It’s time to get ethical

Anyone who cares about privacy has been waiting for the signal to start taking the new Data Protection Act seriously. Frankly, after the big rush to get “GDPR-ready” by May of last year, most organisations seem to have returned privacy to the too-hard pile. Very few have done anything to embed privacy as a living and breathing part of their daily practice. Those few now have a head-start on treating an existential risk, as well as signalling to consumers and employees that, unlike their competitors, they really care about their safeguarding obligations over people’s data. The rest of you need to start catching up, because today’s £183m ICO fine for the British Airways data breach shows that the regulator is prepared to use its new teeth.

More importantly, this has made the national news, and individuals will realise that they too have teeth. At a time when trust in large organisations’ stewardship of our personal data is at an all-time low and consumer interest in corporate purpose and ethics is rising, we are bound to see both an increase in data subjects exercising their rights and making complaints, and a change in purchasing behaviour to favour suppliers that can demonstrate ethical behaviour across the board.

So even if you don’t believe you’ll be fined by the ICO, you should believe that your customers will be asking you difficult questions, and if they don’t like the answers they’ll take their business elsewhere. Lip-service won’t cut it; updating your website privacy policy and your cookie warning isn’t enough. You have to know what data you have, where it is, what you’re doing with it and why. You must be able to demonstrate that you have done everything you can to minimise the data you keep and the processing you do with it. You have to document your reasons for needing it and make sure you’ve explained all your decisions and activities to your data subjects. You must show that you’ve done everything you might reasonably be expected to do to protect the personal data you process, including proper supply-chain due diligence as well as securing your own systems. You must train your staff and make sure that everyone in your organisation understands the rules around processing personal data.

GDPR came about because our governments believed that misuse of data causes real harm to people. They meant to cause a step-change in behaviour by data controllers and processors, and today’s fine is evidence that they were serious. But don’t just act out of fear of punishment: improve your systems and processes because it’s the right thing to do.
