Derek Bishop


GDPR and a culture of privacy

Date added: 09th Nov 2017
Category: Culture of conduct/ethics

The message from GDPR: every piece of information is personal to one of your customers and accordingly should be treated with respect

When was the last time you thought about data in terms of people? Just pause for a moment before you answer. You see, it’s easy to know that every piece of data which you hold relates to an individual but somehow knowing and being aware can be two very different things.

So your database is designed to capture names and addresses, contact details, purchase history and so on. You use all that data in marketing or product development or in aggregate form within an annual report. But as you aggregate and manipulate that data, how aware are you that every piece of information is personal to one of your customers and accordingly should be treated with respect?

By the time that the 25th May 2018 rolls around it won’t just be you that needs an enhanced level of awareness. On that date the new General Data Protection Regulation comes into effect, and by then, in the words of the Information Commissioner Elizabeth Denham, you will need to have created a framework which is “used to build a culture of privacy that pervades an entire organisation.”

What that will require is for not only organisations but also everyone within an organisation to understand and mitigate the risk they create for others in exchange for using a person’s data. It means taking responsibility for that data and being aware of the impact of data management on society.

Now, depending on the way in which you store and manage an individual’s data, the changes required by GDPR may be seismic or they may be minor. Certainly it’s not surprising that a quick trawl through the internet pulls up numerous recommendations to start by undertaking a data audit: building an understanding of what data you actually hold and where it sits, as a prelude to complying with the new regulations.

But even if all your data ducks are in a neat little row, true compliance requires a culture in which your people are engaged in privacy ideals. That means working with them in areas such as understanding and mitigating risk, respecting people’s right to privacy and putting data protection at the heart of every policy and process change. And don’t forget that GDPR will also apply to any data sharing agreements, so whilst organisations are working with their people, they will also need to build a mutual understanding with any organisation with which they share data.

In July 2017 the BBC reported the results of a survey which revealed that just 27% of businesses had started to prepare for GDPR. That doesn’t leave a lot of time for the majority of businesses to undertake a data audit and transform their data systems as required, let alone renew and refresh organisational culture to take account of people’s privacy.

Make no mistake: if by 25 May 2018 businesses aren’t able to show that they have embraced the GDPR ethos and taken all reasonable steps to protect and respect data, then the added cost of complying could be the least of their worries. GDPR failures are subject to a maximum fine of €20M or 4% of global annual turnover, whichever is the greater. So yes, preparation may well start with data understanding, but an organisation’s greatest potential point of security failure is its people. Only when they engage in a culture of privacy will you be on your way to complying with GDPR.
