"Data protection is rising up the public, political and media agenda", according to Rob Luke, deputy information commissioner (ICO), the UK’s independent authority that regulates the Freedom of Information Act.
Speaking at the recent ISBA annual conference, he declared the issue to be "an important dimension that needs to be factored into how you do business" – especially given that the new General Data Protection Regulation (GDPR) comes into force in May 2018.
Today, businesses "are using data in ways that are unimaginable" from when the data protection laws were first created, he observed. Specifically, he was referring to the data-driven business models of companies such as Google and Facebook as well as new technology like programmatic, Smart TVs and the pending Internet of Things.
And in the coming GDPR era, businesses will need to comply with the law and "change the way we think about data protection", Luke announced. GDPR builds on previous legislation but the update "gives consumers and citizens more control and rights over their personal data", he explained. This includes:
- The right to request their data is deleted unless there is good reason to store it
- The right to data portability
- Clear opt-in methods that make it easier for people to withdraw their consent
GDPR sets high standards on consent over the processing of their data, he noted, and marketers must therefore "think very hard about what this means in practice for your consent mechanisms".
Arguably the biggest change is around accountability and mitigating risks, he said. GDPR will "mainstream privacy considerations throughout your organisations". Companies should conduct privacy impact assessments and implement Privacy by Design principles, he advised.
The benefits of this approach are about much more than compliance: GDPR is "an opportunity to develop trust in a sustained and long-term way". The misuse of personal data, he argued, "will be the quickest and surest way to erode your consumer and sector trust". Those that violate GDPR run the risk of damaged reputation, damage to the bottom line, and are open to being fined, he warned.
Ultimately, GDPR is "more than a risk to be mitigated", Luke suggested: rather, it is "an opportunity to be seized" an opportunity to build customer trust and the time is now for businesses to "act with great responsibility". The ICO has just published a 12 step guide to prepare for GDPR.
To conclude, Luke said "this is an urgent issue for the boardroom of your organisations". As such, he urged marketers in the room to take the issue "back to your own boards tomorrow".