Brexit Notwithstanding: GDPR Means GDPR

Last week I joined attendees at CtrlShift’s Personal Information Economy event, where Elizabeth Denham, the UK’s new Information Commissioner, gave her inaugural speech.

Denham’s overriding message is critical for businesses: the EU’s General Data Protection Regulation (GDPR) will still apply to the UK post-Brexit. Denham made it clear that UK data protection legislation must be deemed essentially equivalent to GDPR if data is to flow between us and Europe.

The business implications are significant. GDPR represents a fundamental reshaping of data protection legislation, giving consumers more rights and placing an increased onus on businesses to secure private data.

As Denham made clear, the law enshrines the rights of consumers to give clear consent over how their data is used, as well as empowering them with new rights around data portability.

If businesses fail to comply with GDPR they face fines of up to four percent of turnover. 

However, for me the most significant element of Denham’s speech is that she sees legislation such as GDPR as necessary to underpin the so-called ‘Me2B’ economy, where consumers are able to benefit directly from the data they share with organisations. As Denham put it to the audience of business leaders: “It’s not privacy OR innovation – its privacy AND innovation”.

Consumer trust in data privacy is essential to business success.

Denham has put businesses on notice: we must embrace the idea of informed consent and be willing to work with customers in true ‘data partnerships’.

This means implementing a customer-driven approach to information sharing where the consumer is empowered to share and rescind their consent and their data. For compliance purposes, this approach demands that businesses capture consent in an auditable flow, as well as implementing a flexible and secure platform to manage data securely.

The good news is that digital rights management technology already exists that can enable business to evolve to this new data protection paradigm.

The challenge is time.

May 2018 will be here before we know it, and businesses now know they absolutely must be GDPR compliant by that date. The race is on.