Garreth Cameron, ICO, Data Protection in the Digital Age
12 Apr 2016 02:59 PM
Garreth Cameron, Group Manager Business and Industry at the Information Commissioner’s Office, has written an article for techUK's Data Driven Economy Week looking at Data Protection in the Digital Age.
Data protection in the digital age
Businesses benefit from the wealth of data generated in our digital society. Whether data helps develop new products and services, improve or personalise existing ones, or increase revenue through better targeted marketing, the system relies upon consumers being comfortable with sharing their information.
At the Information Commissioner’s Office (ICO), the UK’s independent data protection authority, we want to achieve a society in which all organisations which collect and use personal information do so responsibly, securely and fairly. It’s part of our job as the information rights regulator to shine a light on those areas where the collection of data may not be obvious. Judging by media coverage from our recent blogs on what mobile apps are actually doing and wifi location tracking, there is a growing awareness of how data is collected and analysed by organisations ‘behind the scenes’.
So what do the public think about how organisations use their data, and why’s it important? Every year the ICO conducts research through our annual track. In our most recent survey we found that 85% of those questioned were concerned about how their personal information is sold or passed to other organisations, and 77% were concerned that organisations are not keeping their data secure. Last summer the Competition and Markets Authority, in its report on the commercial use of consumer data, concluded that “consumer trust already appears to be fragile, and if attitudes shift as a result of a rapid evolution in data collection and sharing, this could lead to behavioural changes that hinder consumers’ willingness to engage with new developments and act as a potential barrier to investment and innovation”. In short, data protection safeguards matter.
Trust was once described to me as being like a bank account. You need to make regular deposits to build your balance. In data protection terms those deposits could take the form of communicating privacy information clearly (see our recent privacy notices code consultation), using data fairly and lawfully and making it easy for customers to access their data. Conversely, you should avoid making withdrawals as these erode your hard-earned gains. Failing to keep data secure, collecting information you do not need, denying consumers appropriate control over their data, and relying upon hidden terms and conditions - which are subsequently brought to the surface by the media - are all sure-fire ways to see businesses losing consumer trust. TalkTalk’s announcement that they had lost 100,000 customers and had to set aside £60m following a reported hacking incident should be a warning to all.
Having the right legal and regulatory environment, which gives consumers confidence that they can live and transact safely online, and which gives businesses confidence about what they need to do to comply, is key to ensuring a successful digital economy. The ICO has a key role to play in this.
There is lots of change on the horizon, and in just over two years’ time data protection laws will undergo reform when the General Data Protection Regulation (GDPR) is expected to come into force across Europe. The GDPR is designed to update the law for the digital age, and individuals will gain greater control over their data through strengthened rights. No longer will someone have to pay to obtain the data that a business holds about them. In some cases this information will also need to be provided in a commonly used electronic format. Individuals will also have the right to object to their data being used to profile them, and a right not to be subjected to automated decision making in certain circumstances.
Businesses will need to be more transparent and accountable in how they comply with data protection. New requirements to report security breaches should help focus minds on what can be done to prevent data being lost, and the ICO will have strengthened enforcement powers to make the point felt when organisations haven’t looked after customer data appropriately.
We will, of course, continue to work with trade bodies like techUK to understand what business priorities are in terms of implementation, and what advice and guidance organisations need to help get it right. One of the first steps we’ve taken is to launch our microsite www.dpreform.org.uk where we’ll be posting all the latest news and guidance on the reforms. We’ve also produced our first piece of guidance, “Preparing for the GDPR: 12 steps to take now”, to help organisations start thinking about what they need to do.