When we’re presented with a deadline, it’s in our nature as human beings to focus on meeting it. And sometimes that means we forget to think about what happens afterwards.
The deadline of 25th May 2018 for the EU General Data Protection Regulation (GDPR) has proved to be a case in point. The run-up to GDPR’s introduction has seen many commentators question whether organisations will be ready in time. But less has been said about the longer-term implications.
However, if further signs were needed of the massive significance of GDPR, then the news agenda has provided them. With remarkable timing, the weeks running up to the deadline have been dominated by stories focused on the privacy and value of personal data, as the furore over Facebook and Cambridge Analytica has played itself out.
Perhaps the most remarkable aspect of these events has been the speed with which public attention has switched to the issue of who is doing what with their personal information, and why. The net result is that – more than ever before – people are questioning whom they can trust with their data. If GDPR hadn’t been invented already, then this shift in public perceptions might well have triggered something very similar.
So, what does this mean for organisations as they transition to a post-GDPR world? True, there’s a compliance element – such as the obligations to let people see on request any data held on them and provide notification of data breaches within 72 hours. From May 25th, all organisations will be meeting these requirements through a blend of systems, processes and people. But far more important in the longer term will be the mindset, culture and motivation behind the compliance.
Why? Because people today don’t just want the organisations they deal with to obey the letter of the law when collecting, handling and using their data. They’re demanding that these organisations be trustworthy enough to be entrusted with their data.
While this shift in public perception applies to all organisations, it’s especially pressing for government bodies, which stand or fall by their ability to earn and retain public trust. Historically, public service organisations in areas ranging from health to taxation have assumed they’re entitled to hold and use individuals’ personal data because of what they do. For years, the public have gone along with this arrangement. But no longer.
Experience shows that our expectations as consumers today evolve into our expectations as citizens tomorrow. And the questions people have been asking about the private sector’s use of data are already starting to be asked about the public sector as well. Witness the concerns expressed recently over the NHS’s sharing of personal data with other government departments.
So, to retain public trust, public sector bodies need to achieve a shift of mindset around citizens’ personal data – one that sees them move away from a sense of entitlement and ownership, and towards a sense of responsibility and openness. This applies irrespective of GDPR. But the great thing about GDPR is that it supports and enables this change in culture, by providing a golden opportunity to drive and embed it across the business and workforce.
Part of this positive impact lies in a key aspect of GDPR: the requirement to apply “privacy by design” principles in developing new services. This means building in personal data privacy from the ground up, rather than bolting it on as an afterthought.
What’s more, as awareness of GDPR grows internationally, there are increasing signs of it becoming a global “gold standard” for personal data privacy. In the US, for example, Facebook has said it is working on a version of GDPR that will work globally, though the details have yet to be decided.
Taking all this together, the message is clear. GDPR involves much more than meeting a compliance deadline. It’s actually a great opportunity to forge a new privacy culture, one founded on responsibility rather than entitlement, and that builds trust among citizens. It’s an opportunity that every public sector organisation must embrace – or face losing public trust in the years to come.