there more data breaches? Maybe. Are more companies accountable for reporting them? Definitely.
GDPR, with embedded accountability, became more than a nudge to corporate behaviour. To us, accountability became the vital baton in a relay race. Europe, then the ICO, started the lap. Organisations took on the baton. Adjusting to a GDPR way of working brought the opportunity to build trust with customers. Not living and working by GDPR now risked a crippling fine. We like to think the benefits outweighed the potential costs, for the vast majority of well-intended enterprises.
How did this change customer-handling organisations? It seems, a lot. Accountability encouraged organisations to appreciate information rights, as evidenced by a demand for help.
#FACT – ‘More organisations want to know more about information rights’. The volume of enquiries received at the ICO from businesses, organisations and individuals has reached new levels. The service received over 470,000 contacts in the first full year of GDPR, a 66% increase from 2017/18.
Who are you going to call?
Well, before GDPR and the ICO brought clarity of accountability to information rights uncertainties, we might have called the Head of IT, the Company Secretary or maybe the Marketing Chief. We’re not sure who they in turn would have called. Now, it could not be clearer. The Data Protection Officer has stepped up, and will be with us as a lasting EU legacy.
#FACT – ‘At the last count, there were over 35,000 active DPOs listed on the ICO’s data protection public register.’ For customers (‘subjects’) that means an easily reached first level of enquiry, and for organisations, it means a trusted expert.
Where next with GDPR?
Well, in one way, there should not be ‘the year of GDPR’ as it is not an event. It is a profound reorientation of information rights towards the subjects, our customers, and ourselves.
It is also not a role for one person, a DPO, any more than quality was purely the responsibility of a Quality Manager. If organisations recognise that a GDPR way of working is no more or less than what any good organisation should do, and that it can even provide a competitive advantage, things can only get better.
If more subjects (‘us’) value our information rights, in how and where we make transactions or share personal data, we will reach a healthy equilibrium with service providers, and arrive at the overall and overdue good practice in all things personal data.