GDPR Mindset and Culture: A Short Note for the Board

Original article written by Trupti Harding-Shah of My Inhouse Lawyer,

In her video address yesterday, marking the one-year countdown to GDPR taking effect, the Information Commissioner Elizabeth Denham makes data protection a boardroom issue.

She talks about sticks and carrots: on one side, the reputational damage and financial penalties that could hit businesses that don’t follow good data protection practices; on the other, the benefits for those who make data trust a cornerstone of how they run their businesses.

A few weeks ago, our partner Freeman Clarke produced an excellent overview of GDPR, with useful highlights and practical action plans. In this piece, we take a step back and talk about mindset and culture, two themes which run consistently through the ICO’s messaging on GDPR and are relevant to boardroom thinking.

It’s fair to say that GDPR is not so much an instigator of change as an indicator of change. The digital economy in which we live has clearly outpaced the old data protections. It’s a world where we can be identified by our IP addresses, and where data about each of us can be used to profile us and market to us, and is traded between organisations, often without our knowledge or consent.

GDPR looks to put individuals back in the driving seat, delivering to them stronger rights in response to heightened risks, including rights to:

  • be informed about how their data is used
  • access their data
  • move that data to another provider (data portability)
  • rectify and erase that data where appropriate
  • withdraw consent
  • challenge automated decisions

With only a year to go, it’s right that businesses should be taking a close look at their data protection practices, identifying gaps against GDPR and planning how to close them.

At Board level, it’s also about moving away from a mindset of mere compliance to thinking about how individuals would want their data to be handled, and being transparent and accountable to them. It’s about employing appropriate data security measures to mitigate the risks we create for others in exchange for using their data. And it’s about creating a culture of data trust that pervades our organisations.

Yes, the risk of enforcement action for non-compliance makes GDPR a boardroom issue. But the longer strategic play is not just about avoiding fines; it’s about winning customer confidence and being seen as the kind of business that can be trusted. Those are the businesses that will be the winners in the new GDPR environment.

While we wait for more granular guidance from the ICO, and for changes to the Privacy and Electronic Communications Regulations (PECR), GDPR should be actively discussed and budgeted for at Board level.

Here’s the link to the 5-minute video from Elizabeth Denham.

If you would like to discuss how GDPR will affect your business and a practical approach to making sure you’re compliant, contact us for a no-strings conversation.