Anyone who cares about privacy has been waiting for the signal to start taking the new Data Protection Act seriously. Frankly, after the big rush to get “GDPR-ready” by May of last year, most organisations seem to have returned privacy to the too-hard pile. Very few have done anything to embed privacy as a living and breathing part of their daily practice. Those few now have a head start on treating an existential risk, as well as signalling to consumers and employees that, unlike their competitors, they really care about their safeguarding obligations over people’s data. The rest of you need to start catching up, because today’s £183m ICO fine for the British Airways data breach shows that the regulator is prepared to use its new teeth.
More importantly, this has made the national news, and individuals will realise that they too have teeth. At a time when trust in large organisations’ stewardship of our personal data is at an all-time low and consumer interest in corporate purpose and ethics is rising, we are bound to see both an increase in data subjects exercising their rights and making complaints, and a change in purchasing behaviour to favour suppliers that can demonstrate ethical behaviour across the board.
GDPR came about because our governments believed that misuse of data causes real harm to people. They meant to cause a step-change in behaviour by data controllers and processors, and today’s fine is evidence that they were serious. But don’t just act out of fear of punishment: improve your systems and processes because it’s the right thing to do.